Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Is it possible to limit IP address which can access to Cloudron instance login page?

Scheduled Pinned Locked Moved Support
loginfirewalliptables
23 Posts 8 Posters 1.1k Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    wrote on last edited by girish
    #1

    I want to limit the IP addresses which can access to my Cloudron instance (my.mydomain.com) for more security.

    Is that technically possible? 🤔
    If so, it would love to know how to do it. ☺️

    1 Reply Last reply
    1
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    wrote on last edited by
    #2

    There is no way from the dashboard UI itself, however you can follow the instructions at https://cloudron.io/documentation/security/#block-ips

    hiyukoimH 1 Reply Last reply
    2
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    wrote on last edited by
    #3

    Thank you!

    My need is to block IP only for the cloudron login page (my.mydomain.com).

    I'm unfamiliar with iptables.
    I searched and read some pages on the web, so I'm sorry if I ask you a pointless question.

    As far as I read, iptables settings looks it affects all the Linux VPN.
    So my concern is whether I will shut the public accesses to my websites on LAMP and Ghost apps when I execute sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT.

    I know this forum is not about teaching tech stuff - but I'd be happy if somebody can guide me through. 🙏

    W 1 Reply Last reply
    0
  • E Offline
    E Offline
    eric
    wrote on last edited by
    #4

    Hi, you can use this in your .htaccess

    Order deny,allow
    Deny from all
    Allow from YOUR-IP-ADDRESS
    ErrorDocument 403 https://yourdomain.com
    ErrorDocument 401 https://yourdomain.com
    ErrorDocument 404 https://yourdomain.com

    👍

    H hiyukoimH 2 Replies Last reply
    -1
  • W Offline
    W Offline
    will
    replied to hiyukoim on last edited by
    #5

    @hiyukoim Whats your use case from locking IP access to the login page? Maybe that will inform the recommendation for a way forward. If you don't know/can't figure out IP tables, it might mean that your use case for doing this could be in error. Maybe there is a better way to achieve what you're trying to do?

    hiyukoimH 1 Reply Last reply
    2
  • luckowL Offline
    luckowL Offline
    luckow translator
    wrote on last edited by
    #6

    If you follow the idea of ip tables (imho the only valid thing), think of the openVPN app from the app store. The idea is to allow access to the dashboard only from the (external) ip from the Cloudron instance itself. Therefore you need openVPN. If everything works correctly, you need an active vpn session to your cloudron and (only) then you can reach the dashboard of my.example.org

    Pronouns: he/him | Primary language: German

    hiyukoimH 1 Reply Last reply
    1
  • H Offline
    H Offline
    hunghb
    replied to eric on last edited by
    #7

    @eric f you follow the idea of ip tables (imho the only valid thing), think of the openVPN app from the app store. The idea is to allow access to the dashboard only from the (external) ip from the Cloudron instance itself. Therefore you need openVPN

    1 Reply Last reply
    1
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    replied to eric on last edited by
    #8

    @eric Thank you for the code snippet!
    That's the format of suggestion what I'm exactly seeking for.
    At the moment, all that I can do is copy-paste, so... 😂

    .htaccess method would be useful when I want to limit access to individual apps, like Monica or Roundcube.

    Thanks anyways!

    1 Reply Last reply
    0
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    replied to will on last edited by
    #9

    @will
    I just personally feel uncomfortable/insecure when people can access to the login page just by adding "my." in front of the root domain.
    That's why I want to limit the access from random people by allowing an IP addresses from my self-hosted VPNs (Yes, OpenVPN).

    1 Reply Last reply
    1
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    replied to luckow on last edited by
    #10

    @luckow @hunghb
    Thank you for your advice, yes, I already got OpenVPN on my Cloudron.

    1 Reply Last reply
    0
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    wrote on last edited by
    #11

    My question is; is setting up iptables like this sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT can limit the access to the apps on my Cloudron?

    I need to achieve these;

    1. to limit the access to my Cloudron dashboard login page
    2. while limiting the access to the login page, I want to let some pubic apps (Ghost, Wordpress, Lamp) stay public (without IP limit)

    Thank you all for your advices!🙏

    W 1 Reply Last reply
    1
  • W Offline
    W Offline
    will
    replied to hiyukoim on last edited by will
    #12

    @hiyukoim Ah I see!

    1 Reply Last reply
    0
  • hiyukoimH Offline
    hiyukoimH Offline
    hiyukoim translator
    replied to nebulon on last edited by
    #13

    @nebulon
    I'm still looking into the correct command to execute for my case, but still no clue. (Maybe I should consult a specialist...?)
    Iptable looks a bit too advanced for beginners. Still, limiting access to my.yourcloudron.com by IP is one of the essential security features, I think.
    If Cloudron UI can let us manage IP address whitelist/blacklist, that'd be a great help for me and people like me.

    Thank you 🙏

    W 1 Reply Last reply
    1
  • W Offline
    W Offline
    will
    replied to hiyukoim on last edited by
    #14

    @hiyukoim With the hardening that Cloudron does, and with Two Factor Authentication enabled, limiting access to the login screen doesn't buy you much. Unless you're fairly advanced, I wouldn't do it.
    I'm a senior security consultant for a top security company and I don't do it. Think about every web service you use, limiting access to specific IP addresses is an older security model.

    1 Reply Last reply
    2
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #15

    I too won't recommend going down the iptables route. Generally, with 2FA you are quite protected. We haven't completely documented iptable commands (and I am afraid to put them here) because people will try it and if something is wrong, it will lock them out.

    A workaround if you really want to blacklist/whitelist is to use a 3rd party service like say Cloudflare which can act as a proxy to the Cloudron dashboard and in Cloudflare you can set up firewall rules. Cloudflare can do this at a domain level, so your other sites are intact. But do know that your credentials will now go via Cloudflare.

    1 Reply Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    wrote on last edited by
    #16

    @girish said in Is it possible to limit IP address which can access to Cloudron instance login page?:

    But do know that your credentials will now go via Cloudflare.

    This part is particularly important ^^

    W 1 Reply Last reply
    0
  • W Offline
    W Offline
    will
    replied to mehdi on last edited by will
    #17
    This post is deleted!
    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #18

    @will Cloudflare has a few products/features that analyze the contents of the traffic and may even insert scripts into it by parsing the HTML. This is the reason we had the major cloudflare security incident.

    Personally, I feel it comes down whether you trust them with decrypted traffic. The answer totally depends on the use case and how you use them, I think.

    W 1 Reply Last reply
    1
  • W Offline
    W Offline
    will
    replied to girish on last edited by
    #19

    @girish Ah, so they are not looking inside the TLS tunnel, but getting HTTP traffic that leaked.
    Relevant portion for those interested:
    "This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens)."

    mehdiM 1 Reply Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to will on last edited by
    #20

    @will Can you give you source for the information that Cloudflare does not see inside the encryption session? I am a bit skeptical. The TLS tunnel goes to them, not to your own server. The whole point of their service is for them to handle the session so they can do some smart caching. The only more or less similar thing I know of is their Keyless SSL technology ( https://support.cloudflare.com/hc/en-us/articles/360022014111 ) which allows them to still terminate the encrypted session while not having the keys.

    W 1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.