Cloudron Forum


Is it possible to limit IP address which can access to Cloudron instance login page?

Category: Support
Tags: login, firewall, iptables
23 Posts, 8 Posters, 2.4k Views, 8 Watching
#1 hiyukoim (translator), last edited by girish

I want to limit the IP addresses which can access my Cloudron instance (my.mydomain.com) for more security.

Is that technically possible? 🤔
If so, I would love to know how to do it. ☺️

#2 nebulon (Staff)

        There is no way from the dashboard UI itself, however you can follow the instructions at https://cloudron.io/documentation/security/#block-ips

#3 hiyukoim (translator)

          Thank you!

My need is to block IPs only for the Cloudron login page (my.mydomain.com).

I'm unfamiliar with iptables.
I searched and read some pages on the web, so I'm sorry if I ask you a pointless question.

As far as I read, iptables settings look like they affect all the Linux VPN.
So my concern is whether I will shut off public access to my websites on the LAMP and Ghost apps when I execute sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT.

          I know this forum is not about teaching tech stuff - but I'd be happy if somebody can guide me through. 🙏

#4 eric

Hi, you can use this in your .htaccess

# Apache 2.2-style access control (on Apache 2.4 this needs mod_access_compat)
Order deny,allow
Deny from all
Allow from YOUR-IP-ADDRESS
# Send blocked visitors back to the public site instead of an error page
ErrorDocument 403 https://yourdomain.com
ErrorDocument 401 https://yourdomain.com
ErrorDocument 404 https://yourdomain.com

            👍

#5 will

@hiyukoim What's your use case for locking IP access to the login page? Maybe that will inform the recommendation for a way forward. If you don't know/can't figure out iptables, it might mean that your use case for doing this could be in error. Maybe there is a better way to achieve what you're trying to do?

#6 luckow (translator)

If you follow the idea of iptables (imho the only valid thing), think of the OpenVPN app from the app store. The idea is to allow access to the dashboard only from the (external) IP of the Cloudron instance itself. Therefore you need OpenVPN. If everything works correctly, you need an active VPN session to your Cloudron and (only) then you can reach the dashboard of my.example.org

#7 hunghb

@eric If you follow the idea of iptables (imho the only valid thing), think of the OpenVPN app from the app store. The idea is to allow access to the dashboard only from the (external) IP of the Cloudron instance itself. Therefore you need OpenVPN

#8 hiyukoim (translator)

@eric Thank you for the code snippet!
That's exactly the format of suggestion I'm seeking.
At the moment, all that I can do is copy-paste, so... 😂

The .htaccess method would be useful when I want to limit access to individual apps, like Monica or Roundcube.

                    Thanks anyways!

#9 hiyukoim (translator)

@will
I just personally feel uncomfortable/insecure when people can access the login page just by adding "my." in front of the root domain.
That's why I want to limit access from random people by allowing only the IP addresses of my self-hosted VPNs (yes, OpenVPN).

#10 hiyukoim (translator)

                        @luckow @hunghb
                        Thank you for your advice, yes, I already got OpenVPN on my Cloudron.

#11 hiyukoim (translator)

My question is: can setting up iptables like this (sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT) limit the access to the apps on my Cloudron?

I need to achieve these:

1. to limit the access to my Cloudron dashboard login page
2. while limiting the access to the login page, I want to let some public apps (Ghost, WordPress, LAMP) stay public (without IP limit)

Thank you all for your advice! 🙏

#12 will, last edited by will

                            @hiyukoim Ah I see!

#13 hiyukoim (translator)

@nebulon
I'm still looking into the correct command to execute for my case, but still have no clue. (Maybe I should consult a specialist...?)
iptables looks a bit too advanced for beginners. Still, limiting access to my.yourcloudron.com by IP is one of the essential security features, I think.
If the Cloudron UI could let us manage an IP address whitelist/blacklist, that'd be a great help for me and people like me.

                              Thank you 🙏

#14 will

                                @hiyukoim With the hardening that Cloudron does, and with Two Factor Authentication enabled, limiting access to the login screen doesn't buy you much. Unless you're fairly advanced, I wouldn't do it.
                                I'm a senior security consultant for a top security company and I don't do it. Think about every web service you use, limiting access to specific IP addresses is an older security model.

#15 girish (Staff)

I too won't recommend going down the iptables route. Generally, with 2FA you are quite protected. We haven't completely documented the iptables commands (and I am afraid to put them here) because people will try them and if something is wrong, it will lock them out.

                                  A workaround if you really want to blacklist/whitelist is to use a 3rd party service like say Cloudflare which can act as a proxy to the Cloudron dashboard and in Cloudflare you can set up firewall rules. Cloudflare can do this at a domain level, so your other sites are intact. But do know that your credentials will now go via Cloudflare.

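Why the iptables rule asked about in this thread cannot be limited to the dashboard vhost, and what a host-scoped allowlist (the .htaccess approach, or a domain-level rule at a proxy) does differently. This is an added illustration, not code from the thread or from Cloudron; the VPN subnet, addresses and hostnames are constructed.

```python
"""Layer 4 (iptables INPUT) sees only source IP, destination IP and port. Every
vhost on the box (my.example.com, blog.example.com, ...) shares port 443, so
  iptables -A INPUT -p tcp --dport 443 -s <vpn-net> -j ACCEPT   (then a DROP)
locks everyone else out of every app. A rule evaluated where the Host header
or SNI is visible (a per-vhost .htaccess, a proxy's domain-level firewall) can
be scoped to one hostname. Addresses and hostnames are constructed for the demo.
"""
import ipaddress

# Constructed: an OpenVPN client subnet and one home address are trusted.
ALLOWLIST = [ipaddress.ip_network("10.8.0.0/24"),
             ipaddress.ip_network("203.0.113.7/32")]
DASHBOARD_HOST = "my.example.com"   # the only vhost that should be restricted


def is_trusted(src_ip, allowlist=ALLOWLIST):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def l4_decision(src_ip, dst_port, allowlist=ALLOWLIST):
    """Models: --dport 443 -s <allow> -j ACCEPT, then --dport 443 -j DROP.
    The firewall never learns which hostname the client wants."""
    if dst_port != 443:
        return "ACCEPT"             # the rule does not touch other ports
    return "ACCEPT" if is_trusted(src_ip, allowlist) else "DROP"


def l7_decision(src_ip, host, allowlist=ALLOWLIST, restricted=DASHBOARD_HOST):
    """Models a host-scoped allowlist: only the dashboard vhost is gated,
    public vhosts are left alone."""
    if host.lower() != restricted.lower():
        return "ACCEPT"
    return "ACCEPT" if is_trusted(src_ip, allowlist) else "DROP"


# Constructed sample requests: (src_ip, dst_port, Host header)
REQUESTS = [
    ("10.8.0.5",      443, "my.example.com"),    # admin over VPN -> dashboard
    ("198.51.100.20", 443, "my.example.com"),    # stranger -> dashboard
    ("198.51.100.20", 443, "blog.example.com"),  # stranger -> public blog
    ("198.51.100.20", 80,  "blog.example.com"),  # plain HTTP; its https redirect would still hit 443
]


def compare(requests=REQUESTS):
    """Return [(src, port, host, l4, l7)] so the two layers can be compared."""
    return [(s, p, h, l4_decision(s, p), l7_decision(s, h)) for s, p, h in requests]


def collateral_damage(requests=REQUESTS):
    """Public-vhost requests the L4 rule drops although the host-scoped rule allows them."""
    return [(s, p, h) for s, p, h, l4, l7 in compare(requests)
            if l4 == "DROP" and l7 == "ACCEPT"]


if __name__ == "__main__":
    for row in compare():
        print("%-14s :%-3d %-17s iptables=%-6s host-scoped=%s" % row)
    print("locked out by iptables but meant to be public:", collateral_damage())
```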
#16 mehdi (App Dev)

                                    @girish said in Is it possible to limit IP address which can access to Cloudron instance login page?:

                                    But do know that your credentials will now go via Cloudflare.

                                    This part is particularly important ^^

#17 will, last edited by will
This post is deleted!
#18 girish (Staff)

@will Cloudflare has a few products/features that analyze the contents of the traffic and may even insert scripts into it by parsing the HTML. This is the reason we had the major Cloudflare security incident.

Personally, I feel it comes down to whether you trust them with decrypted traffic. The answer totally depends on the use case and how you use them, I think.

#19 will

                                          @girish Ah, so they are not looking inside the TLS tunnel, but getting HTTP traffic that leaked.
                                          Relevant portion for those interested:
                                          "This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens)."

#20 mehdi (App Dev)

@will Can you give your source for the information that Cloudflare does not see inside the encryption session? I am a bit skeptical. The TLS tunnel goes to them, not to your own server. The whole point of their service is for them to handle the session so they can do some smart caching. The only more or less similar thing I know of is their Keyless SSL technology ( https://support.cloudflare.com/hc/en-us/articles/360022014111 ) which allows them to still terminate the encrypted session while not having the keys.
