Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Is it possible to limit IP address which can access to Cloudron instance login page?

    Support
    login firewall iptables
    8
    23
    1063
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • hiyukoim
      hiyukoim translator last edited by girish

      I want to limit the IP addresses which can access to my Cloudron instance (my.mydomain.com) for more security.

      Is that technically possible? 🤔
      If so, it would love to know how to do it. ☺️

      1 Reply Last reply Reply Quote 1
      • nebulon
        nebulon Staff last edited by

        There is no way from the dashboard UI itself, however you can follow the instructions at https://cloudron.io/documentation/security/#block-ips

        hiyukoim 1 Reply Last reply Reply Quote 2
        • hiyukoim
          hiyukoim translator last edited by

          Thank you!

          My need is to block IP only for the cloudron login page (my.mydomain.com).

          I'm unfamiliar with iptables.
          I searched and read some pages on the web, so I'm sorry if I ask you a pointless question.

          As far as I read, iptables settings looks it affects all the Linux VPN.
          So my concern is whether I will shut the public accesses to my websites on LAMP and Ghost apps when I execute sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT.

          I know this forum is not about teaching tech stuff - but I'd be happy if somebody can guide me through. 🙏

          W 1 Reply Last reply Reply Quote 0
          • E
            eric last edited by

            Hi, you can use this in your .htaccess

            Order deny,allow
            Deny from all
            Allow from YOUR-IP-ADDRESS
            ErrorDocument 403 https://yourdomain.com
            ErrorDocument 401 https://yourdomain.com
            ErrorDocument 404 https://yourdomain.com

            👍

            H hiyukoim 2 Replies Last reply Reply Quote -1
            • W
              will @hiyukoim last edited by

              @hiyukoim Whats your use case from locking IP access to the login page? Maybe that will inform the recommendation for a way forward. If you don't know/can't figure out IP tables, it might mean that your use case for doing this could be in error. Maybe there is a better way to achieve what you're trying to do?

              hiyukoim 1 Reply Last reply Reply Quote 2
              • luckow
                luckow translator last edited by

                If you follow the idea of ip tables (imho the only valid thing), think of the openVPN app from the app store. The idea is to allow access to the dashboard only from the (external) ip from the Cloudron instance itself. Therefore you need openVPN. If everything works correctly, you need an active vpn session to your cloudron and (only) then you can reach the dashboard of my.example.org

                Pronouns: he/him | Primary language: German

                hiyukoim 1 Reply Last reply Reply Quote 1
                • H
                  hunghb @eric last edited by

                  @eric f you follow the idea of ip tables (imho the only valid thing), think of the openVPN app from the app store. The idea is to allow access to the dashboard only from the (external) ip from the Cloudron instance itself. Therefore you need openVPN

                  1 Reply Last reply Reply Quote 1
                  • hiyukoim
                    hiyukoim translator @eric last edited by

                    @eric Thank you for the code snippet!
                    That's the format of suggestion what I'm exactly seeking for.
                    At the moment, all that I can do is copy-paste, so... 😂

                    .htaccess method would be useful when I want to limit access to individual apps, like Monica or Roundcube.

                    Thanks anyways!

                    1 Reply Last reply Reply Quote 0
                    • hiyukoim
                      hiyukoim translator @will last edited by

                      @will
                      I just personally feel uncomfortable/insecure when people can access to the login page just by adding "my." in front of the root domain.
                      That's why I want to limit the access from random people by allowing an IP addresses from my self-hosted VPNs (Yes, OpenVPN).

                      1 Reply Last reply Reply Quote 1
                      • hiyukoim
                        hiyukoim translator @luckow last edited by

                        @luckow @hunghb
                        Thank you for your advice, yes, I already got OpenVPN on my Cloudron.

                        1 Reply Last reply Reply Quote 0
                        • hiyukoim
                          hiyukoim translator last edited by

                          My question is; is setting up iptables like this sudo iptables -A INPUT -s xxx.xxx.x.x -j ACCEPT can limit the access to the apps on my Cloudron?

                          I need to achieve these;

                          1. to limit the access to my Cloudron dashboard login page
                          2. while limiting the access to the login page, I want to let some pubic apps (Ghost, Wordpress, Lamp) stay public (without IP limit)

                          Thank you all for your advices!🙏

                          W 1 Reply Last reply Reply Quote 1
                          • W
                            will @hiyukoim last edited by will

                            @hiyukoim Ah I see!

                            1 Reply Last reply Reply Quote 0
                            • hiyukoim
                              hiyukoim translator @nebulon last edited by

                              @nebulon
                              I'm still looking into the correct command to execute for my case, but still no clue. (Maybe I should consult a specialist...?)
                              Iptable looks a bit too advanced for beginners. Still, limiting access to my.yourcloudron.com by IP is one of the essential security features, I think.
                              If Cloudron UI can let us manage IP address whitelist/blacklist, that'd be a great help for me and people like me.

                              Thank you 🙏

                              W 1 Reply Last reply Reply Quote 1
                              • W
                                will @hiyukoim last edited by

                                @hiyukoim With the hardening that Cloudron does, and with Two Factor Authentication enabled, limiting access to the login screen doesn't buy you much. Unless you're fairly advanced, I wouldn't do it.
                                I'm a senior security consultant for a top security company and I don't do it. Think about every web service you use, limiting access to specific IP addresses is an older security model.

                                1 Reply Last reply Reply Quote 2
                                • girish
                                  girish Staff last edited by

                                  I too won't recommend going down the iptables route. Generally, with 2FA you are quite protected. We haven't completely documented iptable commands (and I am afraid to put them here) because people will try it and if something is wrong, it will lock them out.

                                  A workaround if you really want to blacklist/whitelist is to use a 3rd party service like say Cloudflare which can act as a proxy to the Cloudron dashboard and in Cloudflare you can set up firewall rules. Cloudflare can do this at a domain level, so your other sites are intact. But do know that your credentials will now go via Cloudflare.

                                  1 Reply Last reply Reply Quote 0
                                  • mehdi
                                    mehdi App Dev last edited by

                                    @girish said in Is it possible to limit IP address which can access to Cloudron instance login page?:

                                    But do know that your credentials will now go via Cloudflare.

                                    This part is particularly important ^^

                                    W 1 Reply Last reply Reply Quote 0
                                    • W
                                      will @mehdi last edited by will

                                      This post is deleted!
                                      1 Reply Last reply Reply Quote 0
                                      • girish
                                        girish Staff last edited by

                                        @will Cloudflare has a few products/features that analyze the contents of the traffic and may even insert scripts into it by parsing the HTML. This is the reason we had the major cloudflare security incident.

                                        Personally, I feel it comes down whether you trust them with decrypted traffic. The answer totally depends on the use case and how you use them, I think.

                                        W 1 Reply Last reply Reply Quote 1
                                        • W
                                          will @girish last edited by

                                          @girish Ah, so they are not looking inside the TLS tunnel, but getting HTTP traffic that leaked.
                                          Relevant portion for those interested:
                                          "This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens)."

                                          mehdi 1 Reply Last reply Reply Quote 0
                                          • mehdi
                                            mehdi App Dev @will last edited by

                                            @will Can you give you source for the information that Cloudflare does not see inside the encryption session? I am a bit skeptical. The TLS tunnel goes to them, not to your own server. The whole point of their service is for them to handle the session so they can do some smart caching. The only more or less similar thing I know of is their Keyless SSL technology ( https://support.cloudflare.com/hc/en-us/articles/360022014111 ) which allows them to still terminate the encrypted session while not having the keys.

                                            W 1 Reply Last reply Reply Quote 0
                                            • W
                                              will @mehdi last edited by will

                                              @mehdi Yeah I think Im mistaken on that.
                                              We are implimenting an enterprise TSL Break & Inspect (man in the middling everyone's TLS) and it requires the endpoint to have the certificate of the Proxy accepted on box.
                                              Basically, if Cloudflare was breaking and inspecting TLS sessions in order to cache, you'd need their TLS cert on your server.
                                              Normal TLS
                                              [You] -------TLS Tunnel ------- [Destination Server]

                                              Break & Inspect TLS
                                              [You] ------ TLA Tunnel to Cloudflare (TLS Session 1) ------ [Cloudflare Proxy] ----- TLS Tunnel to Destination (TLS Session 2) --------- [Destination Server]

                                              So instead of the destination's certificate, you'd be seeing Cloudflare's cert. I'll look into it more, I don't want to give bad advice.

                                              mehdi 1 Reply Last reply Reply Quote 0
                                              • mehdi
                                                mehdi App Dev @will last edited by

                                                @will When you enable, Cloudflare proxying, you do see their cert (or the cert you have provided them with).

                                                It's basically a break-and-inspect that they do. Except their root certificate is already trusted by most machines by default ^^

                                                W 1 Reply Last reply Reply Quote 2
                                                • W
                                                  will @mehdi last edited by

                                                  @mehdi Thats kind of scary, thanks for the correction.

                                                  1 Reply Last reply Reply Quote 2
                                                  • First post
                                                    Last post
                                                  Powered by NodeBB