Restrict Dashboard Access - Cloudron v6.1.2

Category: Support
Tag: firewall
5 Posts, 3 Posters, 1.2k Views
anwarnajjar wrote (last edited by girish), #1

    Dears,

    How can I restrict who can reach and access my dashboard?

    The use case:

    I need to restrict access to the dashboard to only two static IPs and a few users.
    Any other IPs can't reach the dashboard webpage.

girish (Staff) wrote, #2

      @anwarnajjar You can set this as a rule in your Cloud firewall. Cloudron itself doesn't have built-in support for this yet. For example, in DO, you can use their firewall - https://www.digitalocean.com/docs/networking/firewalls/how-to/configure-rules/

potemkin_ai wrote, #3

        @girish thank you! Are there any recommendations on how to do it from the command line, for those who are not so happy about cloud providers?

        May I use ufw with Docker addition?

        By the way, blocking the dashboard will also block updating SSL certificates, unless Cloudron can switch to DNS validation with the appropriate certbot modules?

girish (Staff) wrote, #4

          @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet.

          Why not just enable 2FA on the dashboard?

potemkin_ai wrote, #5

            @girish said in Restrict Dashboard Access - Cloudron v6.1.2:

            @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet.

            I didn't test the solution yet; I found it with people referring to it as a working one, so I have hopes.

            The idea is to modify /etc/ufw/after.rules to contain:

            # BEGIN UFW AND DOCKER
            *filter
            :ufw-user-forward - [0:0]
            :ufw-docker-logging-deny - [0:0]
            :DOCKER-USER - [0:0]
            -A DOCKER-USER -j ufw-user-forward
            
            -A DOCKER-USER -j RETURN -s 10.0.0.0/8
            -A DOCKER-USER -j RETURN -s 172.16.0.0/12
            -A DOCKER-USER -j RETURN -s 192.168.0.0/16
            
            -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
            
            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
            
            -A DOCKER-USER -j RETURN
            
            -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
            -A ufw-docker-logging-deny -j DROP
            
            COMMIT
            # END UFW AND DOCKER
            

            Why not just enable 2FA on the dashboard?

            It's a different security layer. 2FA relies on the code, which is much more complicated, as opposed to network-level filtering.

            What is more complicated could have more issues.

            So, whenever possible, I close any code from outside access - everything has bugs, some of them in the security space, even if you are OpenBSD 🙂

            Do you believe this could become part of the system?

            I would really like to deny from all with allow from xxx.xxx.xxx.xxx with periodic firewall disable for let's encrypt.
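A defender-side sketch of the "deny from all, allow from a few static IPs" setup asked for above, as an added example that is not from the thread or from Cloudron: a POSIX shell script that emits an iptables-restore rule block (in the same `*filter` ... `COMMIT` form as the after.rules snippet) allowlisting the dashboard's HTTPS port to a handful of IPv4 addresses while leaving port 80 untouched, so the Let's Encrypt HTTP-01 renewal mentioned earlier in the thread keeps working. The chain names DASHBOARD-ALLOW and DASHBOARD-DENY, the placement in the host's INPUT chain (i.e. the dashboard being served by the host rather than from a container) and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cloudron.
# Emits iptables-restore rules that let only allowlisted IPv4 sources open new
# TCP connections to the dashboard port and log-then-drop everyone else.
# Port 80 is deliberately not touched so the HTTP-01 check still reaches the
# host. Chain names and INPUT-chain placement are assumptions.

# Return 0 only for a well-formed dotted-quad IPv4 address (each octet 0..255).
valid_ipv4() {
    rest=$1
    n=0
    # Reject empty input, non-digit characters and empty labels up front.
    case "$rest" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        if [ "$rest" = "$octet" ]; then rest=; else rest=${rest#*.}; fi
    done
    [ "$n" -eq 4 ]
}

# dashboard_rules PORT IP [IP...]: print the filter-table block to stdout.
# The INPUT rule is inserted at position 1 so it runs before ufw's own chains;
# RETURN from DASHBOARD-ALLOW hands the packet back to INPUT, so allowlisted
# sources continue through whatever rules already follow.
dashboard_rules() {
    port=$1
    shift
    [ $# -ge 1 ] || { echo "dashboard_rules: no allowlisted IPs given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "dashboard_rules: bad IPv4 address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':DASHBOARD-ALLOW - [0:0]'
    echo ':DASHBOARD-DENY - [0:0]'
    echo "-I INPUT 1 -p tcp -m tcp --syn --dport $port -j DASHBOARD-ALLOW"
    for ip in "$@"; do
        echo "-A DASHBOARD-ALLOW -s $ip/32 -j RETURN"
    done
    echo '-A DASHBOARD-ALLOW -j DASHBOARD-DENY'
    echo '-A DASHBOARD-DENY -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[DASHBOARD BLOCK] "'
    echo '-A DASHBOARD-DENY -j DROP'
    echo 'COMMIT'
}

# Sample run with two constructed (documentation-range) addresses. Review the
# output before loading it, e.g.: dashboard_rules 443 ... | iptables-restore -n
dashboard_rules 443 203.0.113.10 198.51.100.7
```

Keep a console session to the host open while applying the rules, since a mistake in the allowlist locks out exactly the addresses you meant to keep.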
