Cloudron Forum


Restrict Dashboard Access - Cloudron v6.1.2

Category: Support | Tag: firewall | 5 Posts, 3 Posters, 372 Views
  • anwarnajjar wrote (#1, last edited by girish):

    Dears,

    How can I restrict who can reach and access my dashboard?

    The use case:

    I need to restrict access to the dashboard to only two static IPs and a few users.
    Any other IPs can't reach the dashboard webpage.

  • girish (Staff) replied to anwarnajjar (#2):

    @anwarnajjar You can set this as a rule in your Cloud firewall. Cloudron itself doesn't have built-in support for this yet. For example, in DO, you can use their firewall - https://www.digitalocean.com/docs/networking/firewalls/how-to/configure-rules/

  • potemkin_ai replied to girish (#3):

    @girish thank you! Are there any recommendations on how to do it from the command line, for those who are not so happy about their cloud provider?

    May I use ufw with Docker addition?

    By the way, blocking the dashboard will also block updating SSL certificates, unless Cloudron can switch to DNS validation with appropriate certbot modules?

  • girish (Staff) replied to potemkin_ai (#4):

    @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet.

    Why not just enable 2FA on the dashboard?

  • potemkin_ai replied to girish (#5):

    @girish said in Restrict Dashboard Access - Cloudron v6.1.2:

    @potemkin_ai UFW and Docker are not compatible. I haven't looked into the repo you linked yet.

    I haven't tested the solution yet; I found it with people referring to it as a working one, so I have hopes.

    The idea is to modify /etc/ufw/after.rules to contain:

    # BEGIN UFW AND DOCKER
    *filter
    :ufw-user-forward - [0:0]
    :ufw-docker-logging-deny - [0:0]
    :DOCKER-USER - [0:0]
    # Docker evaluates DOCKER-USER before its own chains; hand off to ufw's forward rules first
    -A DOCKER-USER -j ufw-user-forward

    # Traffic originating from private (RFC1918) networks is always let through
    -A DOCKER-USER -j RETURN -s 10.0.0.0/8
    -A DOCKER-USER -j RETURN -s 172.16.0.0/12
    -A DOCKER-USER -j RETURN -s 192.168.0.0/16

    # DNS replies to ephemeral client ports
    -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

    # New inbound TCP connections (SYN) and UDP to low ports on container addresses
    # from anywhere else are logged and dropped
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

    # Everything else continues through Docker's normal chains
    -A DOCKER-USER -j RETURN

    # Rate-limited log line, then drop
    -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
    -A ufw-docker-logging-deny -j DROP

    COMMIT
    # END UFW AND DOCKER

    Why not just enable 2FA on the dashboard?

    It's a different security layer. 2FA relies on the code, which is much more complicated, as opposed to network-level filtering.

    What is more complicated could have more issues.

    So, whenever possible, I close any code from outside access - everything has bugs, some of them in the security space, even if you are OpenBSD 🙂

    Do you believe this could become part of the system?

    I would really like to deny from all with allow from xxx.xxx.xxx.xxx, with a periodic firewall disable for Let's Encrypt.

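As an added example (not code from the thread, from Cloudron, or from the ufw-docker project), the following POSIX shell generator produces the "deny from all, allow from xxx.xxx.xxx.xxx" rule set asked for in #1 and #5, written so that the certificate renewal problem raised in #3 does not need a periodic firewall disable. It assumes the dashboard is served on TCP 443 and that certificates are renewed with the HTTP-01 challenge on TCP 80 (neither is stated on the page), and it uses a hypothetical chain name, dashboard-allow. Because the page does not say whether dashboard traffic reaches the host directly or through a published container port, the chain is hooked into both INPUT and DOCKER-USER.

```shell
#!/bin/sh
# Added example: not code from the thread or from Cloudron. Generates an
# iptables-restore fragment that allows new TCP 443 connections (assumed here
# to be the dashboard) only from a fixed list of source CIDRs, while leaving
# TCP 80 open so Let's Encrypt HTTP-01 validation (assumed renewal method)
# keeps working. Chain name "dashboard-allow" is hypothetical.

# dashboard_allowlist_rules <cidr> [<cidr> ...]  -> fragment on stdout
dashboard_allowlist_rules() {
    [ "$#" -ge 1 ] || { echo "usage: dashboard_allowlist_rules <cidr>..." >&2; return 1; }
    for cidr in "$@"; do
        # Light syntax check: digits, dots and at most one /prefix.
        case "$cidr" in
            ''|*[!0-9./]*|*/*/*) echo "bad CIDR: $cidr" >&2; return 1 ;;
        esac
    done

    printf '%s\n' '*filter'
    # Declaring DOCKER-USER is safe with --noflush: an existing chain is kept.
    printf '%s\n' ':DOCKER-USER - [0:0]'
    printf '%s\n' ':dashboard-allow - [0:0]'

    # Loopback and RFC1918 sources keep access, mirroring the RETURNs in the
    # ufw-docker fragment posted above.
    for src in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s%s%s\n' '-A dashboard-allow -s ' "$src" ' -j RETURN'
    done

    # The static IPs that may open connections to the dashboard.
    for cidr in "$@"; do
        printf '%s%s%s\n' '-A dashboard-allow -s ' "$cidr" ' -p tcp -m tcp --dport 443 -j RETURN'
    done

    # Everyone else: new connections (SYN) to 443 are logged at a limited rate,
    # then dropped. Matching SYN only leaves already established sessions alone,
    # the same idiom the ufw-docker rules use.
    printf '%s\n' '-A dashboard-allow -p tcp -m tcp --dport 443 --syn -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[DASHBOARD BLOCK] "'
    printf '%s\n' '-A dashboard-allow -p tcp -m tcp --dport 443 --syn -j DROP'

    # Port 80 stays reachable from anywhere for the ACME HTTP-01 challenge.
    printf '%s\n' '-A dashboard-allow -p tcp -m tcp --dport 80 -j RETURN'
    printf '%s\n' '-A dashboard-allow -j RETURN'

    # Evaluate the allowlist first on both paths traffic can take.
    printf '%s\n' '-I INPUT 1 -j dashboard-allow'
    printf '%s\n' '-I DOCKER-USER 1 -j dashboard-allow'
    printf '%s\n' 'COMMIT'
}

# Counts the per-source allow rules in a fragment read from stdin (sanity check).
count_allow_rules() {
    grep -c -- '--dport 443 -j RETURN'
}

# Usage (constructed addresses from the RFC 5737 documentation ranges):
#   dashboard_allowlist_rules 203.0.113.10/32 198.51.100.7/32 > /etc/dashboard.rules
#   iptables-restore --noflush < /etc/dashboard.rules
if [ "$#" -gt 0 ]; then
    dashboard_allowlist_rules "$@"
fi
```

Load the fragment with iptables-restore --noflush so the existing Docker and ufw chains are kept, then test from an address that is not on the list: the refused SYN should appear in the kernel log with the [DASHBOARD BLOCK] prefix, while an allowed address and the port 80 challenge path still work. If the reverse proxy runs on the host, only the INPUT hook does the filtering and the DOCKER-USER hook is harmless. Rules loaded this way do not survive a reboot unless saved, and IPv6 needs the same fragment fed to ip6tables-restore.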
