LDAP port (security considerations)
-
In a way I understood from the hints I've got, when I expose my LDAP to the outside, you are not spawning a separate process, but instead re-route 3004 port to the web service - ldapjs - https://github.com/ldapjs/node-ldapjs/
I'm wondering if I can limit access to the port 3004 to a specific IP address? Or, even better, I would love to see limited access to some specific URLs - so that I could block access to 'ldapjs' only to my internal servers, as well as access to /well-known/' or other web services.
It feels like a relatively easy thing to do at nginx side, unless I'm wrong or missing something?
-
Yes, I'm. It seems I forgot that I made that setting with my own hand.
Is it possible to set this up for other services and web apps, including dashboard?
-
@potemkin_ai said in LDAP port (security considerations):
Is it possible to set this up for other services and web apps, including dashboard?
It's easier to discuss if you can give us concrete use cases (of what you are trying to achieve). Generally, anything is possible
but the way we go about Cloudron development itself is to be a solution and not a generic server management panel where a sysadmin can achieve all sorts of setups. -
@girish thanks! I would like to be able to close some web apps to be only accessible from specific IP set.
For example, Jitsi to be used by those who logged in via VPN.
Does it make sense?
-
@potemkin_ai Ah ok. The VPN use case requires a lot more platform integration and cannot be achieved just using some iptable rules. That feature is planned for 7.6 - https://forum.cloudron.io/topic/9180/what-s-coming-in-7-5/2 .
-
@girish agh, I meant some security gate that closes Cloudron from the outside and all of the traffic is coming from there - so I do know the IP address of all of the clients, as it's my security gate, and I want to make sure none from the outside world would reach specific app.
Does it makes sense?
Speaking about Cloudron build-in VPN integration - do you already have some plans how Wireguard integration & managent would looks like?
-
@potemkin_ai IP block/allow on app level including Geo-block/allow might be a solution? I use Cloudflare for some (sub)domains for this but love to have it inside Cloudron!
-
@imc67 geo-block feels like a more feature-rich solution, that might be of help, but not exactly my cup of tea.
I would guess, that Cloudflare doesn't prevent anyone from accessing your web service directly (should they figure out the IP address, for example, via e-mail you've sent)?
