@wind-gmbh Is the use case here that the server has multiple interfaces and one is public internet and another is private internet ?
Yes, exactly. It is basically the idea to limit the attack surface in a single-server scenario by excluding some apps from the public eye.
FWIW, I prefer the first config more then the second one i.e just restrict listening on the interface only in the first place.
I would say either has it's advantages:listen on IP allow / deny Network Layer Layer 3/4 (TCP/IP) Layer 7 (HTTP) Works with single IP no yes Network segmentation / Firewall required yes no Visible Access Barrier Not routed / dropped by Firewall HTTP 403 Cloudron needs to keep track of assigned IP addresses yes no
They are differently working solutions for the same basic problem, that apply to different scenarios.