limit access to an app via nginx

[fsennj]

Hello how can i permantly (not using the authentication thing) limit access to certain apps via allowing only specific IPs to be able to access it.

for example access to portainer only to internal 192.168.0.0/24 IP Range.

is there any best practices how to do that?

[githubsaturn]

You have to edit nginx config for that. You can add something like this to your location block:

            allow 192.168.0.0/24;
            deny all;

[fsennj]

hi - thank you for your answer - could you tell exactly where to place? i am not getting it to work:
<%
if (s.forceSsl) {
%>
server {

    listen       8000;

    server_name  <%-s.publicDomain%>;

    # Used by Lets Encrypt
    location /.well-known/acme-challenge/ {
        root <%-s.staticWebRoot%>;
    }

    # Used by CapRover for health check
    location /.well-known/captain-identifier {
        root <%-s.staticWebRoot%>;
    }

    location / {
        return 302 https://$http_host$request_uri;
    }
}

<%
}
%>

server {

<%
if (!s.forceSsl) {
%>
    listen       80;
<%
}
if (s.hasSsl) {
%>
    listen              443 ssl http2;
    ssl_certificate     <%-s.crtPath%>;
    ssl_certificate_key <%-s.keyPath%>;
<%
}
%>

    client_max_body_size 500m;

    server_name  <%-s.publicDomain%>;

    # 127.0.0.11 is DNS set up by Docker, see:
    # https://docs.docker.com/engine/userguide/networking/configure-dns/
    # https://github.com/moby/moby/issues/20026
    resolver 127.0.0.11 valid=10s;
    # IMPORTANT!! If you are here from an old thread to set a custom port, you do not need to modify this port manually here!!
    # Simply change the Container HTTP Port from the dashboard HTTP panel
    set $upstream http://<%-s.localDomain%>:<%-s.containerHttpPort%>;

    location / {

<%
if (s.httpBasicAuthPath) {
%>
        auth_basic           "Restricted Access";
        auth_basic_user_file <%-s.httpBasicAuthPath%>; 
<%
}
%>

        proxy_pass $upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

<%
if (s.websocketSupport) {
%>
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
<%
}
%>
    }

    # Used by Lets Encrypt
    location /.well-known/acme-challenge/ {
        root <%-s.staticWebRoot%>;
    }
    
    # Used by CapRover for health check
    location /.well-known/captain-identifier {
        root <%-s.staticWebRoot%>;
    }

    error_page 502 /captain_502_custom_error_page.html;
    location = /captain_502_custom_error_page.html {
            root <%-s.customErrorPagesDirectory%>;
            internal;
    }

}

[githubsaturn]

Just above proxy_pass $upstream, i.e.

+        allow 192.168.0.0/24;
+        deny all;

        proxy_pass $upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

[fsennj]

thank you very much - it works - perfect! is there for the general captain backend also an nginx rule i could set that allow/deny rules?

[githubsaturn]

Yes. Settings > Edit nginx > Second block > Insert above proxy_pass $upstream

[fsennj]

great working! all the best for Christmas

[fsennj]

Hi githubsaturn. May i ask another thing ? i try to setup a wordpress multisite installation on caprover using wordpress 5.8.2 label for docker container.

for multisite i need to add some things to htaccess (which nginx doesnt have) how could i add that to the nginx setting of that container?
Add the following to your .htaccess file in /var/www/html/, replacing other WordPress rules:

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

[githubsaturn]

I have limited knowledge of apache rules, so unfortunately I can't help here. But my guess is that probably you don't need to change nginx config. Just add more domains to your app, and it'll all be directed to your wordpress container.

[fsennj]

yes thank you - thats what i ended up doing and now it just works fine! appreciate the fast help here! is there any plans on integrating:

1. 2 FA like Authy for the captain installation?
2. one click app for matrix / synapse / element chatserver

[githubsaturn]

1- 2FA will be coming soon!
2- One click apps are fully community maintained. CapRover one click apps are simply just docker compose files. I'm not familiar with these services, but for someone who is familiar, it'll take just a few minutes to set one up.

See the guide for one click apps here

There are tons of Docker compose files on web. Here is an example for Matrix Server Docker Compose.

[fsennj]

Hi - right understood and thank you for the update.. then i will try my luck with synapse!

[fsennj]

Hi i tried but i get always this problem:

2022-01-02T16:01:23.685046298Z File "/usr/local/lib/python3.8/os.py", line 223, in makedirs
2022-01-02T16:01:23.685048382Z mkdir(name, mode)
2022-01-02T16:01:23.685050325Z PermissionError: [Errno 13] Permission denied: '/DATADIR'

i set it like that and tried with www-data and also root permissions:

Path in App
/data
Path on Host
/var/lib/docker/volumes/captain--matrix-data/_data/data/

could this be related to that matrixdotorg/synapse:latest generate command i cant run?

[githubsaturn]

These types of errors are application errors and they are not specific to CapRover. See here for an example: Automattic/matrix-env#2

[fsennj]

Thank you very much – funny i didnt find that result in google search. BR Von: Kasra Bigdeli ***@***.***> Gesendet: Sonntag, 2. Januar 2022 19:35 An: caprover/caprover ***@***.***> Cc: Franz Senn jun. ***@***.***>; Author ***@***.***> Betreff: Re: [caprover/caprover] limit access to an app via nginx (Discussion #1289) These types of errors are application errors and they are not specific to CapRover. See here for an example: Automattic/matrix-env#2<Automattic/matrix-env#2> — Reply to this email directly, view it on GitHub<#1289 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AOVBDJPZJEHL4Y2HY75MPK3UUCLGXANCNFSM5KPQQLEQ>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://portalnospam.senn-beteiligung.at/link?id=BCAAAABGd7m3lfMOLOIhx3uNR_1Qav4Ffx8-jQB0torD82ts_OsAAAAIqWsF9ePBYPVmsLZivURSR1wiRXp7NFC5K2z9KEsGe3A8YpNHMihKUXY1FG6h_O6rfVBEhBKUnn5GaXwih5TdvYMT7gIdhcERXTiLCd_3QlrbSshvAXcpuQ5BYyq-iGmxjTDmQx2LZP85G_ImP3sJHwkSBTt7QaXUurqjg1FAVQd1rCGeQ3x2p-WGIkYE9_y_l-Qlboz3InlJLvI_o_BbiSsycM_2CZV94QM6ksx7Ch02EH4EcJraRtFWGOfjPrxd9Bg1Vuqn4E0f1KfAsstTT_3Nzon6B1qrkSwdjCYz7lgIcPo4tpWRZAZT0>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

[fsennj]

Hi Kasra,

it works - thank you once again - 2 ideas - would it be possible in futuer to see the ID/name of the conatiner in the apps dashboard of caprover as well as a "green light" for running container or smth. like "red light" for stopped containers?

[githubsaturn]

Displaying container name is probably just way too much noise. But displaying a health indicator is already a feature request: #503

[fsennj]

right understood but maybe when you enter one app below the name of the container.

for many docker exec it would be helpful so i wouldnt need portainer.. thank you

[fsennj]

Hello Kasra - for the self deployed one click app - is it possible to set the restart policy in caprover or do i need to use portainer for it?

eg. an app where i use the image from docker hub and put the env values manually. thank you

[githubsaturn]

You can use service override. But it's not easy. You have read the Docker API docs to understand what flag to set. It's easier to just use Portrainer.