disable webinterface or ip whitelist it

[Kkeller83]

Hello everyone,

is ther a way I can disable the webinterface or alternatively whitelist the admin interface to an internal private ip only while my deployed apps are still reachable from the public internet?

Thank you!

[githubsaturn]

No built-in functionality - but you can surely edit this in nginx UI at your own risk

[Kkeller83]

So I tried that, but the nginx in caprover seems to only see my public ip, even though I am resolving the domain to caprover to a private ip address through the VPN connected DNS. So when I add my private IP address from the VPN it wont let me connect and always shows forbidden. So I either figure out how to make sure that nginx sees the private IP address from the VPN, or what I did as a workaround for now, I enabled the firewall of the Cloud hoster I am using (Hetzner) to only allow ip addresses from private VPN network to access the server. That works for me now. I will see if I can also get it to work with caprover, but I am not very confident its a good route. If I can not figure it out I will just disable the UI by letting the not working IP address rule present, so basically nobodoy can connect, and therby disabling the UI and just use the API endpoints.

[Kkeller83]

Ok I figured it out, at least as far as I can can work with it now. So I realized that the IP that nginx sees is the IP from my VPN server and not the IP the VPN server has assigned to me as a local address in the network and it works. Now I also need to protect the endpoints, but this is probably a different story. Meanwhile this is resolved

[Kkeller83]

endpoits are also protected through this rule. Tihis is amazing

[githubsaturn]

You can disable healthcheck if you want:

echo  "{\"skipVerifyingDomains\":\"true\"}" >  /captain/data/config-override.json
docker service update captain-captain --force

[Kkeller83]

Will try that, but suspect its because the certificate can not be validated or received as the acme certbot communication is blocked? Then I might to have just get a wildcard cert. Will try both

…

On Wed, 19 Apr 2023, 18:30 Kasra Bigdeli, ***@***.***> wrote: You can disable healthcheck if you want: echo "{\"skipVerifyingDomains\":\"true\"}" > /captain/data/config-override.json docker service update captain-captain --force — Reply to this email directly, view it on GitHub <#1581 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB224IDJHCIDFOKCMIKKCM3XCAHKRANCNFSM6AAAAAASTPBHRM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[Kkeller83]

disabling health checks worked!

[Kkeller83]

So this setup works great after disabling the health check, but it also blocks certificates from being renewed as the ACME server can not verfiy the domain when there is a tight allow list of ip addresses in the nginx config that does not include the ACME servers IP addresses. I am using zeroSSL and they dont seem to have a static public list of IP addresses that they use.

So I have 2 options. Either use a wildcard cert or @githubsaturn is there a way that I can turn off the react front end for the Captain Manager?

Like somehow not make it render any HTML for the CaptainManager at all and replace it with a blank page.

Since I am only using the Caprover API endpoints anyway at this moment I also dont really need it anymore. API endpoints would still be exposed, but it least its not as easy as having a nice page to try to brute force the password. At least you need a to have to go to the trouble to create some code and figoure out the endpoints as an attacker.

Ultimaly integration with an IDP like Azure or Okta would have be the best solution for this. Basically OIDC (OpenID connect) SSO. I am pretty good with all things regarding authentication. Also happy to help. I just dont know anything about Javascript or Typescript.

[githubsaturn]

You can probably make some changes in nginx config that blocks anything that doesn't start with /api

Settings > nginx > "CapRover Config Location in nginx container"
Go under # Captain dashboard at captain.captainroot.domain.com and add the relevant block

https://serverfault.com/questions/832975/nginx-block-access-to-url

[bastienperez]

To allow the access of your CapRover dashboard only from your IP, you can edit the nginx https://captain.xxx.xxx.xxx/#/settings > CapRover Config Location in nginx container.

In the the part

location / {
        proxy_pass $upstream;

add allow/deny lines (do not forget the semi-colon ;).

location / {
        allow yourPublicIP;
        deny all;
        proxy_pass $upstream;

Be cautious with this parameter as it can potentially block access. If you need to reset the nginx config, you can use the commandes in
https://caprover.com/docs/troubleshooting.html#ive-made-a-change-to-the-nginx-config-that-broke-the-admin-ui