disable webinterface or ip whitelist it #1581
-
Hello everyone, is there a way I can disable the web interface or alternatively whitelist the admin interface to an internal private IP only while my deployed apps are still reachable from the public internet? Thank you!
Replies: 4 comments 9 replies
-
No built-in functionality - but you can surely edit this in nginx UI at your own risk
-
Will try that, but suspect it's because the certificate cannot be validated or received, as the ACME certbot communication is blocked? Then I might just have to get a wildcard cert.
Will try both.
…On Wed, 19 Apr 2023, 18:30 Kasra Bigdeli, ***@***.***> wrote:
You can disable healthcheck if you want:
echo "{\"skipVerifyingDomains\":\"true\"}" > /captain/data/config-override.json
docker service update captain-captain --force
-
So this setup works great after disabling the health check, but it also blocks certificates from being renewed, as the ACME server cannot verify the domain when there is a tight allow list of IP addresses in the nginx config that does not include the ACME server's IP addresses. I am using ZeroSSL and they don't seem to have a static public list of IP addresses that they use. So I have 2 options. Either use a wildcard cert or, @githubsaturn, is there a way that I can turn off the React front end for the Captain Manager? Like somehow not make it render any HTML for the CaptainManager at all and replace it with a blank page. Since I am only using the CapRover API endpoints anyway at this moment, I also don't really need it anymore. API endpoints would still be exposed, but at least it's not as easy as having a nice page to try to brute force the password. At least you need to go to the trouble to create some code and figure out the endpoints as an attacker. Ultimately, integration with an IDP like Azure or Okta would be the best solution for this. Basically OIDC (OpenID Connect) SSO. I am pretty good with all things regarding authentication. Also happy to help. I just don't know anything about JavaScript or TypeScript.
-
To allow the access of your CapRover dashboard only from your IP, you can edit the nginx https://captain.xxx.xxx.xxx/#/settings > In the part
add
Be cautious with this parameter as it can potentially block access. If you need to reset the nginx config, you can use the commands in
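The allow list and the certificate renewal problem discussed in this thread can be reconciled in plain nginx by exempting only the ACME HTTP-01 challenge path from the IP restriction. This is an added example, not a snippet from any poster or from CapRover's own templates; the hostname, CIDR range, webroot and upstream address are placeholders, and where these directives belong inside CapRover's generated config is an assumption the thread does not confirm.

```nginx
# Added example with constructed values; adapt to the server block that
# actually serves the dashboard hostname.
server {
    listen 80;
    server_name captain.example.internal;      # placeholder dashboard hostname

    # ACME HTTP-01 validation comes from CA addresses that cannot be
    # enumerated in advance, so this single path stays open to everyone.
    # It serves only static challenge token files, never the dashboard or API.
    location ^~ /.well-known/acme-challenge/ {
        allow all;                              # overrides the restriction below
        root /var/www/acme-webroot;             # placeholder webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on the dashboard hostname, including the API endpoints.
    # nginx evaluates allow/deny in order and stops at the first match.
    location / {
        allow 10.0.0.0/8;                       # placeholder internal range
        deny  all;                              # all other clients get 403
        proxy_pass http://127.0.0.1:3000;       # placeholder upstream
    }
}
```

Access rules set inside a location replace any inherited from the server level, which is why the challenge location needs its own `allow all`. The same restriction has to be repeated in the HTTPS server block for the hostname, otherwise the dashboard stays reachable on port 443.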