CloudPanel behind a Proxy – Admin Settings
Greetings,
CloudPanel is installed behind a pfSense firewall with HA Proxy enabled on a shared public IP address. In this configuration the /admin/settings pages are accessible which is undesired. How can this be restricted? HA Proxy is passing the X-Forwarded-For to the backend however the Remote-Host contains the internal interface address of the firewall. I remember reading a long time ago that the /admin/settings was restricted to localhost but it is not in this configuration.
Thanks.
That is odd because it should be checking that the connection is from localhost and/or the 127.0.0.1 loopback address. It coming from the interface of the firewall should not allow access to it. Can you use Google Chrome developer tools, click on the Network tab, then go to the site to generate the traffic, right click in the box, choose to save all to a HAR file, and upload that?
I have the har file as requested. Is there a secure location to upload the content?
@churbz You can upload it here: https://compsysar.sharefile.com/r-rb5052b5f99854b309318211c15ac0e5e
@jdixon The file has been uploaded. Thanks Jacob.
As an aside, I have been using your product for many years and I have experienced the stability and maturity evolve. Well done! Looking at my password safe the record was created in August 2015. My use case is for my own personal domains and I would not exceed your generous 250 user account limit, however if there was a donation support one time payment option, I would contribute to your continued development efforts.
This is probably not the right forum to request feature requests, but here are a couple of things to ponder:
1) in the spf records check section, further include _autodiscover, DKIM and DMARC record checks.
2) with no association to the project, there is an open source DKIM tool that works well on github: /Pro/dkim-exchange. I have been adding DKIM and DMARC records for all my on-prem hosted domains and no email gets routed to spam. If a tool such as this were integrated into CloudPanel, it would be even more professional than it is today.
Appreciate your help.
@churbz Looking at the HAR file, I see the remote address and not the local address. Also, when I try it using the request url in the HAR file I get a 401 response which doesn’t let me in. Is the public FQDN in the HAR going through the proxy?
@jdixon Yes it is part of the shared IP public frontend in HA Proxy. The URL in the har file is correct. The server IP address in the har file is correct. I’ve just tried it off the local network infrastructure and receive the CloudPanel login screen as expected. Not sure why you are receiving a 401 unauthorized message.
Maybe I was not specific enough: without authenticating, yes, the 401 would be expected. But once authenticated, the /admin/settings page is accessible, even though my login is a super user and the access to /admin/settings is not attempted from localhost.
A terse log snip image from IIS is attached showing your attempt.
@churbz It is sending back a 200 so it can display the 401 error to you but it seems to be working as designed. You can access the setup page from EITHER the local server it is installed on OR if you are logged in as a super admin. So if you are logged in as a super admin you can access that page from anywhere.
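As an added illustration (not CloudPanel's code), here is how the rule jdixon describes, loopback OR super admin, behaves when the panel sits behind a proxy and X-Forwarded-For is honoured only from a trusted proxy address; the proxy address 10.0.0.1 and the client addresses are constructed placeholders, and the function names are assumptions.

```python
import ipaddress

# Constructed placeholder: the firewall's internal interface address that
# shows up as the Remote-Host when HAProxy forwards a request (assumption).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address an access rule should evaluate.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could add the header and claim to be 127.0.0.1.
    The chain is walked from the right and trusted proxy hops are skipped.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if addr not in trusted_proxies:
            return addr
    return peer


def admin_settings_allowed(remote_addr, x_forwarded_for, is_super_admin):
    """Access rule as described in the thread: local (loopback) or super admin."""
    client = effective_client_ip(remote_addr, x_forwarded_for)
    return client.is_loopback or is_super_admin
```

Without the trusted-proxy check, a direct request carrying a forged `X-Forwarded-For: 127.0.0.1` would look local; with it, only the firewall's own forwarded address is believed.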