CloudPanel behind a Proxy – Admin Settings

Churbz (@churbz), topic starter:

Greetings,

CloudPanel is installed behind a pfSense firewall with HA Proxy enabled on a shared public IP address. In this configuration the /admin/settings pages are accessible, which is undesired. How can this be restricted? HA Proxy is passing the X-Forwarded-For to the backend; however, the Remote-Host contains the internal interface address of the firewall. I remember reading a long time ago that /admin/settings was restricted to localhost, but it is not in this configuration.

Thanks.
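One way to do the restriction at the proxy rather than in CloudPanel, as an added example that is not part of the original thread and not CloudPanel's or pfSense's own configuration. It is written in raw HAProxy syntax; the pfSense HAProxy package generates its configuration from the GUI, so the same rule would be entered as an ACL plus an action on the shared frontend. The frontend and backend names, the LAN range 192.168.1.0/24, the CloudPanel host name and address, and the certificate path are all assumptions for the example:

```haproxy
# Added example, not CloudPanel's or pfSense's own config.
# Assumed names: frontend "shared_https", backend "cloudpanel",
# LAN 192.168.1.0/24, backend server 192.168.1.10, host cloudpanel.example.com.

frontend shared_https
    bind :443 ssl crt /etc/haproxy/certs/        # assumed certificate directory

    # Overwrite, rather than append to, any client-supplied X-Forwarded-For.
    # With the plain "forwardfor" option HAProxy appends the observed source to
    # whatever the client sent, so a client can prefix "127.0.0.1," to the chain.
    # After this line the backend sees only the address HAProxy itself observed.
    http-request set-header X-Forwarded-For %[src]

    # Match the settings pages and the sources that may reach them.
    acl is_admin_settings path_beg /admin/settings
    acl from_lan          src 192.168.1.0/24 127.0.0.1

    # Refuse the settings pages unless the request originates on the LAN.
    # "deny" answers with 403 before the request is forwarded to the backend.
    http-request deny if is_admin_settings !from_lan

    use_backend cloudpanel if { hdr(host) -i cloudpanel.example.com }

backend cloudpanel
    server cp1 192.168.1.10:80
```

Because the proxy terminates the connection, CloudPanel's own Remote-Host check can only ever see the firewall's internal address; restricting the path at the proxy is the place where the real client address is still known. The `set-header` line matters on its own: if X-Forwarded-For is appended to rather than replaced, any backend that reads the leftmost value will trust a client-chosen address.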

8 Replies
Jacob Dixon (@jdixon), Admin:

That is odd, because it should be checking that the connection is from localhost and/or the 127.0.0.1 loopback address. A connection coming from the interface of the firewall should not be allowed access to it. Can you use Google Chrome developer tools, click on the Network tab, then go to the site to generate the traffic? Right-click in the box, choose to save all as a HAR file, and upload that.

Churbz (@churbz):
@jdixon I have the har file as requested. Is there a secure location to upload the content?

Churbz (@churbz):
@jdixon The file has been uploaded. Thanks Jacob. 

As an aside, I have been using your product for many years and I have experienced the stability and maturity evolve. Well done! Looking at my password safe the record was created in August 2015. My use case is for my own personal domains and I would not exceed your generous 250 user account limit, however if there was a donation support one time payment option, I would contribute to your continued development efforts.

This is probably not the right forum to request feature requests, but here are a couple of things to ponder:

1) In the SPF records check section, further include _autodiscover, DKIM and DMARC record checks.

2) with no association to the project, there is an open source DKIM tool that works well on github: /Pro/dkim-exchange. I have been adding DKIM and DMARC records for all my on-prem hosted domains and no email gets routed to spam. If a tool such as this were integrated into CloudPanel, it would be even more professional than it is today.

Appreciate your help.

Jacob Dixon (@jdixon), Admin:

@churbz Looking at the HAR file, I see the remote address and not the local address. Also, when I try it using the request url in the HAR file I get a 401 response which doesn’t let me in. Is the public FQDN in the HAR going through the proxy?

Churbz (@churbz):

@jdixon Yes it is part of the shared IP public frontend in HA Proxy. The URL in the har file is correct. The server IP address in the har file is correct. I’ve just tried it off the local network infrastructure and receive the CloudPanel login screen as expected. Not sure why you are receiving a 401 unauthorized message. 

Maybe I was not specific enough: without authenticating, yes, the 401 would be expected. But once authenticated, the /admin/settings page is accessible; my login is a super user, and the access to /admin/settings is not attempted from localhost.

A terse log snip image from IIS is attached showing your attempt. 

Jacob Dixon (@jdixon), Admin:

@churbz It is sending back a 200 so it can display the 401 error to you but it seems to be working as designed. You can access the setup page from EITHER the local server it is installed on OR if you are logged in as a super admin. So if you are logged in as a super admin you can access that page from anywhere.

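The two points the thread turns on, that the backend's Remote-Host is the firewall's internal address and that the settings page is reachable from localhost OR by a super admin, can be modelled in a few lines. The following is an added example, not CloudPanel's code: it resolves the client address by honouring X-Forwarded-For only when the TCP peer is a trusted proxy and walking the chain right to left to the first untrusted hop (a standard technique, not necessarily what CloudPanel does), then applies the loopback-or-super-admin rule as Jacob states it. The trusted proxy range 10.0.0.0/24 and all sample addresses are assumptions:

```python
"""Added example (not CloudPanel's code).

Assumptions, labelled here and in the comments:
- the access rule is the one stated in the thread: loopback client OR super admin;
- the proxy/firewall LAN is 10.0.0.0/24 (hypothetical);
- X-Forwarded-For is resolved to the rightmost hop that is not a trusted proxy.
"""
import ipaddress

# Hypothetical address range of the HAProxy/pfSense box as seen by the backend.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_loopback(ip_str):
    """True for 127.0.0.0/8 and ::1; malformed input is never loopback."""
    try:
        return ipaddress.ip_address(ip_str).is_loopback
    except ValueError:
        return False


def is_trusted_proxy(ip_str, trusted=TRUSTED_PROXIES):
    """True if ip_str falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    X-Forwarded-For is only honoured when the TCP peer (remote_addr) is a
    trusted proxy; from anyone else the header is attacker-controlled and is
    ignored. Proxies that append (HAProxy's "option forwardfor") build a chain
    "client-supplied..., observed-source", so the chain is walked from the
    right and the first hop that is not a trusted proxy is the client.
    A value that a trusted proxy itself asserts is taken at face value, which
    is why the proxy must not forward client-supplied values unchanged.
    """
    if not xff_header or not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        client = hop
        if not is_trusted_proxy(hop, trusted):
            break
    return client


def settings_allowed(remote_addr, xff_header, is_super_admin,
                     trusted=TRUSTED_PROXIES):
    """The rule as stated in the thread: local machine OR super admin.

    Without X-Forwarded-For resolution the proxied case always fails the
    loopback test, because the peer is the firewall's interface address.
    """
    client = resolve_client_ip(remote_addr, xff_header, trusted)
    return bool(is_super_admin) or is_loopback(client)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("10.0.0.1", None, False),                       # OP's case: peer is the firewall
        ("10.0.0.1", "203.0.113.5", False),              # proxy forwards a real client
        ("10.0.0.1", "127.0.0.1, 203.0.113.5", False),   # client tried to spoof loopback
        ("203.0.113.5", "127.0.0.1", False),             # untrusted peer, header ignored
        ("127.0.0.1", None, False),                      # genuinely local
        ("10.0.0.1", "203.0.113.5", True),               # super admin from anywhere
    ]
    for remote, xff, admin in samples:
        print(remote, xff, admin, "->", settings_allowed(remote, xff, admin))
```

Run as written, the first sample reproduces the symptom in the thread: with no trusted-proxy resolution the firewall's 10.0.0.1 is never loopback, so the localhost path cannot succeed behind the proxy, and only the super-admin path remains.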