search

azukaar / Cosmos-Server

☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot)
https://cosmos-cloud.io
Other
3.1k stars 112 forks source link

[FEAT]: Network, admin control and proxy server separation #92

Closed baltazartroisville closed 11 months ago

baltazartroisville commented 11 months ago

Feature Description

Hello,

first of all I would like to thank you very much for this great software. It was certainly an enormous effort to do all this work alone, without a good portion of discipline and dedication it would certainly not have been possible. Thank you very much!

I have a few thoughts, these are from a layman's point of view and therefore possibly complete nonsense, please bear with me. English isnt my mother tongue.

  1. wouldn't it make sense for security reasons if Cosmos and its associated server apps were added by default to a Docker network other than the default bridge? After all, it's already possible to add any server app to an isolated network now.

  2. from a security perspective, would it perhaps make sense to separate the proxy server part and the admin control panel and also make them addressable through a different, freely selectable, port? This would for example allow to protect the admin control panel separately by additional software, e.g. CF tunnels, without restricting the Cosmos proxy by multiple reverse proxies, right?

  3. maybe it would also be useful to be able to customize the domain path suffix for the control panel?

Many kind regards!

azukaar commented 11 months ago

Thanks you for the kind comments, appreciate it

  1. ok so a bit of backstory: there are two ways to create a servapp: either via compose/docker import, or via the market. When you use compose/docker import, it's up to the user to isolate the network since it's in their control. THen from the market, the "isolate network" checkbox is on by default which effectively makes it use a private network other than the bridge. SO the answer is yes, by default it already does isolate container's network (except if told otherwise)

  2. Yes and no. That would add additional complexity to a system that is already borderline to master for many people. Using different ports is not quite the solution IMO, but I do agree there's an opportunity for improvements here. One of the thing I have considered would be restricting the admin to Constellation (optionally) which means the admin would be 3 factors instead of 2

  3. do you mean the suffix for the path? The /cosmos-ui? If that's what you mean I don't think it will have any use to be honest, on the other hand it will f up your cache everytime you change it inducing complexity for the user (and also for me in the code for each redirects)

I am closing the ticket but feel free to continue the conversation here :)