binhex / arch-rtorrentvpn

Docker build script for Arch Linux base with ruTorrent, rTorrent, autodl-irssi, Privoxy and OpenVPN
GNU General Public License v3.0
238 stars, 35 forks

Limit nginx to lan access only? #179

Open hobeone opened 3 years ago

hobeone commented 3 years ago

I installed the rtorrentvpn image and I think I have things working appropriately (thanks for making this so easy!)

I was wondering about some of the firewall settings for the nginx ports. I'm running with wireguard as the VPN and noticed that the iptables rules (I think) can allow traffic from the VPN to hit the nginx proxy. I can't actually get a connection through from the VPN endpoint but I thought it might be good to have an option to explicitly lock down access in the container.

I have a separate nginx reverse proxy that handles authentication and so disabled authentication on the web interface presented in the container.

iptables snippet

0 0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0

and

# netstat -an -A ip -p | grep nginx
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      1938/nginx: master  
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      1938/nginx: master

The above suggests that traffic could come in over wireguard to the nginx instance. Is that prevented in some other way?
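A LAN-only lock-down of the kind asked for above, as an added example that is not the project's own code: it flags the wildcard nginx bind and the blanket wg0 ACCEPT quoted in the issue, and emits iptables rules that drop tunnel traffic to the web ports. The VPN interface (wg0), LAN interface (eth0), LAN subnet (192.168.1.0/24) and ports (9080, 9443) are assumed values; adjust them to your network.

```shell
#!/usr/bin/env bash
# Added example, not part of the arch-rtorrentvpn project: check whether the
# ruTorrent nginx listener is reachable over the VPN tunnel and emit the
# iptables rules that confine it to the LAN. Assumed (hypothetical) values:
# VPN interface wg0, LAN interface eth0, LAN subnet 192.168.1.0/24, and the
# web ports 9080/9443 seen in the issue's netstat output.
VPN_IF="${VPN_IF:-wg0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_PORTS="${WEB_PORTS:-9080,9443}"

# Returns 0 when a `netstat -an -A ip -p` style listing ($1) shows nginx bound
# to the wildcard address; a wildcard bind is what lets tunnel traffic reach it.
nginx_listens_on_wildcard() {
    printf '%s\n' "$1" |
        grep -Eq '^tcp +[0-9]+ +[0-9]+ +(0\.0\.0\.0|::):[0-9]+ .*LISTEN .*nginx'
}

# Returns 0 when an `iptables -L INPUT -v -n` listing ($1) contains a blanket
# "ACCEPT all" rule for the VPN interface, like the one quoted in the issue.
vpn_if_blanket_accept() {
    printf '%s\n' "$1" |
        grep -Eq "ACCEPT +all +-- +$VPN_IF +\* +0\.0\.0\.0/0 +0\.0\.0\.0/0"
}

# Emits (does not run) the rules. Both are inserted at position 1 so they sit
# above the blanket wg0 ACCEPT; the second insert ends up first, so the final
# order is: LAN ACCEPT, then VPN DROP, then whatever was there before.
lan_only_rules() {
    cat <<EOF
iptables -I INPUT 1 -i $VPN_IF -p tcp -m multiport --dports $WEB_PORTS -j DROP
iptables -I INPUT 1 -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT
EOF
}

# Applies the rules; needs root (or NET_ADMIN inside the container).
apply_lan_only_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_lan_only_rules: need root" >&2; return 1; }
    lan_only_rules | while IFS= read -r cmd; do sh -c "$cmd" || return 1; done
}
```

The DROP on the VPN interface is the part that answers the question; the LAN ACCEPT only matters when the INPUT chain's default policy is DROP.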

hobeone commented 3 years ago

I forgot to mention that I'm using Cloudflare as the VPN provider and that this seems to be the opposite of what is being asked for in #169.