afeiszli
commented
2 years ago In the labels of your netmaker-ui section of your docker-compose:
-
you need to add this line:
- traefik.http.middlewares.nmui-security-1.ipwhitelist.sourcerange=YOUR_IP_CIDR
-
you need to change this line:
- traefik.http.routers.netmaker-ui.middlewares=nmui-security@docker to this:
- traefik.http.routers.netmaker-ui.middlewares=nmui-security-1@docker,nmui-security@docker
After that, docker-compose down / up and you should be good.
Replace YOUR_IP_CIDR with the whitelist ip range (can be multiple ranges)
Hello there, team!
I highly appreciate the effort you are putting in this project.
We want to better secure our Netmaker installation, so we are trying to separate the web-dashboard access from the API communication of the netclients. The access to the web dashboard = compromise of the whole private network, since it becomes trivial to create a token and instantly get an access to the network.
The Goal
The goal is:
Example https://dashboard.netmaker.com:8080 for web control; behind the firewall https://api.netmaker.com:443 for nodes communication; accessible from anywhere
Configuration
We are running a standard docker-compose configuration described in this doc: https://netmaker.readthedocs.io/en/master/quick-start.html. As far as I can see, netclients are communicating with the netmaker using the same port :443, as a https web interface.
Could you please guide me to the solution? I have tried a couple of options, like changing different ports in docker-compose.yml configuration, but wasn't able to achieve my goal. Perhaps I can ask you for a little help, since you have a better understanding of the system overall.
If you need any additional info, I will be glad to provide it! Any help will be appreciated. Perhaps you could even suggest some alternative way of securing the system.