feat(proxy): add restrict access field #151

Merged
merged 3 commits into from
Mar 20, 2025
28 changes: 27 additions & 1 deletion proxy.rst
Expand Up @@ -9,7 +9,12 @@ The proxy is installed on each cluster node.

Access the ``HTTP routes`` card inside the ``Settings`` page to see all configured routes.
Applications usually automatically setup the proxy during the configuration phase.
Automatic routes can't be modified.
Automatic routes can't be modified except for the allowed IPs.

Each route can have a list of special attributes visible from the list:

- ``automatic`` for created rules created by the applications
- ``access restricted`` if access is restricted to a specific network

You can add a custom route by clicking :guilabel:`Create route` button.
Then enter the following details:
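
Review bot: The "automatic" item in the new attribute list reads "for created rules created by the applications": "created" is doubled, and "rules" should be "routes" to match the rest of the page. Suggest "for routes created by the applications". In the same hunk, "except for the allowed IPs" introduces a term that appears nowhere else in the visible text. The list item calls it "access restricted" and the form field is "Restrict access from", so one name should be used throughout so the reader can connect the sentence to the field. The "access restricted" item also says "a specific network", while the field accepts several entries, one per line.
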
Expand All @@ -29,3 +34,24 @@ Then enter the following details:
the application will be available on a URL like ``https://cluster.nethserver.org/myapp``
- ``Strip URL path prefix``: when ``Path`` field is not empty, strip the path before routing the request to the target URL
- ``Request Let's Encrypt certificate`` enable this option to request a valid certificate, please remember :ref:`all requirements <certificate_manager-section>`
- ``Restrict access from``: restrict access to the route to a specific network, by default the route is accessible from any network.
Enter a valid IPv4 address or CIDR network per line.

.. note::
The route named ``cluster-admin`` is a special route that is automatically created during the cluster setup.
It is used to access the cluster administration interface.
Please bear in mind that if you restrict access to this route:

- you may prevent a new worker from joining the cluster
- you may lose access to the cluster configuration if you do not correctly enter your own IP address


If you loose access to the cluster administration interface, you can remove the access restriction from the command line.
Follow these steps:

1. Access the cluster node using SSH with root privileges
2. Run the following command to remove the access restriction from the ``cluster-admin`` route: ::

api-cli run module/traefik1/set-route --data '{"instance": "cluster-admin", "ip_allowlist": []}'

Replace ``traefik1`` with the correct module identifier, if your cluster has multiple nodes. Traefik identifiers are listed in the ``HTTP routes`` page.
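
Review bot: The recovery procedure's last sentence sends the reader to the "HTTP routes" page to find the Traefik module identifier, but the procedure exists for the case where the administration interface is unreachable, so that page cannot be opened. Add a command-line way to find the identifier to the SSH steps, or state which node to connect to so that "traefik1" is the right value. Also in this hunk: "If you loose access" should be "If you lose access". The "Restrict access from" item says "a specific network" although it accepts one IPv4 address or CIDR per line, so "one or more addresses or networks" would be more accurate, and it should say explicitly whether IPv6 entries are rejected. Since restricting "cluster-admin" can lock out both administrators and joining workers, the note would be safer if it told the reader to include the addresses of the other cluster nodes and their own address before saving.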