Separating web ports for customer and admin portals


#1

I would like to request the option to separate the TCP port on which the customer portal runs from the administrator portals.

This will enable better firewall rules to restrict the administrator portals from specific hosts or internal subnets as against the customer portal which should be public.

cheers


#2

Hi,
You can change the nginx config to set access from different subnets, like:

    location /admin {
            allow 192.168.1.0/24;
            deny all;
            try_files $uri $uri/ /index.php?$args;
    }

    location /portal {
            allow 192.168.1.0/24;
            allow 10.1.0.0/20;
            allow 10.10.1.0/20;
            deny all;
            try_files $uri $uri/ /index.php?$args;
    }

#3

While this works - Would this stay in place when there is an update?
A better solution for the next release would be the ability to specify this within the Splynx Admin portal itself.


#4

Hi Glenn,

Sure, it will work after update.


#5

Awesome - thank you for the quick reply.


#6

Hi Nik

We already have that setup working but we always need to add and remove lists from the config and reload web server which is not the best and does not scale well.

Is there a way to serve the content of admin pages on different tcp port from the customer portal?
For example:
https://account.myisp.net:8085 ===> admin portal
https://account.myisp.net:8088 ===> customer portal

Then we can apply a central firewall rule on the servers gateway to allow permitted IPs to the admin portal tcp port.

And possibly even have the two on different subdomain as well.


#7

The simplest solution is to use the same configuration and prohibit access to /admin for customers.

Follow these steps:

1. Admin portal

In the file /etc/nginx/sites-enabled/splynx-ssl change

    listen 443;

to

    listen 8085;

2. Customers portal

Copy /etc/nginx/sites-available/splynx-ssl to /etc/nginx/sites-available/splynx-ssl-portal and make a symbolic link in /etc/nginx/sites-enabled/

    bash# cp /etc/nginx/sites-available/splynx-ssl /etc/nginx/sites-available/splynx-ssl-portal
    bash# cd /etc/nginx/sites-enabled/
    bash# ln -s /etc/nginx/sites-available/splynx-ssl-portal

In the file /etc/nginx/sites-enabled/splynx-ssl-portal change

    listen 8085;

to

    listen 8088;

Add these lines after include sites-available/splynx-*.addons;

    location /admin/ {
            deny all;
    }

3. Restart nginx service

    bash# systemctl restart nginx
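
An added example, not part of the original posts and not Splynx's own configuration: a simplified Python model of how nginx selects a `location`, used to check whether the `/admin/` deny block from the steps above really handles every admin URI on the customer port. The regex PHP handler in the sample location sets is an assumption about what the rest of the site config might contain; `^~` is the nginx modifier that stops regex locations from overriding a prefix match.

```python
import re

# Constructed location sets (modifier, pattern, label). The regex PHP handler
# is an assumption about the rest of the site config, not taken from Splynx.
# Simplified model: no nested/named locations, no URI normalisation.
PORTAL_AS_POSTED = [
    ("", "/", "app"),
    ("", "/admin/", "deny"),       # location /admin/ { deny all; }
    ("~", r"\.php$", "php"),
]
PORTAL_HARDENED = [
    ("", "/", "app"),
    ("^~", "/admin", "deny"),      # location ^~ /admin { deny all; }
    ("~", r"\.php$", "php"),
]
SAMPLE_URIS = ["/admin/", "/admin/login", "/admin/index.php", "/admin"]

def select_location(locations, uri):
    """Return the label of the location nginx would pick for uri."""
    # 1. An exact (=) match wins immediately.
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
    # 2. Find the longest matching prefix location.
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    # 3. ^~ on that prefix suppresses the regex pass.
    if best and best[0] == "^~":
        return best[2]
    # 4. Otherwise the first matching regex, in file order, overrides it.
    for mod, pat, label in locations:
        if mod in ("~", "~*") and re.search(
                pat, uri, re.IGNORECASE if mod == "~*" else 0):
            return label
    # 5. Fall back to the longest prefix, if any.
    return best[2] if best else None

def audit(locations, uris):
    """Return the URIs that are NOT handled by the deny block."""
    return [u for u in uris if select_location(locations, u) != "deny"]

if __name__ == "__main__":
    print("as posted:", audit(PORTAL_AS_POSTED, SAMPLE_URIS))
    print("hardened: ", audit(PORTAL_HARDENED, SAMPLE_URIS))
```

Running `nginx -T` prints the effective configuration, which shows whether any regex locations are actually present in the customer-port server block.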


#8

Thanks Peter

I have adapted your solution to my environment.
Now I need to find a means to disable the nginx Forbidden 403 message when an unauthorized resource is accessed.
I just want the request to be silently dropped without showing any page.

cheers


#9

You can create custom web page to handle 403 errors. For instance:

    <html>
    <body>
    my error page
    </body>
    </html>

Save this page in /var/www/splynx/web/403.html
Then edit /etc/nginx/sites-enabled/splynx…
Insert this block:

    error_page 403 /403.html;
    location = /403.html {
            root /var/www/splynx/web;
            internal;
    }

Restart nginx:

    systemctl restart nginx

Reference: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-to-use-custom-error-pages-on-ubuntu-14-04