Seperating web ports for customer and admin portals

theafricanpenguin · September 16, 2017, 11:21pm

I would like to request the option to separate the tcp port on which the customer portal runs from the adminstrator portals.

This will enable better firewall rules to restrict the administrator portals from specific hosts or internal subnets as against the customer portal which should be public.

cheers

Nik · September 17, 2017, 5:39pm

Hi,
you can change nginx config, to set access from different subnets, like:

    location /admin {
            allow 192.168.1.0/24;
            deny all;
            try_files $uri $uri/ /index.php?$args;
    }

    location /portal {
            allow 192.168.1.0/24;
            allow 10.1.0.0/20;
            allow 10.10.1.0/20;
            deny all;
            try_files $uri $uri/ /index.php?$args;
    }

Glenn_Kelley · September 25, 2017, 4:10pm

While this works - Would this stay in place when there is an update?
A better solution for the next release would be the ability to specify this within the Splynx Admin portal itself.

Nik · September 25, 2017, 5:50pm

Hi Glenn,

sure, it will work after update.

Glenn_Kelley · September 27, 2017, 10:14pm

awesome - thank you for quick reply.

theafricanpenguin · December 24, 2018, 12:15pm

Hi Nik

We already have that setup working but we always need to add and remove lists from the config and reload web server which is not the best and does not scale well.

Is there a way to serve the content of admin pages on different tcp port from the customer portal?
For example:
https://account.myisp.net:8085 ===> admin portal
https://account.myisp.net:8088 ===> customer portal

Then we can apply a central firewall rule on the servers gateway to allow permitted IPs to the admin portal tcp port.

And possibly even have the two on different subdomain as well.

peter · December 27, 2018, 1:50pm

The simplest solution is to use the same configuration and prohibit access to /admin for customers

Follow these steps:

Admin portal
In the file /etc/nginx/sites-enabled/splynx-ssl change

listen 443;

to

listen 8085;

Customers portal

Copy /etc/nginx/sites-available/splynx-ssl to /etc/nginx/sites-available/splynx-ssl-portal and make symbolic link in /etc/nginx/sites-enabled/

bash# cp /etc/nginx/sites-available/splynx-ssl /etc/nginx/sites-available/splynx-ssl-portal
bash# cd /etc/nginx/sites-enabled/
bash# ln -s /etc/nginx/sites-available/splynx-ssl-portal

In the file /etc/nginx/sites-enabled/splynx-ssl-portal change

listen 8085;

to

listen 8088;

Add these lines after include sites-available/splynx-*.addons;

location /admin/ {
deny all;
}

Restart nginx service

bash# systemctl restart nginx

theafricanpenguin · January 2, 2019, 3:34am

Thanks Peter

I have adapted your solution to my environment.
Now I need to find a means to disable nginx Forbidden 403 message when unauthorized resource is accessed.
I just want the request to be silently dropped without showing any page.

cheers

peter · January 29, 2019, 9:05am

You can create custom web page to handle 403 errors. For instance:

<html>
<body>
my error page
</body>
</html>

Save this page in /var/www/splynx/web/403.html
Then edit /etc/nginx/sites-enabled/splynx…
Insert this block:

error_page 403 /403.html;
        location = /403.html {
                root /var/www/splynx/web;
                internal;
        }

Restart nginx:

systemctl restart nginx

Reference: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-to-use-custom-error-pages-on-ubuntu-14-04