Admin console and admin login on different port. #389
-
|
Would it be possible to run the admin console and admin login on a different port? Mainly for security; at least on AWS I could just set a special security group that doesn't allow entering that special port, but would still allow a specific IP to connect to it, or maybe restrict this access to a VPC. As I understand, this would require to run two instances of echo. I think the magic would have to happen in api/base.go but that's as far as my understanding goes. I am not sure how this works with the auto SSL certificates. I think this could be done with an NGINX on front of PB, but that's hardly ideal (as opposed to switching the config on AWS, here I may heve to restart this nginx every time I need the admin console). |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
I'm not really sure that I understand the use case for this. Technically you can run the api server and the Admin UI on a different port, but I dont's see any security benefit in doing that.
Why accessing the admin would require restarting NGINX in the first place? NGINX (or any other reverse proxy) is a viable option when you need finer network controls. Could you elaborate a little more on your use case? |
Beta Was this translation helpful? Give feedback.
-
|
@floydnunez If you want to allow access to the admin login endpoint only to specific IP(s), then you could attach ALB to your instance and define a rule for the Another alternative could be also to use CloudFront and again restrict the access to the |
Beta Was this translation helpful? Give feedback.
-
|
I will look into the later before I re-open this question.
Wait, how? I must have missed that in the documentation. My use case is: I am reimplementing a (small) forum with pocketbase as backend, as a framework; most of my endpoints are custom and I disabled all the api entries. But in practice I've seen that bots try to login all the time to any login form I leave in the web. Now, I know to use a secure password but I cannot discard a security hole letting people in anyway. Which is why I'd rather not expose the admin login / token api cause that'd give access to everything, instead of just an user token which just would give access to what I already allow as an user. |
Beta Was this translation helpful? Give feedback.
-
|
@floydnunez Nothing is preventing you to create your own But I don't recommend this approach. If you want to restrict access to the admin login endpoint my recommendation is to use NGINX (or any other reverse proxy). Alternatively, you can also register a middleware and check the request ip or any other parameter inside it: package main
import (
"log"
"net/http"
"github.com/labstack/echo/v5"
"github.com/pocketbase/pocketbase"
"github.com/pocketbase/pocketbase/apis"
"github.com/pocketbase/pocketbase/core"
)
func accessCheck(app core.App) echo.MiddlewareFunc {
return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
// do something with the request context and return an error to disable access...
return next(c)
}
}
}
func main() {
app := pocketbase.New()
app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
e.Router.Pre(accessCheck(app))
// serves static files from the provided public dir (if exists)
subFs := echo.MustSubFS(e.Router.Filesystem, "pb_public")
e.Router.GET("/*", apis.StaticDirectoryHandler(subFs, false))
return nil
})
if err := app.Start(); err != nil {
log.Fatal(err)
}
} |
Beta Was this translation helpful? Give feedback.
-
|
ok, that makes a lot of sense, thanks. |
Beta Was this translation helpful? Give feedback.
I'm not really sure that I understand the use case for this. Technically you can run the api server and the Admin UI on a different port, but I dont's see any security benefit in doing that.
Why accessing the admin would require restarting NGINX in the first place? NGINX (or any other reverse proxy) is a viable option when you need finer network controls.
Could you elaborate a little more on your use case?