Is there a way to hide the WebAdmin page form access from the Internet?

[BobWs]

Is there any way to hide the webadmin page from acces from the internet?

I want the Admin page to be accessible only within my LAN. For the calendars, access from outside is allowed though.

Currently I have Baikal behind a Reverse Proxy, and I see no way to allow only the caldav.mydoemein.com access from the internet and not the Admin page.
I have already tried to add an htacces file in the admin folder /docker/baikal/html/admin with this:

# Confiugration for apache-2.4:
Require all denied
Require ip 127.0.0.1/8 192.168.0.0/24

But it doesn't work, I still have access from the internet.

[ckulka]

Hi @BobWs , which reverse proxy and which image variant (Nginx/Apache httpd) do you use?

[BobWs]

Hi @BobWs , which reverse proxy and which image variant (Nginx/Apache httpd) do you use?

Hi, I'm using the Apache variant

[ckulka]

Hey there, on vacation with basically no internet - your rule looks good and .htaccess files should be used as well - can you try the following three things?

1. Temporarily deny all access from anywhere - that should show you if the rule and .htaccess file is applied
2. Check the Apache logs for the source IP address
3. Which reverse proxy do you use?

If the deny rule works, then I'd think it's because the client's IP address (e.g. someone on the internet) is replaced by the reverse proxy's IP address when it's forwarding the request to Baikal.

If that's the case, then I'd add the IP whitelist to your reverse proxy instead of the Baikal container. This also has the added benefit that the paket is blocked as early as possible and doesn't arrive at Apache httpd where weird misconfigurations or exploits could be used.

You could also configure the reverse proxy to forward the original IP address (afair typically as X-Forwarded-For HTTP header) and tell Apache to filter based on that one, but that's imho just more complicated. I think it'd be easier to do with the Nginx variant, but I'd try the first option first before you make that switch.

[BobWs]

Hey there, on vacation with basically no internet

Thanks for replying back, no worries I hope you had a great vacation 😎
And first all the best wishes for the new year!

So I’m using nginx reverse-proxy in front of Baikal. Baikal is running on Docker on a Synology NAS, which has a built in reverse proxy based on nginx.

[BobWs]

1. Temporarily deny all access from anywhere - that should show you if the rule and .htaccess file is applied

Tried this but didn’t work the Admin page is still accessible from the internet...

[ckulka]

That's interesting, almost sounds like the .htaccess files isn't used at all, but that'd be very surprising given Baikal uses those files themsevles (e.g. https://github.com/sabre-io/Baikal/blob/master/html/.htaccess#L19). Can you do a curl on https://yourserver.de/.well-known/caldav and see if it does a 308 redirect to /dav.php?

If so, then something isn't working with the Require directive, can you post the entire thing?

Also, can you modify the Nginx configuration file that has the proxy_pass directive to the Baikal container?

Adding an IP whitelist to Nginx might overall be simpler (plus you won't run into the issue with overridden client IPs), would be something along the lines of

location /admin {
  allow 127.0.0.1/8;
  allow 192.168.0.0/24;
  deny all;
}

[BobWs]

When I do a curl https://yourserver.de/.well-known/caldav then I get this in terminal:

~$ curl https://dav.mydomain.com/.well-known/caldav
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dav.mydomain.com/dav.php">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at dav.mydomain.com Port 443</address>
</body></html>

Baikal is working fine with the clients on iOS, MacOS and Android. So I guess the well-known is working.

Synology doesn't allow extra entries into the reverse proxy configuration file, all is done by GUI

This is how it looks like:

I'm not sure how to add this to the GUI

location /admin {
  allow 127.0.0.1/8;
  allow 192.168.0.0/24;
  deny all;
}

[BobWs]

I think I solved it!
I'm using NPM as reverse proxy now and there it is possible to
add

location /admin {
  allow 127.0.0.1/8;
  allow 192.168.0.0/24;
  deny all;
}

So now when I go to the admin/page I'm getting a 403 Forbidden page
and caldav.mydomain.com in the ios and android clients just work fine.