
restricting access to appwrite

  • Self Hosted
mauricev
21 Jul, 2023, 14:01

I want to restrict access to appwrite to certain IPs. If I do that for https in iptables, it doesn't work because a user can still connect via http. I can't restrict access to http the same way because that would interfere with the LetsEncrypt mechanism obtaining new certificates periodically because that depends on the LetsEncrypt client having access to the server via http. But can I disable traefik's access to port 80 in the docker compose file? Will that prevent LetsEncrypt from working too?

TL;DR
The user wants to restrict access to Appwrite to certain IPs. They are asking how LetsEncrypt is able to contact the server despite the firewall status. The recommendation is to use full (strict) if not planning on using OAuth2 services and flexible if planning to use OAuth2 services. The user also asks about Cloudflare and wanting to allow only certain IPs while blocking all others. It is mentioned that Cloudflare is on the DNS level and not a server. The suggestion is to use SSL-DNS like Cloudflare and set Firewall settings with Cloudflare WAF. This would keep the server IP port 80 open and protect it. The
Binyamin
21 Jul, 2023, 16:12

You want to block all Appwrite APIs endpoints by IP?

The best solution to something like this would be to use SSL-DNS like Cloudflare, and set all the Firewall settings with Cloudflare WAF.

Then you can keep your Server IP port 80 open as no one would know your server IP.

Binyamin
21 Jul, 2023, 16:13

Make sure to set Cloudflare protection as full

mauricev
21 Jul, 2023, 17:17

I already have a server; I'd rather not require a third-party service.

Binyamin
21 Jul, 2023, 17:23

Cloudflare is not a server, it's on the DNS level.

Otherwise you'll need to open that port for Let's Encrypt, as it must have a connection to port 80.

You can open it manually every 90 days, which is when Let's Encrypt will make its challenge. It can be a problem to remember. Also, you can change the value of _APP_SYSTEM_SECURITY_EMAIL_ADDRESS to your email so you'll get notifications when certificates are about to expire.

mauricev
23 Jul, 2023, 03:21

OK, with regard to Cloudflare, I want to do the opposite: allow only certain IPs and block all others. Why do I want full, which uses a self-signed certificate, and Full (strict) if I have Let's Encrypt?

Binyamin
23 Jul, 2023, 03:22

First, you're correct. In the example I put the wrong one. You can choose to allow only certain IPs.

Binyamin
23 Jul, 2023, 03:23

The second reason is due to Appwrite's mechanism.

When you choose full, then Appwrite will be able to send HTTPS requests to OAuth2 providers.

Binyamin
23 Jul, 2023, 03:23

So if you're not planning on using any OAuth2 services, then you can leave it on flexible.

D5
23 Jul, 2023, 09:47

I recommend full (strict) unless it gives you any problem.

mauricev
23 Jul, 2023, 16:54

So how is Let's Encrypt able to contact the server despite the firewall status? Is Appwrite giving it the IP directly?

Binyamin
23 Jul, 2023, 16:55

Yes,

Binyamin
23 Jul, 2023, 16:55

Because it goes from inside of your server.
