restricting access to appwrite | Appwrite | Page 1

full tulip Jul 21, 2023, 2:01 PM

#

I want to restrict access to appwrite to certain IPs. If I do that for https in iptables, it doesn't work because a user can still connect via http. I can't restrict access to http the same way because that would interfere with the LetsEncrypt mechanism obtaining new certificates periodically because that depends on the LetsEncrypt client having access to the server via http. But can I disable traefik's access to port 80 in the docker compose file? Will that prevent LetsEncrypt from working too?

vernal wing Jul 21, 2023, 4:12 PM

#

You want to block all Appwrite APIs endpoints by IP?

The best solution to something like this would be to use SSL-DNS like Cloudflare, set all the Firewall settings with Cloudflare WAF.

Then you can keep your Server IP port 80 open as no one would know your server IP.

#

Make sure to set Cloudflare protection as full

#

full tulip Jul 21, 2023, 5:17 PM

#

I already have a server; I'd rather not require a third-party service.

vernal wing Jul 21, 2023, 5:23 PM

#

Cloudflare is not a server, its on the DNS level.

Otherwise you'll need to open that port for let's encrypt, as it must have connection to the 80 port.

You can open it manually every 90 days, it's when let's encrypt will make is challenge. it can be problem to remember,
Also you can change the value of _APP_SYSTEM_SECURITY_EMAIL_ADDRESS to your email so you'll get notifications when certificates about to expire.

full tulip Jul 23, 2023, 3:21 AM

#

OK, with regard to Cloudflare, I want to do the opposite, allow only certain IPs and block all others? Why do I want full which uses a self-signed certificate and Full (strict) if I have Let's Encrypt?

vernal wing Jul 23, 2023, 3:22 AM

#

First, you're correct. I'm the example I've put the wrong one. You can choose to allow only to certain IPs

#

The second reason is due to Appwrite mechanism.

When you choose full then Appwrite will be able to send https request to OAuth2 providers.

#

So if you not planning on ise any OAuth2 services then you cna leave it on flexible

noble heath Jul 23, 2023, 9:47 AM

#

I recommend full(strict) unless it gives you any problem

full tulip Jul 23, 2023, 4:54 PM

#

So how is LetsEncrypt able to contact the server despite the firewall status? Is appwrite giving it the IP directly?

vernal wing Jul 23, 2023, 4:55 PM

#

Yes,

#restricting access to appwrite