Restrict access to web management UI?
-
Is it possible to configure the firewall on a FOG server to restrict access only to the web management UI? Will this mess up the PXE boot process? I read on the FOG wiki about HTTPS and it mentions that PXE boot also uses HTTP/HTTPS. There is also an old page that talks about security and ports on the FOG wiki, but the examples only show allowing all traffic on ports 80 and 443.
The main purpose for this would be to reduce the attack surface of the FOG server.
-
@fogcloud PXE boot has to get to the boot.php file. It does this over port 80, or 443 if you have HTTPS enforced. When you enforce HTTPS, iPXE is compiled with the FOG CA and the certificate generated by said CA as trusted certs within your local version of iPXE.
I’m not quite sure what you mean by restricting access only to the web UI. Do you mean close all other ports? Because that will likely break TFTP and NFS, as they use other ports, and imaging and PXE boot will be broken. iPXE itself will be fine if you’ve booted to it outside of native PXE boot, where the iPXE boot file (i.e. ipxe.efi or snponly.efi) is downloaded via TFTP. iPXE then downloads the boot.php file from the FOG web server and boots to it to get to the FOG PXE menu.
-
@JJ-Fullmer I’ll try to give an example. Let’s say I have a network with a computer lab, my computer, and the FOG server. I want the FOG server to be able to image the computer lab, but the computer lab computers should not be able to access the FOG web UI. Even if they don’t have any credentials, you don’t want unauthorized people attempting to brute force the login or attempting to exploit security vulnerabilities in the web UI.
Thus, I was hoping that I could configure the firewall on the FOG server to limit access to the web UI to only my computer while still allowing it to image the lab computers.
-
@fogcloud FOG is a web based system. The same points that a machine needs to get to for imaging, PXE boot, etc… hit the same “place” as going to the FOG UI. You could block it (not with a firewall, mind you) by editing your FOG’s base.php.
While not a perfect system, you could potentially change it by adding to the end of the file:

// Pick up the client address: the real connection address first, then the proxy headers as fallbacks.
$ip = $_SERVER['REMOTE_ADDR']
    ?? ($_SERVER['HTTP_CLIENT_IP']
    ?? ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? false));

// If the IP is found, the IP is not your machine, and we have a user agent string
// (usually set by a browser, not by iPXE or the FOG client), don't allow access.
if (!($ip === false) && $ip != '<your system IP here>' && FOGCore::$useragent) {
    die();
}
-
@Tom-Elliott Thank you for the response. That answers the question. I’ll consider the proposed workaround. I’m going to look into other options, such as keeping FOG on an isolated network, and the practicality of those options.
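A hardened variant of the base.php check from Tom Elliott's post, added here as an illustration and not FOG project code: it trusts only REMOTE_ADDR (HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are ordinary request headers that the client can set to any value unless a trusted reverse proxy overwrites them), accepts a list of admin networks in CIDR form instead of a single IP, and answers browser requests from anywhere else with a 403 while leaving non-browser requests (iPXE, the FOG client) untouched. The network list, the helper name fogIpInNetworks and the IPv4-only matching are assumptions of this example.

```php
<?php
// Added example (not FOG project code). Append to the end of FOG's base.php.
// Management networks allowed to reach the web UI; placeholder values, adjust to your site.
const FOG_ADMIN_NETWORKS = ['10.0.50.0/24', '192.168.1.10/32'];

/**
 * Return true if $ip (IPv4 dotted quad) lies inside any of the $cidrs.
 * Unparseable input is treated as not allowed (fail closed).
 */
function fogIpInNetworks(string $ip, array $cidrs): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $netAddr = ip2long($net);
        $bits = (int) $bits;
        if ($netAddr === false || $bits < 0 || $bits > 32) {
            continue; // skip malformed entries rather than matching everything
        }
        // Mask with $bits leading ones; 0 bits means 0.0.0.0/0 and matches any address
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netAddr & $mask)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is taken from the TCP connection, so the client cannot choose it,
// unlike HTTP_X_FORWARDED_FOR / HTTP_CLIENT_IP, which arrive as request headers.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

// Same heuristic as the original workaround: a browser user agent marks UI traffic;
// iPXE and the FOG client send none, so PXE boot and imaging keep working.
if (FOGCore::$useragent && !fogIpInNetworks($clientIp, FOG_ADMIN_NETWORKS)) {
    http_response_code(403);
    error_log(sprintf('FOG UI access denied for %s', $clientIp)); // lands in the web server error log
    exit('Forbidden');
}
```

Denied attempts show up in the web server error log, which gives you something to alert on; the check still only narrows who can reach the UI and is no substitute for keeping the server on an isolated management network.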