Restrict access to web management UI?

    fogcloud, Jul 24, 2024, 6:57 PM

    Is it possible to configure the firewall on a FOG server to restrict access only to the web management UI? Will this mess up the PXE boot process? I read on the FOG wiki about HTTPS and it mentions that PXE boot also uses HTTP/HTTPS. There is also an old page that talks about security and ports on the FOG wiki, but the examples only show allowing all traffic on ports 80 and 443.

    The main purpose for this would be to reduce the attack surface of the FOG server.

      JJ Fullmer (Testers) @fogcloud, Jul 25, 2024, 7:36 PM

      @fogcloud PXE boot has to get to the boot.php file. It does this over port 80, or 443 if you have HTTPS enforced. When you enforce HTTPS, iPXE is compiled with the FOG CA and the certificate generated by said CA as trusted certs within your local version of iPXE.
      I’m not quite sure what you mean by restricting access only to the web UI. Do you mean close all other ports? Because that will likely break TFTP and NFS, as they use other ports, and imaging and PXE boot will be broken. iPXE itself will be fine if you’ve booted to it outside of native PXE boot, where the iPXE boot file (i.e. ipxe.efi or snponly.efi) is downloaded via TFTP. iPXE then downloads the boot.php file from the FOG web server and boots to it to get to the FOG PXE menu.

      Have you tried the FogApi PowerShell module? It's pretty cool IMHO
      https://github.com/darksidemilk/FogApi
      https://fogapi.readthedocs.io/en/latest/
      https://www.powershellgallery.com/packages/FogApi
      https://forums.fogproject.org/topic/12026/powershell-api-module

        fogcloud @JJ Fullmer, Jul 25, 2024, 9:22 PM (last edited by fogcloud Jul 25, 2024, 3:23 PM)

        @JJ-Fullmer I’ll try to give an example. Let’s say I have a network with a computer lab, my computer, and the FOG server. I want the FOG server to be able to image the computer lab, but the computer lab computers should not be able to access the FOG web UI. Even if they don’t have any credentials, you don’t want unauthorized people attempting to brute force the login or attempting to exploit security vulnerabilities in the web UI.

        Thus, I was hoping that I could configure the firewall on the FOG server to limit access to the web UI to only my computer while still allowing it to image the lab computers.

          Tom Elliott @fogcloud, Jul 26, 2024, 10:37 AM (last edited by Tom Elliott Jul 26, 2024, 4:45 AM)

          @fogcloud FOG is a web based system. The same points that a machine needs to get to for imaging, PXE boot, etc… hit the same “place” as going to the FOG UI. You could block it (not with a firewall, mind you) by editing your FOG's base.php.

          While not a perfect system, you could potentially change it by adding to the end of the file:

          // Prefer the socket's source address; the two header fallbacks are
          // supplied by the client and can be forged unless a trusted proxy sets them.
          $ip = $_SERVER['REMOTE_ADDR'] ?? (
              $_SERVER['HTTP_CLIENT_IP'] ?? (
                  $_SERVER['HTTP_X_FORWARDED_FOR'] ?? false
              )
          );
          // If the IP is found and ip is not your machine and we have a useragent string - from browser usually - don't allow access.
          if (!($ip === false) && $ip != '<your system IP here>' && FOGCore::$useragent) {
              die();
          }

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            fogcloud @Tom Elliott, Jul 26, 2024, 5:34 PM
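As an added example (not Tom's snippet and not FOG project code), the same base.php idea with a small allowlist of addresses or CIDR ranges (values constructed here), REMOTE_ADDR as the only trusted source address, and a 403 response instead of a blank die(); the FOGCore::$useragent condition is the one from the snippet above, and the two helper function names are assumptions of mine.

```php
// Appended to the end of base.php, as in the snippet above (no opening
// <?php tag is needed there). Only REMOTE_ADDR is trusted: HTTP_CLIENT_IP
// and X-Forwarded-For are client-supplied headers and can be forged unless a
// reverse proxy you control rewrites them.

// Constructed allowlist (example addresses): the admin workstation and/or a
// management subnet in CIDR form.
$fogAdminSources = ['192.0.2.10', '192.0.2.0/24'];

// True if IPv4 address $ip equals $entry or falls inside the CIDR $entry.
function fogIpMatches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;                       // malformed input never matches
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// True if $ip matches any allowlist entry.
function fogSourceAllowed(string $ip, array $allowed): bool
{
    foreach ($allowed as $entry) {
        if (fogIpMatches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

$ip = $_SERVER['REMOTE_ADDR'] ?? false;
// Same trigger as the snippet above: a request carrying a user agent (a
// browser, usually) from outside the allowlist is refused with a proper 403
// rather than a blank die(). iPXE fetching boot.php, TFTP and NFS are not
// affected by this check.
if ($ip !== false && FOGCore::$useragent && !fogSourceAllowed($ip, $fogAdminSources)) {
    http_response_code(403);
    exit('Forbidden');
}
```

Watching the Apache error log and the 403 entries in the access log after adding this shows whether any imaging or FOG client traffic is being caught by the user-agent condition and needs an allowlist entry.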

            @Tom-Elliott Thank you for the response. That answers the question. I’ll consider the proposed workaround. I’m going to look into other options, such as keeping FOG on an isolated network, and the practicality of those options.

            Copyright © 2012-2024 FOG Project