Is there any option for blocking Web UI access over public IP?
There’s no options in Pritunl to control access to the web console based on IP address. This should be done with a firewall.
1 Like
Thx. So, logically speaking, I should disable port 443 for my public IP on my firewall, right?
Some features require the web server including connection single sign-on, device authentication, dynamic firewall and WireGuard. If these are not used port 80 and 443 can be blocked.
Hello. I also considered this issue and ended up deploying nginx in front of pritunl. Below is an example configuration.
server {
listen 80;
server_name pritunl.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name pritunl.example.com;
ssl_certificate /etc/letsencrypt/live/pritunl.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pritunl.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
user profile (public)
location ^~ /key/ { proxy_pass https://127.0.0.1:8443; include proxy_headers.conf; }
location ^~ /k/ { proxy_pass https://127.0.0.1:8443; include proxy_headers.conf; }
location ^~ /ku/ { proxy_pass https://127.0.0.1:8443; include proxy_headers.conf; }
location ^~ /key_pin/ { proxy_pass https://127.0.0.1:8443; include proxy_headers.conf; }
fonts (needed by user profile)
location ~* .(woff|woff2|ttf|eot)$ {
proxy_pass https://127.0.0.1:8443;
include proxy_headers.conf;
}
location / {
allow YOU_homeOrWork_IP;
deny all;
proxy_pass https://127.0.0.1:8443;
proxy_ssl_verify off;
include proxy_headers.conf;
}
}
could also protect the pritunl web ui with cloudflare if domain is associated with it and block ip outside your country !
Thanks, I also did the same. Works fine to me!