Block access to KeyHelp, phpMyAdmin and Webmail - But allow locally

[shoulders]

At the current time, KeyHelp is running on the same ports as all the other websites so I cannot use a NAT/Firewall to effectively block access to KeyHelp, phpMyAdmin and Webmail.

Things I looked at

• You can block access to admin accounts via: Settings --> Configuration --> Security --> Login & Session --> Access restriction to administrator accounts, However this is limited to admin credentials.
• I looked at Settings --> Configuration --> System --> Web Server --> Global web server directives , this will be a rule that will be included in the virtual host container of each domain. I only want to add restrictions to the KeyHelp primary domain.
• I considered a .htaccess file and would place it in /home/keyhelp/www/ but this will probably get wiped out on a KeyHelp update so i dont want to rely on this one.
  English/Translated: https://community-keyhelp-de.translate. ... wapp#p5704
  Original: viewtopic.php?p=5704&hilit=phpmyadmin+deny#p5704
• I can disable both webmail and phpMyAdmin from the KeyHelp admin but I want them to be available locally.

Any best practice or help here would be really appreciated.

[andromeda]

At the current time, KeyHelp is running on the same ports as all the other websites so I cannot use a NAT/Firewall to effectively block access to KeyHelp, phpMyAdmin and Webmail.

Things I looked at

• I looked at Settings --> Configuration --> System --> Web Server --> Global web server directives , this will be a rule that will be included in the virtual host container of each domain. I only want to add restrictions to the KeyHelp primary domain.

Any best practice or help here would be really appreciated.

I don't think that is actually a problem? From what i have seen in other posts, you run it from home and not a production envoirment? I don't get what you are trying to archive here.

Well... or you build your own script.

[shoulders]

I run it from home and it is a production environment.

[24unix]

I run it from home and it is a production environment.

You have a strange definition of prod environment, unless you have a backup power supply and at least two big upstream connection with different providers.

When its a prod env, I assume you have a business plan, why don't you just buy a /28 and don't stress yourself with NAT?

Regarding the restriction of your sites: You can try to deny access in your pfSense from outside via FQDN instead of IP, but I've never tried it.

[shoulders]

I have the UPS, the second backup machine.... A single fibre connection at the minute but I have not gone live yet and do not need a big internet pipe, that is coming in summer 1GB up/down and then I will have 2 lines. I also am forming an off-site back strategy. I also have the network edge router fully configured for security.

I could deny by using a custom DNSBL list, thanks, might give that a go but need to make sure the user is not added to my blocklist. Damn HTTPS, the blocking has to be done on the web server.

NAT adds an extra layer of security and is easy for me to control unwanted traffic.

[andromeda]

Why from home?

I mean: You could just do colocation

[shoulders]

cost and the nearest data centre is 100miles away. My server room is down the corridor, much easier.