[Feature Request] Allow/Deny ACL on admin interface #1159
Comments
Thanks for the request. I would say that using a firewall for this would be much better since it will prevent access to the service completely. Doing this at the web server level means that an adversary will be able to connect to the web server and make queries which would return something like a 403 page. The other issue I can think of is getting accidentally locked out of the DNS admin panel due to incorrect ACL config. With a firewall, you could fix it easily but the DNS server is configurable only via the admin panel and losing access will become an issue.
The accidentally locked out part is easily solved. Always allow access to it via 127.0.0.1 and then the API can be used to recover it on a bad configuration. But you're probably right. A local firewall rule is probably the best way, assuming you don't lock yourself out with that.
Such a thing always ends up with support emails since a large number of people will find it difficult to use the API by themselves. This same set of users would be prone to do such a misconfig too.
In case of locking out due to firewall, there is always an option to take console access of the server and fix the config.
Hi Shreyas,
It would be nice to be able to put an allow/deny ACL on the admin interface to limit exposure. I could do that on the OS level firewall, but it would probably be cleaner to be able to do it in the web interface.
Thanks.
micush