Idea: a different installation path for security

[danielrosehill]

Although it's probably not the best idea to host this on the same server you plan on deploying on, for those who want the convenience of that, it might be worth considering installing the dashboard to a different directory to allow users to secure it with Cloudflare Zero Trust etc.

For example, the admin panel might install at:

youurl.com/adminzone

And this way users could create a CF rule adding good authentication here.

[actraiser]

Why not just use a subdomain like coolify.yourserver.com and protect this one with Cloud Flare Zero Trust? That's what I do and it does not require any changes on the Coolify side of things other than adding that domain as Instance's Domain in the settings.

The problem that I did not solve yet is, that the Coolify Admin panel is still reachable via http://Server-IP-Adress:8000 which is of course not good. I suppose this direct access can be somehow blocked within Traefik? Maybe @andrasbacsai can point to a solution here.

Greets
-act

[danielrosehill]

@actraiser

a) That's indeed much smarter.

b) (Why didn't I think of this yesterday!?) I think it actually makes more sense again to put the Coolify "node" (I hate to 'talk' Kubernetes!) and the target VPSes on separate servers altogether.

So simply A records for the workload-running server and others ones for wherever you're putting stuff.

And thanks for the cautionary note about the hooks (haven't used them yet but might do so). Seems like a very tricky one to solve given that I see Cloudflare Access doesn't work at the port level.

The only solution coming to mind is setting up some kind of internal reverse proxy to map the internal (Coolify) webhook onto an externally hosted one (I think it's called a webhook relay). But ... probably a lot of complication just to get that additional feature to work.

[marko-hologram]

@actraiser Regarding access over IP still being available, you just need to set up some sort of firewall to block all traffic except ports:

• 22 (ssh)
• 80 (http)
• 443 (https)

If you for example use Ubuntu, you can do it directly on the VM using ufw package. Or maybe your hosting provider has firewall built into their dashboard. For example I'm using Hetzner and I've set up firewall directly in their dashboard for my particular VM.

This long tutorial by CJ is filled with lots of tips and tricks and setting up Coolify https://youtu.be/taJlPG82Ucw?si=a3QZOkJ-AXLn3DAE&t=1001. This timestamp is the firewall part.

[actraiser]

Thank you @marko-hologram - that's exactly what I needed.

Greets
-act

[actraiser]

One more Caveat i just noticed when using zero-trust. Auto Deploy does not work anymore as Github will not be able to access the hook on the coolify platform. Surely this can be configured somewhere, but I have not looked into that. If anyone did did this in the past, please let me no which approach is the correct one.

Greets
-act