Hardening Admin page without VPN

Hi, currently I have my server URL https://my.domain.com and wss://my.domain.com/socket for internet clients.

But I don't want to expose the UrBackup web UI publicly.

I saw some configurations with firewall rules that allow particular locations/IPs, but that's not what I'm looking for.

This is my caddy configuration currently:

my.domain.com {
    encode {
        zstd # best compression
        gzip
    }
    log {
        output file /var/log/caddy/access_urbackup.log {
            roll_size 750MiB
            roll_keep 10
            roll_keep_for 720h
        }
        format json
    }
    reverse_proxy 192.168.0.130:55414
}

Now I'm wondering which endpoint URLs and methods are needed for internet clients to do the image and file backups.

Is my.domain.com/socket* enough, or does the client still need to do HTTP PUT/POST/GET requests for other functionality of the client itself?

I'm trying to harden the installation, so disable the web UI publicly without firewall source-IP rules, but with the reverse proxy.

It would be a bonus if the admin settings are not public but file restore for clients is available as well.

It needs only /socket. You can hide that by renaming it to something sufficiently random, then forwarding it correctly in the reverse proxy.

Same for the whole web UI. Put it into a random subdir, then put that as URL in the settings for clients to access the web interface. Or add basic auth.

So if I do something like:

your-domain.com {

    # Protect everything with Basic Auth except the /socket endpoint,
    # so clients can still connect. A "not" matcher does the bypass;
    # a second, empty basic_auth block would not remove the first one.
    @protected not path /socket

    basic_auth @protected {
        # Generate your hashed password using 'caddy hash-password'
        username <HASHED_PASSWORD>
    }

    # Reverse proxy everything to UrBackup
    reverse_proxy 127.0.0.1:55414

}

Will WSS keep clients working but protect the rest, such as file restore?

I’d protect the socket with the same basic auth or rename it.

I think wss://username:password@example.com/socket as connect URL should work. Please give a heads up if it does not work.
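The two replies above (rename /socket to something random, put the web UI in a random subdir behind basic auth) written out as an added Caddyfile. This is example config, not from the original thread or the UrBackup project; the random path names, the upstream address and the use of uri strip_prefix for the subdir are assumptions. Clients would then use wss://my.domain.com/s-4f9c2e7a1b3d as their connect URL.

```caddyfile
my.domain.com {
    encode zstd gzip

    # Internet clients: they connect to a random, hard-to-guess path
    # (assumed value) which is rewritten to the /socket path UrBackup
    # expects. Caddy proxies the WebSocket upgrade transparently.
    @client path /s-4f9c2e7a1b3d
    handle @client {
        rewrite * /socket
        reverse_proxy 192.168.0.130:55414
    }

    # Web UI: only reachable under a random subdir (assumed value) and
    # behind basic auth. The prefix is stripped before proxying, which
    # assumes the UI works when served from a subdirectory.
    @ui path /ui-8e1d7c3b5a2f /ui-8e1d7c3b5a2f/*
    handle @ui {
        basic_auth {
            # hash generated with: caddy hash-password
            admin <HASHED_PASSWORD>
        }
        uri strip_prefix /ui-8e1d7c3b5a2f
        reverse_proxy 192.168.0.130:55414
    }

    # Everything else, including the original /socket and /, is not
    # proxied at all, so nothing of UrBackup is reachable by default.
    handle {
        respond 404
    }
}
```

Each handle block is exclusive, so a request for /socket or / gets a 404 rather than reaching UrBackup; if the client accepts credentials in the connect URL as suggested above, the same basic_auth block can also be placed inside the @client handle.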

You can use Cloudflare Zero-Trust tunnels with OTP by email. As an on-prem option I can recommend something like Netbird App Proxy. Some firewalls allow app proxy as well, as do commercial services like MS Entra ID App Proxy. You can also try to integrate something like Nginx + Keycloak, or Caddy/Traefik/OpenResty etc.