Protecting web interface from outside

Hi

If I want to restore from a client (internet) I must open TCP port 55414, but that is also used for the web interface, so this exposes the server to the internet and it will be attacked continuously.

Since the access would be from dynamic IPs I can’t create a rule in the fw limiting access only from some IPs. How do you suggest to protect the server? Is it safe to open 55414 without limits? I guess no…

No, that would be a very bad idea. But there is also no need to do that - just use Tailscale or ZeroTier. Tailscale is easier to set up IMO so I suggest you start there. It will give you something like a mesh VPN with automagic NAT traversal.

UrBackup Server in internet mode works like a charm over both Tailscale and ZeroTier. I’ve been using it for multiple clients for over a year now and haven’t had any issues. What’s more, you can set up UrBackup server with multiple IP addresses (LAN + VPN) and use it in mixed environments, i.e. some clients are always in the office and others move around.

It’s not really a big deal to open & forward the ports the server actually uses to listen on. If it gets bad traffic it should discard it; if it’s not running, your OS will just return connection refused type responses.

Heck, game consoles open ports to the outside world, any packets just go where they’re sent, the specific internal IP, it’s not like they can sneak anywhere they’re not routed to.

@Bearded_Blunder are you saying that opening up a server with all your (and other clients’) precious data on it to the whole public internet is not a big deal? You are talking about destination, but I would be more worried about the source.

On the other hand, I just realized that OP may be asking about a one-off situation, in which case he probably can get away with it. I was thinking about a generic solution when you set it up for production use.

One can put e.g. Apache in front. For the web interface see e.g. the admin manual (FastCGI). For the Internet clients see e.g. “Connect clients with a HTTPS CONNECT web proxy” (UrBackup Developer Blog). 2.5.x makes it easier with websockets.

Once Apache is in front it can be protected by e.g. basic authentication or putting it into an unusual path.

Thanks, I’ll take a look at that since ZeroTier and similar are just VPNs and they will reduce performance.

I guess 2.5.x is still in beta, any ETA to production release?