
I have a VM instance running in the cloud.

I would like to allow requests to one endpoint in the application running there from all sources, while blocking all requests to another endpoint if they are not from a specific IP.

e.g. domain.com/endpoint should be accessible by all IPs - domain.com should be accessible from one IP.

Currently I am blocking all requests to domain.com if you are not from a specific IP using the firewall feature.

Unfortunately I do not know much about this subject, so I am having trouble even searching for what I need, since I don't know the right terms, or what the Google Cloud product would be called. I looked briefly at Endpoints, but it seems that is for APIs, so I don't think that is what I need.

Does anyone know what product i need to use?

EDIT:
I am running AdGuard Home, using Docker. It is already serving DNS over TLS, and I wish to serve DNS over HTTPS too.
Both the domain.com request and the domain.com/endpoint request are served by the same image. The issue is that both the UI and DoH are served on the same port, and it is not possible for me to configure which port the UI uses, at least from inside the menus. It does not seem wise to me to expose a login interface to the entire internet.
It would not be a problem for me to add other Docker containers to handle this. But I would prefer that it stayed a Google Cloud configuration issue. Cloudflare is also an option for me. It is already configured for other parts of my domain.

  • You use the functionality provided by your web server software. (Commented Sep 19, 2020 at 16:20)
  • Thank you for your comment @MichaelHampton. Is there no other way? As I am running my service in Docker, I would prefer to keep the configuration in the cloud console, like I am doing now with my firewall rules. (Commented Sep 20, 2020 at 7:14)
  • Are example.com and example.com/endpoint going to the same container or are they two separate containers? Please provide more details about your setup (frontend, backend) for better troubleshooting. (Commented Sep 21, 2020 at 11:51)
  • @Wojtek_B - I have updated my question. Please have another look when you have the time. (Commented Sep 23, 2020 at 3:15)
  • I'm trying to understand what your actual setup is; correct me if I'm wrong: you're running some web application and AdGuard in the same Docker image? And they are both using the same port? AdGuard by default uses port 3000... (Commented Sep 23, 2020 at 12:00)

1 Answer

I deployed the mentioned container and was able to set up private DNS.

At the first setup prompt you're asked for the administrator interface, so you can either change it to localhost (but then you need to access this instance from inside the network, which is very cumbersome and complicated) or make it available on all interfaces but change the port from 80 to something else (it's just unencrypted HTTP). I haven't found a feature allowing you to serve the admin panel over HTTPS, unless I missed something.

If you set up the admin panel at some other port, then you can easily create a firewall rule allowing incoming connections from just one IP (or a range of IPs).

---------- UPDATE ---------

To block requests for /admin you can use Cloud Armor based on a URL and/or IP. You can block all the traffic going to the admin panel with the exception of one IP (or a range of IPs).

  • My apologies, I have been busy. If you configure the DNS to serve DoH and DoT, you will be installing a certificate, which will enable the UI on port 443, with no way to change it. At the same time, the DoH will also be served on port 443, but at the /dns-query endpoint, while the DoT will be served at 853. I am currently just using DoT on my LAN and in my devices' wifi settings. But I would also like to use DoH in Firefox and other places that support that. (Commented Oct 3, 2020 at 10:02)
  • I've updated my answer to include the solution for you. (Commented Oct 5, 2020 at 12:53)
  • As far as I can see, this does not allow differentiating requests based on port; at least there is no mention of doing it in the documentation. I need to allow access to these based on IP: domain.com:80, domain.com:443, while at the same time allowing access for all on domain.com:443/dns-query and domain.com:853. (Commented Oct 13, 2020 at 5:06)
  • @Morten Toudahl - Were you able to resolve your issue? (Commented Mar 8, 2021 at 9:29)
  • Unfortunately not. (Commented Mar 9, 2021 at 18:36)
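A concrete form of the Cloud Armor approach from the update above, as an added example that is not part of the answer or of AdGuard Home: one allow rule lets any source reach /dns-query while every other path (the UI) is reachable only from a single admin IP, and the default rule denies the rest. The policy name, backend service name and admin IP are placeholder assumptions, and the VM is assumed to sit behind an external HTTP(S) load balancer, because Cloud Armor attaches to a backend service, not to a bare VM.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or AdGuard Home.
# Creates a Cloud Armor policy: /dns-query is public, all other paths
# (the AdGuard Home UI on the same port) only from ADMIN_IP.
# Assumptions (placeholders, replace with your own values):
#   POLICY   - name of the security policy to create
#   BACKEND  - backend service of the external HTTP(S) load balancer
#   ADMIN_IP - the one source allowed to reach the UI (RFC 5737 example)
set -eu

POLICY="${POLICY:-adguard-ui-restrict}"
BACKEND="${BACKEND:-adguard-backend}"
ADMIN_IP="${ADMIN_IP:-203.0.113.5/32}"
PUBLIC_PATH="${PUBLIC_PATH:-/dns-query}"

# Cloud Armor rule expression (CEL): match the public path from anywhere,
# or any path when the request comes from the admin IP range.
allow_expression() {
    printf "request.path.matches('^%s') || inIpRange(origin.ip, '%s')" \
        "$1" "$2"
}

create_policy() {
    gcloud compute security-policies create "$POLICY" \
        --description="public $PUBLIC_PATH, UI only from admin IP"

    # Priority 1000 is evaluated before the default rule (2147483647).
    gcloud compute security-policies rules create 1000 \
        --security-policy="$POLICY" \
        --expression="$(allow_expression "$PUBLIC_PATH" "$ADMIN_IP")" \
        --action=allow \
        --description="DoH endpoint for all, everything for admin source"

    # Nothing else matched: the UI is denied to the rest of the internet.
    gcloud compute security-policies rules update 2147483647 \
        --security-policy="$POLICY" \
        --action=deny-403

    # Attach the policy to the load balancer backend that fronts the VM.
    gcloud compute backend-services update "$BACKEND" \
        --security-policy="$POLICY" --global
}

# Only change the project when explicitly asked: `sh armor.sh apply`.
if [ "${1:-}" = "apply" ]; then
    create_policy
fi
```

DoT on port 853 is not HTTP and never passes through the HTTP(S) load balancer, so that port stays governed by the VPC firewall rules already in use; only the 443 traffic needs the path-aware policy.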
