Feature Request - Restrict Admin Page #459
Comments
I have my Rdio instances behind a reverse proxy, and restrict access to
/admin there to just my home IP addresses. I would agree though that
there are improvements that could be made, 2FA token support, failed login
alerting/lockouts, etc.
Yeah I'm trying to keep this a pretty small scale operation running on an old laptop and not using up too much power. I'm now considering moving to a Linux setup with Trunk Recorder feeding Rdio, simpler setup than what I am doing now with SDRTrunk, Unitrunker, Trunking Recorder, and Rdio. So using iptables to filter the admin URL and disabling hardware acceleration may be an option there, I don't need huge network performance (though it will increase energy consumption)... The old laptop is on a totally isolated VLAN and has nothing else on it, more just a concern with someone messing with something or potentially installing malware and infecting users etc. I'm just generally security conscious. I suppose I could look into a lightweight reverse proxy to put directly on the laptop itself.
While a restriction in rdio-scanner still seems like a good idea, I think I've found a good solution. Using Cloudflare's free plan, you get access to their web firewall and can block anything matching /admin that way. Then since you're using their proxy service anyway, you can add firewall rules to your router and/or server to block access from everything except Cloudflare's proxy IP ranges. Going through Cloudflare also gives free SSL that renews automatically (can even use them for SSL offloading and do standard HTTP to your server, since admin is blocked and username/pass will never be sent) and a bunch of other stuff. They also offer dynamic DNS, though you either need to use a script or use DNS-O-Matic (I'll be doing the latter since my router supports them). Haven't seen any routers or updater clients (other than DNS-O-Matic) that support updating Cloudflare directly. I think with the combination of above a reverse proxy isn't even needed, though I may still use haproxy as a second line of defense and to get the flexibility it offers, i.e. if I want rdio-scanner to sit under something other than just the root domain like domain.com/scanner. Haven't decided on that part yet.
I see this has been mentioned in the discussions - but a way to restrict access to the admin page using an IP filter list or even a way to disable it completely (enabling only when needed via the command line) or have it on a different port would give ways to block it from the internet.
It can be done using an iptables keyword filter (for those running it on Linux, or that have a Linux-based router); however, in both cases, it only works reliably if hardware flow acceleration is disabled, which significantly impacts performance.
Obviously a strong password is there, but preference would be to not be exposed at all, just in case of a vulnerability that allows the password to be bypassed, and/or just reducing people attempting dictionary attacks.
Thanks for the great program! For public use it is a far simpler interface than Trunking Recorder (though I am using that to feed Unitrunker into rdio-scanner).
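
One way the IP filter list requested above could look, written as Go HTTP middleware that could equally sit in a small front-end proxy on the same host. This is an added example, not rdio-scanner's own code: `restrictAdmin`, `peerAllowed`, `demo` and `statusFor` are hypothetical names, and the addresses are constructed documentation ranges.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"path"
	"strings"
)

// restrictAdmin answers 403 for /admin and anything beneath it unless the TCP peer is in an allowed prefix.
func restrictAdmin(allowed []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := strings.ToLower(path.Clean("/" + r.URL.Path)) // normalise before matching
		if (p == "/admin" || strings.HasPrefix(p, "/admin/")) && !peerAllowed(allowed, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// peerAllowed checks the socket peer only; X-Forwarded-For is ignored because a client can set it.
func peerAllowed(allowed []netip.Prefix, remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false // fail closed on an unparsable peer
	}
	for _, pfx := range allowed {
		if pfx.Contains(ap.Addr().Unmap()) { // Unmap: treat IPv4-mapped IPv6 as IPv4
			return true
		}
	}
	return false
}

// demo is a stand-in app behind a constructed allowlist (192.0.2.0/24 is a documentation range).
var demo = restrictAdmin([]netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")},
	http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "scanner") }))

func statusFor(h http.Handler, remoteAddr, target string) int { // replay one request in-process
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(demo, "192.0.2.10:5000", "/admin"), statusFor(demo, "203.0.113.9:5000", "/admin")) }
```

When the service sits behind Cloudflare or another reverse proxy, the socket peer is the proxy itself, so an allowlist like this has to be enforced at the proxy or keyed on a forwarded-address header that only the trusted proxy can set.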