Securely hosting admin panels

Hey, I just want to ask, how are admin panels hosted in production? I have no real company experience because I am too young (sadly 😦 ). Let's take for example admin tools like grafana (or even prometheus), portainer, custom admin websites, how developers access them once they are on prod? I've read quite a bit about techniques to do that, but I'm left confused. SSH tunneling doesn't sound good considering I'd want to host dev k8s (docker compose) locally and SSH would bind local ports. Domains don't sound cool neither - everyone could know what tools we host if it was grafana.example.com etc. VPNs - I don't know what's bad about them, but people seem to not enjoy them (I think because one credential would leak entire host). Also what if I'd want to access prod database? Or that's a bad idea and I shouldn't expose database in any scenario? Oh and I'm not using AWS, GCP or any of the clouds, rather on-premise VPS server 🙂 I've asked same question on official Go server, but after some talking they redirected me here.
24 Replies
Erisa
Erisa4mo ago
Cloudflare Tunnels plus Cloudflare Access, or a VPN setup like Cloudflare WARP or third-party like Tailscale. For domains, I would just give them generic names like monitoring.example.com if you don't want the world to know what services are in use.
Also what if I'd want to access prod database? Or that's a bad idea and I shouldn't expose database in any scenario?
I don't think it's always bad to want to access the prod database, especially at small company size, but I'd be wary exposing it to the internet without appropriate security and ensure only relevant people can get to it.
Londek
LondekOP4mo ago
I've heard about Zero Trust which after some digging seems to be Cloudflare Tunnels, I enjoy the all-in-one solution for secure accessing private networks and I will be for sure looking into it! About database part; If I was going to actually deploy real big prod application, yes I'd create accounts based on least privilege principle and require SSL
Erisa
Erisa4mo ago
I've heard about Zero Trust which after some digging seems to be Cloudflare Tunnels
To better clarify, Cloudflare Tunnels is one piece of the wider Zero Trust suite which includes Tunnels, Gateway, Access, WARP and more
Londek
LondekOP4mo ago
Sorry If I sound in any way rude, but do companies really just expose databases to the internet?
Erisa
Erisa4mo ago
Not usually without strict identity verification through a system like Cloudflare Access or hiding it inside a VPN network using e.g, WARP
Londek
LondekOP4mo ago
Okay, thanks, If I have any more questions in future I will for sure ask them here. Thanks for professional support And quick response times ^
For domains, I would just give them generic names like monitoring.example.com if you don't want the world to know what services are in use.
What if I don't want world to know servers in use (thru for example A records), but also I don't want to give developers struggle of managing/memorizing few ipv4's if not ipv6's, rather let them access servers thru some aliased hostnames (eu-prod-1, us-dev-2 etc) via idk internal dns? Or that's not even valid problem in real world
Erisa
Erisa4mo ago
internal dns is indeed what youd do there but realistically it doesnt rly matter there are huge companies (such as Cloudflare, Discord, and I believe even Twitter) that have publicly resolvable hostnames for internal services and theyre fine
Londek
LondekOP4mo ago
oh hell yeah
No description
Londek
LondekOP4mo ago
7k subdomains Then I guess it won't be an issue or off-standards practice I've also stumbled upon one article from Cloudflare about how they used to access their db thru public bastion
Erisa
Erisa4mo ago
yeah
Erisa
Erisa4mo ago
Cloudflare Docs
SSH | Cloudflare Zero Trust docs
The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.
Londek
LondekOP4mo ago
Yep, I'm in process of deciphering it and making it "scallable" if more machines joined zero trust Trying to figure out most optimal way *Perfectionism *
Erisa
Erisa4mo ago
if you like reading, they have some very lengthy architecture deep dives you can follow: https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/
Cloudflare Docs
Building zero trust architecture into your startup | Cloudflare Ref...
Most of Cloudflare’s documentation (and, generally, documentation by most vendors in the space) is written with the assumption that adopting Zero Trust products will require shifting away from something. In scenarios in which nothing is built, or there is no tool that fulfills the goals which your team is trying to accomplish, this can sometimes...
Erisa
Erisa4mo ago
that page is very big
Londek
LondekOP4mo ago
Thanks, haven't found it yet I will give it a read for sure!
Londek
LondekOP4mo ago
Sorry to bother you, but I've decided to use Github as idp, I have created new organization and added "Github Organization" policy in device enrollment rules however this policy fails for unknown reason. Do you know by any chance what could've gone wrong?
No description
No description
Erisa
Erisa4mo ago
You need to give Cloudflare Access permission to access org information when signing in with it shows as "Organization access" on the github authorisation page
Londek
LondekOP4mo ago
whooops, sorry for that Ive authenticated previously with same account before I realized I need org And it just kept reusing the oauth without org access Or something, not quite sure, once clicked no window appeared
Erisa
Erisa4mo ago
go to https://github.com/settings/applications find it on the list, click it and then you can change the settings or remove and readd
Londek
LondekOP4mo ago
yeah thanks ❤️ Is xyz.internal.example.com possible to achieve with Local Domain Fallback? I'm not even sure if that's correct way of doing what I have in mind, maybe reserved tlds such as .local are better suited? Currently dig results in SERVFAIL "; EDE: 22 (No Reachable Authority): (Upstream request timed out)" which I find weird because once I'm off zero trust vpn and I try to query private dns it works just fine - but it defeats purpose of zero trust
Luka
Luka4mo ago
I'm actually struggling with the same. I want to deploy my apps using docker compose on private servers that have cloudflare tunnel running. The tunnel allows me to SSH in without evening knowing the IP address. I think this is the most amazing part because no one can DDoS if they don't know it. The problem, however, is how do I expose several services such as web server, database from those docker compose projects. I recall reading that running a separate cloudflare tunnel service thus adding to multiple services on the same physical server is a bad service. Binding ports to host is bad, I really don't want to do that. Creating some shared docker network and then system of labels that I could route to using CF tunnel feels the most reasonable approach. I would absolutely love to hear what the community is doing. I'm not an enterprise but neither a lazy guy to trade security for fastness.
Londek
LondekOP4mo ago
What I ended up doing is: - Adding cloudflared to docker compose - Setting up private dns server (and adding it to local domain faillback) - Setting up dns like grafana.internal.example.com - Add private network via cloudflare tunnel (10.0.0.0/16) - Remember to remove 10.0.0.0/8 from split tunnels exclude ^ - Routing grafana.internal.example.com with reverse proxy to local service this way once i connect with warp I can simply access https://grafana.internal.example.com from web browser but I dont really enjoy the solution since if service is non-http such as db I can still access it thru private ip (10.0.0.1:5432) In my head I imagined rather grafana.internal.example.com actually resolving to actual service in docker compose and not the server host Right now grafana.internal.example.com:5432 connects me with db which I dont want, it works with server ports and not individual services
Londek
LondekOP4mo ago
This post describes exactly what I want to achieve https://gtzsec.medium.com/accessing-kubernetes-services-using-cloudflare-zero-trust-cb594435da22 But docker compose is just...
Medium
Accessing kubernetes services using cloudflare zero trust
In this tutorial I want to show you how secure access to services running inside a kubernetes cluster, this is useful for Dev teams…
Londek
LondekOP4mo ago
also http://any-subdomain-resolved-to-that-server.internal.example.com:3000 grants access to grafana service (service, not reverse proxy) via server bound port which was never intended to be a thing in first place I'm not an enterprise but neither a lazy guy to trade security for fastness. - This is very accurate description of me too, I just want to do stuff correctly, like it'd be done in big tech
Want results from more Discord servers?
Add your server