feat: add nethsupport UI on port 8443 with automatic firewall rules #1565

Closed
stephdl wants to merge 9 commits into main from sdl-1542-nginx-custom-port

Contributor

@stephdl stephdl commented Mar 9, 2026

  • Add support for nethsupport-specific nginx instance on port 8443
  • Automatically activate/deactivate UI when don service starts/stops
  • Configure firewall zone 'don' for tunDON interface
  • Create firewall rule to allow port 8443 from VPN tunnel to LAN
  • Refactor ns-ui script to support multiple custom ports via function
  • Use same SSL certificate and backend API as main UI

When don start is executed:

  • Enables port 8443 for nethsupport UI
  • Creates firewall zone for tunDON interface
  • Creates accept rule for port 8443 from don zone

When don stop is executed:

  • Disables port 8443
  • Removes firewall rules and zone

#1542

@stephdl stephdl marked this pull request as draft March 9, 2026 15:09
@stephdl stephdl force-pushed the sdl-1542-nginx-custom-port branch 2 times, most recently from 1643308 to 12a1e9c Compare March 9, 2026 15:31
stephdl added 7 commits March 9, 2026 17:30
- Add support for nethsupport-specific nginx instance on port 8443
- Automatically activate/deactivate UI when don service starts/stops
- Configure firewall zone 'don' for tunDON interface
- Create firewall rule to allow port 8443 from VPN tunnel to LAN
- Refactor ns-ui script to support multiple custom ports via function
- Use same SSL certificate and backend API as main UI

When don start is executed:
- Enables port 8443 for nethsupport UI
- Creates firewall zone for tunDON interface
- Creates accept rule for port 8443 from don zone

When don stop is executed:
- Disables port 8443
- Removes firewall rules and zone
Since we now call /usr/sbin/ns-ui directly in the don script,
we no longer need the reload_service() function in the init script.
This simplifies the code and avoids an unnecessary layer of indirection.
@stephdl stephdl force-pushed the sdl-1542-nginx-custom-port branch from ee14c4d to 99300f8 Compare March 9, 2026 16:31
@gsanchietti
Member

Thanks for the work on this POC. I’ve reviewed it and while it works in some scenarios, it doesn’t fully solve the problem:

  • the nethsupport user is still reachable from the main UI because it is bound to rpcd
  • a better long-term approach would be to adjust the API server (as we did in NethServer) so that login is only allowed from there

Given that the current implementation is quite complex but still incomplete, I’d prefer to close this PR and postpone the work for now. Edoardo is also exploring a full replacement of current remote support, so it makes sense to revisit this later with a cleaner approach.

We can keep the issue open for future implementation.

@gsanchietti gsanchietti deleted the sdl-1542-nginx-custom-port branch March 26, 2026 15:24