secret URL for Dashboard

Open YBS-PC opened this issue 5 months ago • 10 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to request a feature or enhancement and not ask a question

The problem

AdGuard Home opens its login page for anyone who opens a VPS IP.

Proposed solution

Is it possible, for security reasons, to add a setting so that the dashboard opens only using a secret URL that can be specified in the settings (config file)? For example, specify the secret URL "/adguardhomesecreturl/" in the settings, and then the login page and dashboard will be available only at "https://myvpsurl.com/adguardhomesecreturl/#". And at the address "https://myvpsurl.com" there will be nothing.

Alternatives considered and additional information

No response

YBS-PC avatar Jan 24 '24 15:01 YBS-PC

Why not use a reverse proxy like Nginx, Cloudflare Access, or firewall IP restrictions to secure your AdGuard Home dashboard?

David-Stephenson avatar Jan 25 '24 04:01 David-Stephenson

And if you specify IP 127.0.0.1 in the HTTP address, the system stops responding to DNS requests via DoH.

And I haven't found a way to get it to work without the Dashboard

YBS-PC avatar Jan 25 '24 08:01 YBS-PC

#6041

duckxx avatar Jan 31 '24 19:01 duckxx

#6041

It would be good if there was nginx or Caddy. But just for the sake of this, it is not logical to study nginx and put it on a server that is used for other purposes and whose processor is sometimes 95% loaded.

YBS-PC avatar Jan 31 '24 20:01 YBS-PC

I'm upvoting this feature request. AdGuardHome should be able to change the login/dashboard URL by setting some value in YAML, so that one can let AdGuardHome serve on a public server with encryption easily without having to go into a complex setup of AdGuardHome. I'm currently using this Caddyfile for Caddy (caddyserver) to get around this limitation, so the login/dashboard page is allowed only from some private/LAN IP:

DOMAIN, http://10.0.0.1 {
        encode gzip zstd
        tls EMAIL
        @internal {
                remote_ip 10.0.0.0/8
        }

        handle @internal {
                reverse_proxy http://127.0.0.1:3030 {
                        header_up Host {upstream_hostport}
                }
        }

        handle /dns-query {
                reverse_proxy http://127.0.0.1:3030 {
                        header_up Host {upstream_hostport}
                }
        }

        handle /resolve {
                reverse_proxy http://127.0.0.1:3030 {
                        header_up Host {upstream_hostport}
                }
        }

        handle {
                respond 204
        }
}

Raviu56 avatar Feb 10 '24 22:02 Raviu56
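
The access policy that the Caddyfile above expresses, written out as a small Go gate in front of a reverse proxy. This is an added example, not part of the original comment and not AdGuard Home's code; the function names and the `:8080` listen address are assumptions, while the `10.0.0.0/8` range, the two public paths, the 204 response and the `127.0.0.1:3030` upstream come from the Caddyfile.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Range and public paths copied from the Caddyfile above.
var (
	_, internalNet, _ = net.ParseCIDR("10.0.0.0/8")
	publicPaths       = map[string]bool{"/dns-query": true, "/resolve": true}
)

// permit (hypothetical name) decides whether a request may reach the upstream.
// remoteAddr must be the TCP peer address (http.Request.RemoteAddr), never a
// client-supplied header such as X-Forwarded-For, which any caller can set.
func permit(remoteAddr, path string) bool {
	if publicPaths[path] { // exact match only, like `handle /dns-query`
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false // fail closed on an unparsable peer address
	}
	ip := net.ParseIP(host)
	return ip != nil && internalNet.Contains(ip)
}

// gate answers 204 with no body for anything permit rejects, so an outside
// visitor never sees the login page.
func gate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !permit(r.RemoteAddr, r.URL.Path) {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	upstream, err := url.Parse("http://127.0.0.1:3030")
	if err != nil {
		log.Fatal(err)
	}
	// ":8080" is an assumed listen address for this sketch.
	log.Fatal(http.ListenAndServe(":8080", gate(httputil.NewSingleHostReverseProxy(upstream))))
}
```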

Using a different port for the dashboard might be a safer option as it would be harder to bypass if correctly configured

zero77 avatar Feb 11 '24 13:02 zero77

Using a different port for the dashboard might be a safer option as it would be harder to bypass if correctly configured

Yes, and it would be great if "dashboard allowed IPs" were added to the config so that it drops any connections from non-allowed IPs.

Raviu56 avatar Feb 11 '24 13:02 Raviu56

You can already control which IP can access a port with iptables on Linux. That way you can restrict what connects to port 3000 and allow everything to 443. But the dashboard and DNS over HTTPS would need to be on separate ports.

zero77 avatar Feb 11 '24 14:02 zero77

But, the dashboard and dns over https would need to be on separate ports

Is this possible when using encryption (DoH)? AGH uses the same port for the panel as for DoH.

YBS-PC avatar Feb 12 '24 12:02 YBS-PC

But, the dashboard and dns over https would need to be on separate ports

Is this possible when using encryption (DoH)? AGH uses the same port for the panel as for DoH.

I think there is no technical issue with this; any service can listen on multiple ports and serve different services using the same TLS certificates without a problem. So on the dashboard port only dashboard stuff is served, while DoH is still served on port 443, or some other one if so configured.

Raviu56 avatar Feb 12 '24 16:02 Raviu56

For example, this option is available in some projects from MHSanaei.

YBS-PC avatar Mar 04 '24 15:03 YBS-PC