
pingap security, Pingap prevents scanning

Open happytrudy opened this issue 3 months ago • 4 comments

  1. Prevent scanning by certain software that attempts to obtain the configured location path.

  2. Prevent access to the server via IP address, allowing only domain name access.

  3. Block access from IP addresses or domain names in certain regions.

  4. When using a CDN, how to prevent access to the source code? Is it possible to add all CDN addresses?

Of course, the above security features require plugins to block them, but some can actually be achieved by the software itself.

happytrudy, Nov 13 '25 12:11

  1. Preventing location path scanning: This is a great idea, like a WAF (Web Application Firewall) feature. To help me understand the requirement better, could you provide a more specific scenario? For example, are you referring to blocking requests that generate a high number of 404s (like scanners) or blocking specific patterns (like requests for .git/config or wp-admin)?

  2. Preventing access via IP address (Domain-only access): This is already supported by Pingap's core logic. You can achieve this by configuring the host field for all of your location blocks. When a host is specified, Pingap will only route requests that match that exact hostname, and any requests made directly to the server's IP address will fail to match.

  3. Block access from certain regions: This sounds like a request for GeoIP blocking. Does the existing ip-restriction plugin meet your needs? You can use it to block large IP ranges. Or are you suggesting a new, dedicated plugin that would integrate with a GeoIP database (like MaxMind) to block based on country codes (e.g., 'CN', 'RU')?

  4. Protecting the origin server when using a CDN: This is a critical security pattern. I believe you are describing a need to "lock down" your server so it only accepts traffic from your CDN's IP addresses, and blocks all other direct access. Is that the scenario you're thinking of? If so, this is usually solved with an IP allow-list.

vicanso, Nov 13 '25 12:11

  1. To prevent some software from scanning the pingap directory structure and exposing location vulnerabilities, this is simply hardening the server to prevent probing and, more importantly, to prevent server vulnerabilities.

  2. The scenario can be extended to support regular expression matching for hosts, as a server may have multiple domains.

  3. I suggest developing a plugin because this needs to be updated regularly for this country and region, and the update should support cron expressions.

  4. Of course, IP whitelist restrictions are too rigid; ultimately, plugins should support data sources such as IPs. As far as I know, CDNs generally provide APIs to retrieve all IPs.

happytrudy, Nov 13 '25 13:11

Regarding your second point (supporting regex for hosts), I'm happy to say this is already supported. You can use a format like `~(?.+).pingap.io` in the host configuration.

For your other suggestions, I agree they are excellent features. These can be supported in the future in the form of plugins.

vicanso, Nov 14 '25 11:11
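As an added illustration of the two mechanisms discussed above (a `host` rule on each location, either an exact hostname or a `~`-prefixed regex, so that requests sent to the bare IP match no location, plus an allow-list of CDN ranges in front of the origin), here is a small Python model of that gating logic. It is not pingap's own code; the location names, the regex and the network ranges are constructed placeholders.

```python
import ipaddress
import re

# Constructed policy: one exact host and one "~regex" host, in the spirit of
# pingap's host syntax. Names and patterns are placeholders, not real config.
LOCATIONS = {
    "app":  {"host": "app.example.com"},
    "wild": {"host": "~(?P<sub>[a-z0-9-]+)\\.example\\.com"},
}

# Constructed allow-list standing in for a CDN's published ranges
# (documentation/test networks only, not any CDN's real addresses).
CDN_ALLOW = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def host_from_header(value):
    """Normalise a Host header: lower-case, strip port, unwrap IPv6 brackets."""
    value = value.strip().lower()
    if value.startswith("["):            # e.g. "[2001:db8::1]:443"
        return value[1:value.index("]")]
    return value.split(":", 1)[0]


def match_location(host_header):
    """Return the first location whose host rule matches, or None."""
    host = host_from_header(host_header)
    for name, loc in LOCATIONS.items():
        rule = loc["host"]
        if rule.startswith("~"):
            if re.fullmatch(rule[1:], host):
                return name
        elif rule == host:
            return name
    return None                          # bare IP in Host lands here


def admit(client_ip, host_header, cdn_only=True):
    """Decide whether a request is served; returns (decision, detail).

    The allow-list is checked against the TCP peer address, never against a
    client-supplied header such as X-Forwarded-For, which anyone can forge."""
    if cdn_only:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in CDN_ALLOW):
            return ("deny", "client not in CDN allow-list")
    name = match_location(host_header)
    if name is None:
        return ("deny", "no location matches host")
    return ("route", name)
```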

This question has been stale for a week. It will be closed in an additional day if not updated.

github-actions[bot], Nov 22 '25 02:11