Replies: 9 comments 4 replies
-
|
The problem is that once SSL is set up, the dashboard is reachable via the domain on 443 and not just port 8000 anymore. And there's no built-in way in Coolify to restrict that to certain IPs. Also make sure /data/coolify/proxy/traefik.yaml has the file provider configured: Anyone not on the list gets a 403. If your office IP is dynamic you'll need to update that automatically somehow, or go the VPN route instead. |
Beta Was this translation helpful? Give feedback.
-
|
Thans @panic-Patrick for suggestion. I've creaded file (coolify.yaml has After reloading proxy, I see this file in Dynamic Configuration page (so I assume it's loaded), but blocking (0.0.0.0 should not allow anything?) does not work:
|
Beta Was this translation helpful? Give feedback.
-
|
So in principle, Coolify could always use that middleware with I mean, since Coolify generates .yaml file, it could add in that middleware dynamically too, right? |
Beta Was this translation helpful? Give feedback.
-
|
Your I would debug it from Traefik's dynamic config view/API rather than from the YAML file alone:
The important distinction is: loading a middleware is not enough; the active router must reference it. For the test config, I would also avoid http:
middlewares:
dashboard-ip-allowlist:
ipAllowList:
sourceRange:
- "203.0.113.42/32"Then attach it to the exact active routers shown by Traefik, for example only if those are really the generated router names: http:
routers:
coolify-https:
middlewares:
- dashboard-ip-allowlist
coolify-http:
middlewares:
- dashboard-ip-allowlistIf there is another proxy/CDN in front of Coolify, the client IP seen by Traefik may be the proxy IP, not your office IP. In that case you need to configure forwarded headers / IP strategy correctly, otherwise the allowlist will be checking the wrong address. For production, I would still prefer VPN or an upstream firewall rule if possible. A Traefik middleware can work, but Coolify may regenerate its proxy config, so any manual router-level change should be treated as something to re-check after upgrades/restarts. If this solves it, please mark this comment as the answer so other people can find it faster. |
Beta Was this translation helpful? Give feedback.
-
|
I've tried your example with custom router using |
Beta Was this translation helpful? Give feedback.
-
|
The 419 is a Laravel "Page Expired" / CSRF mismatch, and it's almost certainly because the new router with Host() and priority: 2000 is also catching the WebSocket traffic that Coolify normally routes through its realtime-ws and terminal-ws routers. Livewire (which Coolify uses) needs those WebSocket connections to keep CSRF/session state consistent, and when they get routed through the generic coolify service instead, login submissions break. Downside: the WebSocket endpoints stay unprotected by the IP allowlist. In practice not a huge deal because those endpoints require an authenticated session anyway, but worth being aware of. Higher priority than the main restricted router so the path matching wins. |
Beta Was this translation helpful? Give feedback.
-
|
It's just too complicated, I should just create Feature Request issue. Firewall would work if we have Dashboard accessible only via some specific port, but it also should be TLS. |
Beta Was this translation helpful? Give feedback.
-
|
Creaded #10332 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @yudin-s @panic-Patrick for your detailed input! |
Beta Was this translation helpful? Give feedback.

Uh oh!
There was an error while loading. Please reload this page.
-
At the beginning, I had the impression that Dashboard is only accessible via 8000 port.
But once SSL works, Dashboard is also accessible via domain, like
https://coolify.example.com.If Dashboard would be accessible ONLY via 8000, I could configure iptables (latest Docker has nftables experimental support with much cleaner setup) to allow 8000 port ONLY for specific IP addresses. But it's not TLS...
So now our Dashoard is accessible for anyone, and we don't have failed login logs of sorts to ban password attempts, for example...
So, is there simple way to have Dashboard accessible via HTTPS (not HTTP 8000), but only from limited IP addresses (actually one is enough - our office)?
Thanks.
Beta Was this translation helpful? Give feedback.
All reactions