
Please accept the PR for making registration endpoint configurable #345

Open
saudiqbal opened this issue Sep 20, 2023 · 7 comments · May be fixed by #363

Comments

@saudiqbal

Please accept #109 into acme-dns, which accomplishes my request (#263) to allow whitelisted domains only.

Bots are attacking online services and abusing them all the time. It would be nice to have this function added to acme-dns. It is not a big change to the code, but it helps those who want to limit the registration of domains.

@thde commented Oct 6, 2023

You don't need to publicly expose the API. You could use basic auth or IP lists to only allow certain IPs to connect to the API.

@saudiqbal (Author)

The problem with basic auth is that it uses MD5, which is outdated, and there is no rate limiting with basic auth. It would be nice to have a private registration endpoint.

@m00nwtchr commented May 14, 2024

There are numerous other ways to keep the endpoint secure (which require 0 code changes to this project). You can put acme-dns on the same server as your Let's Encrypt client (e.g. traefik and acme-dns in 2 containers in Docker), such that you don't need it to be exposed anywhere, or you can use a reverse proxy/firewall/etc. to whitelist IPs. (Not to mention VPNs and so on.)
tl;dr: unauthorized people probably shouldn't be able to access this endpoint anyway.

@lachesis

There's nothing wrong with using MD5 in the context of basic auth. If you use a long, random password, none of the documented weaknesses of MD5 will impact you. Additionally, it's easy enough to add rate limiting for basic auth (or indeed the entire service) in nginx.

maddes-b added a commit to maddes-b/acme-dns that referenced this issue Sep 21, 2024
Also replace non-breakable spaces with normal ones
Closes joohoi#109
Closes joohoi#345
Closes joohoi#295
@Daniel15 (Contributor)

This is security through obscurity, which isn't really a security measure. You'd be better off completely blocking the register endpoint from public access and just curling to localhost whenever you want to register a new account.

For rate limiting, just configure it in your reverse proxy.

@saudiqbal (Author)

> This is security through obscurity, which isn't really a security measure. You'd be better off completely blocking the register endpoint from public access and just curling to localhost whenever you want to register a new account.
>
> For rate limiting, just configure it in your reverse proxy.

Security through obscurity is a security measure by adding an extra layer of security by combining existing protection.

@webprofusion-chrisc (Contributor)

@saudiqbal if you don't want someone using the endpoint then block them or require authentication. Renaming it breaks existing clients for no good reason.

If you really want it to be called something else, proxy the endpoints through your own API (you can achieve that using Caddy or nginx with reverse proxy rules, or it's simple to do using any scripted web server in Python or Node).
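The approach several commenters describe (keep the registration endpoint off the public internet or behind auth at the reverse proxy, and rate-limit there) as an added nginx example; this is not acme-dns project code. It assumes acme-dns listens on 127.0.0.1:8080 and exposes its API at /register and /update; the hostname, CIDR, and file paths are placeholders.

```nginx
# Added example, not part of acme-dns. Assumes acme-dns on 127.0.0.1:8080
# with API paths /register and /update (verify against your version).

# One rate-limit zone keyed by client IP for the whole API.
limit_req_zone $binary_remote_addr zone=acmedns:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name auth.example.com;                        # placeholder

    ssl_certificate     /etc/ssl/acme-dns/fullchain.pem; # placeholder
    ssl_certificate_key /etc/ssl/acme-dns/privkey.pem;   # placeholder

    # Registration: only from an internal range AND with basic auth,
    # rate-limited like everything else. To follow the "deny it entirely and
    # curl localhost" variant from the thread, replace the allow/auth lines
    # with a single "deny all;".
    location = /register {
        allow 10.0.0.0/8;                                # placeholder CIDR
        deny  all;
        auth_basic           "acme-dns registration";
        auth_basic_user_file /etc/nginx/acme-dns.htpasswd;  # long random pw
        limit_req zone=acmedns burst=5 nodelay;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Update must stay reachable by ACME clients, but is rate-limited.
    location = /update {
        limit_req zone=acmedns burst=10 nodelay;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Nothing else is exposed.
    location / {
        return 404;
    }
}
```

With the allowlist in place, a request to /register from outside 10.0.0.0/8 is refused before basic auth is even evaluated, and excess requests from any single IP get HTTP 503 from the limit_req zone.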

6 participants