Comment by djlameche

Comment by djlameche 6 days ago

8 replies

View on Hacker News

Sorry if this is a noobish question, but would this allow me to access services on a VPS, that I do not want publicly accessible on the internet?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

dizhn 6 days ago

Don't you use Keycloak for SSO? The ports needed for that needs to be accessible so services can talk to it. If there's a dedicated port for management you can still use it with software like pangolin. Run the management service on only a local port and access using this software or wireguad.

I use authentik and as far as I know the management is on the same web port so I have to allow some paths to be accessible to the world.

Reply View 2 replies
  • djlameche 6 days ago

    I'm not using anything YET. I am thinking about hosting a pepper variety database I am developing on a VPS for public use. I want to use Keycloak for authentication and also some other services alongside (eg. a headless CMS for writing some of the content).

    The thing is, I don't have any prior experience with hosting at all. So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

    Reply View 1 reply
    • dizhn 6 days ago

      > So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

      The answer to this is YES. Of course there are a variety of ways to implement. In your case I would start simple with something like wireguard. Keycloak won't be easy to install and configure as a beginner. If your needs are simple, check out https://github.com/lldap/lldap for authentication (and user management).

      Reply View 0 replies
fossorialowen 5 days ago

Good advice in this thread. If its just you then ssh tunnels or tailscale or netbird or pure wireguard are all fine. You could use Pangolin for this and put auth in front of the web page of Keycloak using a local Pangolin site and that would be fine too. It depends on how important the security is to you and who else might want access.

Reply View 0 replies
zakki 6 days ago

I guess you have to use firewall as well. So basically you block any access from internet except VPN service. And you can have rule which IP allowed to access your VPN service.

Reply View 0 replies
TheTxT 6 days ago

Did you already consider using ssh port forwarding? That way you can temporarily forward the local port that keycloak is running on to your machine

Reply View 1 reply
  • djlameche 6 days ago

    I did not consider it yet, I will look into it. I am thinking about hosting a pepper variety databse that I am developing, but I have 0 experience with hosting software, so I am a bit wary about what I will be exposing...

    Reply View 0 replies