[Joplin server] disable login page for security reasons?

Hi there,

I use Joplin Server as a Docker container and I am very satisfied.

To increase security I would like to use fail2ban (which is not so easy to implement, from what I've read?) or other mechanisms for security.

In this process I came across the idea to disable the login page (403 error page).

Would this be possible with simple means?

Thanks in advance for the support!

Any thoughts on this? Or do you have other things implemented to increase security (e.g. TOTP)?

Have a great day everyone

If you are using an nginx reverse proxy you could use the site conf file to restrict the login page to only your local network (in the below example 192.168.0.x) or even a specific single IP address (as long as it is static for the accessing machine!) ...

    location / {
       proxy_redirect off;
       proxy_pass http://127.0.0.1:22300;
    }

    # Only the local network may reach the web login page; any other
    # client address gets a 403 before the request reaches Joplin Server.
    location /login {
       allow 192.168.0.0/24;
       deny all;
       proxy_redirect off;
       proxy_pass http://127.0.0.1:22300/login;
    }

I do not actually use this but it was something I looked into some time back.

Thanks!

Do you yourself use any other security features?

One thing I did do is bind the port mappings in the docker compose file to localhost (the reverse proxy is on the same computer as the Joplin server).

    ...
    ports:
        - "127.0.0.1:5432:5432"
    ...
    ports:
        - "127.0.0.1:22300:22300"
    ...

I did this as I found that even though I had not allowed external access to ports 5432 and 22300 through the server's firewall, docker made the ports available to other machines on the network regardless.

I also used https://ssl-config.mozilla.org/ to help create a reasonable nginx conf file (mainly for the protocols and ciphers) and SSL Server Test (Powered by Qualys SSL Labs) to test my SSL settings, using the report to correct any failings.

I stopped looking at security when I realised that I did not need my Joplin server to be accessible from the Internet and so made it internal only. In fact I do not run anything anymore that is Internet facing; life is a lot easier after making that decision 🙂
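The point made above about Docker publishing ports regardless of the host firewall is easy to check mechanically. The POSIX shell script below is an added example and is not code from this thread or from the Joplin project: it reads a docker-compose file (path assumed to be given as the first argument), extracts the short-syntax `ports:` mappings, and reports every mapping that is not bound to a loopback address. The compose excerpt embedded in `demo()` is a constructed sample, not a real deployment file.

```shell
#!/bin/sh
# Added example, not from the thread or the Joplin project: audit a
# docker-compose file for "ports:" mappings that Docker would publish on
# every interface. Docker adds its own iptables rules when it publishes a
# port, so blocking 5432/22300 in the host firewall does not stop other
# machines on the LAN from reaching them; binding the mapping to
# 127.0.0.1 (as the post above does) is what keeps them local.

# Print the short-syntax port mappings listed under any "ports:" key,
# one per line, with quotes and trailing comments removed.
# (The long "target:/published:" syntax is not parsed here.)
extract_port_mappings() {
    awk -v sq="'" '
        /^[ \t]*$/ { next }                              # skip blank lines
        /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
        inports && /^[ \t]*-[ \t]*/ {
            line = $0
            sub(/^[ \t]*-[ \t]*/, "", line)              # drop the list dash
            sub(/[ \t]*#.*$/, "", line)                  # drop trailing comment
            gsub(/"/, "", line); gsub(sq, "", line)      # drop quotes
            if (line ~ /^[0-9A-Za-z.:\/-]+$/) print line # keep "host:port:port"-style items only
            next
        }
        inports { inports = 0 }                          # a non-item line ends the list
    ' "$1"
}

# Report every mapping that is not bound to a loopback address.
# Exit status 0 = all mappings loopback-only, 1 = at least one is exposed.
audit_compose_ports() {
    file="$1"
    status=0
    for m in $(extract_port_mappings "$file"); do
        spec=${m%%/*}                       # strip a /tcp or /udp suffix
        case "$spec" in
            127.*:*:*|localhost:*:*)        # host:hostport:containerport on loopback: fine
                ;;
            *:*:*)                          # bound to a specific non-loopback address
                echo "EXPOSED $m: bound to ${spec%%:*}, reachable from other hosts"
                status=1 ;;
            *)                              # no host address at all: all interfaces
                echo "EXPOSED $m: no host address, published on all interfaces"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample compose excerpt (not a real deployment file), used when
# the script is run without a file argument.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
services:
  db:
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - ./postgres:/var/lib/postgresql/data
  app:
    ports:
      - "22300:22300"          # exposed: no host address
      - 0.0.0.0:8080:80/tcp    # exposed: explicit wildcard bind
EOF
    audit_compose_ports "$tmp" || true
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then
    audit_compose_ports "$1"
else
    demo
fi
```

Run it as `sh audit-ports.sh docker-compose.yml` (file name assumed) before `docker compose up`; a non-zero exit means at least one mapping would be reachable from other machines even with the host firewall closed. The check deliberately treats a mapping with no host address (`"22300:22300"`) the same as an explicit `0.0.0.0` bind, because Docker publishes both on all interfaces.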

