From 889e4b3c8cb6be62906463a3a8d118fb9d93d1c8 Mon Sep 17 00:00:00 2001
From: AlexV
Date: Wed, 4 Jun 2025 18:22:12 +0200
Subject: [PATCH 1/3] [fix] Nginx config location admin/ allowed network list

Unroll the allowed network list in location admin/ as explicited in nginx docs
---
 templates/nginx/site-conf.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/nginx/site-conf.j2 b/templates/nginx/site-conf.j2
index 90581f60..79c0c653 100644
--- a/templates/nginx/site-conf.j2
+++ b/templates/nginx/site-conf.j2
@@ -65,7 +65,9 @@ server {
 {% if openwisp2_admin_allowed_network %}
 location /admin/ {
 try_files {{ openwisp2_path }}/public_html/maintenance.html $uri @uwsgi;
-allow {{ openwisp2_admin_allowed_network }};
+{% for network in openwisp2_admin_allowed_network %}
+allow {{ network }};
+{% endfor %}
 deny all;
 }
 {% endif %}
From 19f4cf64c59e5c76c980c2e7b0fe4f3916f7ec35 Mon Sep 17 00:00:00 2001
From: Alexandre Vincent
Date: Wed, 4 Jun 2025 18:52:58 +0200
Subject: [PATCH 2/3] [fix] Nginx admin location can allow one or more networks

---
 templates/nginx/site-conf.j2 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/templates/nginx/site-conf.j2 b/templates/nginx/site-conf.j2
index 79c0c653..fcc88599 100644
--- a/templates/nginx/site-conf.j2
+++ b/templates/nginx/site-conf.j2
@@ -62,10 +62,13 @@ server {
 proxy_set_header X-Forwarded-Host $server_name;
 }
 
-{% if openwisp2_admin_allowed_network %}
+{% if openwisp2_admin_allowed_network or openwisp2_admin_allowed_networks %}
 location /admin/ {
 try_files {{ openwisp2_path }}/public_html/maintenance.html $uri @uwsgi;
-{% for network in openwisp2_admin_allowed_network %}
+{% if openwisp2_admin_allowed_network %}
+allow {{ openwisp2_admin_allowed_network }};
+{% endif %}
+{% for network in openwisp2_admin_allowed_networks %}
 allow {{ network }};
 {% endfor %}
 deny all;
From a2196a8c90e2ca145e6d8b5e0cc10fcd0ba5cc3e Mon Sep 17 00:00:00 2001
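Review bot: The `{% for network in openwisp2_admin_allowed_network %}` loop added in the /admin/ location iterates a variable that the role defaults to `null` and documents as a single "ip address range", so a plain CIDR string would be iterated character by character and nginx would be handed lines such as `allow 1;`, which it rejects, leaving the site configuration invalid for every inventory that currently sets the singular variable. Commit 2/3 in this series addresses this by introducing a separate `openwisp2_admin_allowed_networks` list, so this intermediate commit is a regression on its own; consider squashing 1/3 into 2/3 so that no revision in the history leaves the template broken. The enclosing `server` block starts and ends outside the hunk.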
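Review bot: `{% for network in openwisp2_admin_allowed_networks %}` and the new `{% if ... or openwisp2_admin_allowed_networks %}` condition reference a variable that has no role default until 3/3 adds one, so rendering this commit alone for an inventory that does not set it would most likely fail on an undefined variable under Ansible's strict undefined handling. Writing the loop as `{% for network in openwisp2_admin_allowed_networks | default([]) %}` (and guarding the condition with `is defined`) keeps the template robust regardless of where the default lives. The singular `openwisp2_admin_allowed_network` branch is evidently kept for backward compatibility but nothing says so; a template comment such as `{# openwisp2_admin_allowed_network is deprecated, use the openwisp2_admin_allowed_networks list #}` above the `{% if %}` would record that. It is worth stating in the same comment that when neither variable is set the whole location block is omitted and /admin/ is reachable from any address, since the `deny all;` only exists inside the conditional. The `location /admin/` block closes outside the hunk.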
From: Alexandre Vincent
Date: Thu, 5 Jun 2025 09:22:49 +0200
Subject: [PATCH 3/3] [fix] Add default for openwisp2_admin_allowed_networks. updated user doc

---
 defaults/main.yml | 1 +
 docs/user/role-variables.rst | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 70f65408..9438e79a 100755
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -64,6 +64,7 @@ openwisp2_nginx_csp: >
 worker-src https://{{ inventory_hostname }}{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %} blob: 'self';" always;
 openwisp2_uwsgi_gid: null
 openwisp2_admin_allowed_network: null
+openwisp2_admin_allowed_networks: []
 openwisp2_install_ntp: true
 openwisp2_sentry:
 dsn: false
diff --git a/docs/user/role-variables.rst b/docs/user/role-variables.rst
index 6792d3ea..715bfc40 100644
--- a/docs/user/role-variables.rst
+++ b/docs/user/role-variables.rst
@@ -194,10 +194,11 @@ take a look at `the default values of these variables
 openwisp2_daphne_processes: 2
 # maximum time to allow a websocket to be connected (in seconds)
 openwisp2_daphne_websocket_timeout: 1800
-# the following setting controls which ip address range
-# is allowed to access the openwisp2 admin web interface
+# the following setting controls which ip address ranges
+# are allowed to access the openwisp2 admin web interface
 # (by default any IP is allowed)
-openwisp2_admin_allowed_network: null
+openwisp2_admin_allowed_networks:
+- "192.168.1.0/24"
 # install ntp client (enabled by default)
 openwisp2_install_ntp: true
 # if you have any custom supervisor service, you can
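Review bot: `openwisp2_admin_allowed_network: null` is retained in defaults/main.yml with no indication that it is superseded, while the same commit removes it from the user documentation, so operators who still set the singular variable have nowhere to learn about the list form. A comment above the retained key, `# deprecated: use openwisp2_admin_allowed_networks (a list of CIDRs) instead`, would record the compatibility path where role consumers look first. The new `[]` default is falsy in the template's condition, which is consistent with the documented "by default any IP is allowed" behaviour, and that consequence (no `deny all` is emitted unless at least one network is listed) is worth a one-line comment next to the default as well.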