Hello,
I’ve been trying to move away from ISPConfig and I’ve deployed HestiaCP on a cloud VPS instance to host a handful of websites for friends and family. I’m trying to lock down everything on the server that involves administrative actions, and to do that I’m using OpenZiti, which is a ZTNA/ZTHA solution to access services. Essentially I install an Edge Tunneler on the VPS and then make the services only accessible to the OpenZiti overlay network. HestiaCP is challenging me a bit here.
- SSH: No problem, bind to 127.0.0.1
- Control Panel: Given the control panel runs on its own port and web server, I can pretty easily change that over by changing the listening IP to 127.0.0.1.
- PMA/PGA: This is causing me trouble, as it’s oddly available from the public websites rather than the administration control panel (you may want to consider rethinking this to ensure administrative context is separate from public context). I’ve tried making it work on the admin site by modifying files and permissions… it was turning into a rabbit hole and I abandoned this. I’m now trying to create a new “client” site whose Apache root directory points to PHP, and I created templates for NGINX/Apache to bind to 127.0.0.1 (so OpenZiti can access it, but not the open internet). However, I cannot apply an SSL certificate via Let’s Encrypt given it’s using HTTP validation. How could I work around this? Is there a way to do DNS validation, or maybe to have NGINX serve just the verification but not the websites?
- Other: Are there other tools to consider?
- SSO Login: Is there an ability to use OIDC/OAuth or SAML to do SSO? My other network services use Authentik, which is a free and powerful IdP you can self-host and works great, and many open source apps are starting to embrace SSO, especially as it removes the burden of verifying identity from development.
Thank you!
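One way to get the "NGINX serves just the verification but not the website" split the post asks about, as an added example that is not part of the original post and not HestiaCP's own template code: a public port-80 server block that answers only the ACME HTTP-01 challenge path and drops everything else, beside the real site bound to 127.0.0.1:443 so it is reachable only through the OpenZiti tunneler. The hostname panel.example.com, the webroot /var/www/acme, the document root /var/www/panel/public and the PHP-FPM socket path are assumptions for illustration; the certificate paths are certbot's default layout for a domain issued with `certbot certonly --webroot -w /var/www/acme -d panel.example.com`.

```nginx
# Added example (not from the original post or from HestiaCP).
# Assumed names: panel.example.com, /var/www/acme, /var/www/panel/public,
# /run/php/php-fpm.sock.

# 1. Public HTTP listener. Let's Encrypt performs HTTP-01 validation over
#    port 80, so this is the only thing exposed to the internet. It serves
#    nothing except /.well-known/acme-challenge/ and closes every other
#    connection without a response (444 is nginx's "drop" status).
server {
    listen 80;
    listen [::]:80;
    server_name panel.example.com;

    # certbot --webroot writes tokens under
    # /var/www/acme/.well-known/acme-challenge/<token>; the root directive
    # maps the request URI onto that path unchanged.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # No redirect to HTTPS here: a redirect would reveal that a site exists
    # and the loopback-only site is not reachable from outside anyway.
    location / {
        return 444;
    }
}

# 2. The actual (PMA/PGA or admin) site: TLS, bound to loopback only.
#    The OpenZiti edge tunneler on the VPS forwards overlay traffic to
#    127.0.0.1:443; nothing on the public interface listens on 443.
server {
    listen 127.0.0.1:443 ssl;
    server_name panel.example.com;

    ssl_certificate     /etc/letsencrypt/live/panel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;

    root /var/www/panel/public;
    index index.php;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Because the poster already maintains custom NGINX/Apache templates, this belongs in that template rather than in a generated config that the panel may overwrite. Renewal keeps working unattended because the challenge listener stays public while the site itself never does. The alternative the post also mentions, DNS-01 validation, avoids the public listener entirely: certbot supports it with a DNS provider plugin, or with `--manual --preferred-challenges dns` plus `--manual-auth-hook` / `--manual-cleanup-hook` scripts that create and remove the `_acme-challenge` TXT record, at the cost of giving the VPS API credentials for the DNS zone.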