starred/acme-dns
1
0
Fork 0
mirror of https://github.com/acme-dns/acme-dns.git synced 2026-04-27 12:55:48 +03:00
Code Issues 178 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #278] Allowing acme-dns API from limited set of IP addresses #140

New issue
Closed
opened 2026-03-13 15:55:31 +03:00 by kerem · 2 comments
kerem commented 2026-03-13 15:55:31 +03:00
Owner
Copy link

Originally created by @shalak on GitHub (Sep 18, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/278

I'm trying to understand the [api] > ip entry of the configuration file. As far as I understand, this is the only IP address from which I can reach the acme-dns API via the acme-dns-client - is this correct?

My issue is that I'd like to set up a publicly exposed acme-dns server, which will also run the acme-dns-client locally:

  1. the public exposure is for hosts that come with their own acme-dns integration (e.g. proxmox server), so they will provision themselves (they will call acme-dns from static IPs)
  2. the acme-dns-client will produce certs that will be provisioned to hosts that are unable to do it themselves (i.e. printers, etc) by multitude of custom scripts

So basically, for security reasons, I need to limit acme-dns API to allow only those static IPs and the localhost. How can I do it?

Bonus question: I'd like the point no. 1 to be using different domains per each of the hosts, but on point no. 2 - the wildcard. Is this possible (I do not fully understand the issue of limir of 2 TXT records in acme-dns)

Originally created by @shalak on GitHub (Sep 18, 2021). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/278 I'm trying to understand the `[api]` > `ip` entry of the configuration file. As far as I understand, this is the only IP address from which I can reach the acme-dns API via the acme-dns-client - is this correct? My issue is that I'd like to set up a publicly exposed acme-dns server, which will also run the acme-dns-client locally: 1. the public exposure is for hosts that come with their own acme-dns integration (e.g. proxmox server), so they will provision themselves (they will call acme-dns from static IPs) 2. the acme-dns-client will produce certs that will be provisioned to hosts that are unable to do it themselves (i.e. printers, etc) by multitude of custom scripts So basically, for security reasons, I need to limit acme-dns API to allow only those static IPs **and** the localhost. How can I do it? Bonus question: I'd like the point no. 1 to be using different domains per each of the hosts, but on point no. 2 - the wildcard. Is this possible (I do not fully understand the issue of limir of 2 TXT records in acme-dns)
kerem closed this issue 2026-03-13 15:55:36 +03:00
kerem commented 2026-03-13 15:55:42 +03:00
Author
Owner
Copy link

@shalak commented on GitHub (Sep 19, 2021):

Argh... Now I started to realise, that the [api] > ip entry is just a bind for an interface over which the API is exposed. Is my understanding correct?

<!-- gh-comment-id:922399349 --> @shalak commented on GitHub (Sep 19, 2021): Argh... Now I started to realise, that the `[api] > ip` entry is just a bind for an interface over which the API is exposed. Is my understanding correct?
kerem commented 2026-03-13 15:55:47 +03:00
Author
Owner
Copy link

@joohoi commented on GitHub (Jan 25, 2022):

Yes, your understanding is correct. This way you can bind the API to an internal network IP address, there's no requirement for the HTTP api to be accesible from external network.

That said, acme-dns doesn't offer an built-in way to restrict the access to specific source addresses, but this is where your OS firewall configuration comes to help.

Closing this issue now as I feel it has been properly resolved, feel free to comment if there's something else, and we can reopen if needed.

<!-- gh-comment-id:1021665927 --> @joohoi commented on GitHub (Jan 25, 2022): Yes, your understanding is correct. This way you can bind the API to an internal network IP address, there's no requirement for the HTTP api to be accesible from external network. That said, acme-dns doesn't offer an built-in way to restrict the access to specific source addresses, but this is where your OS firewall configuration comes to help. Closing this issue now as I feel it has been properly resolved, feel free to comment if there's something else, and we can reopen if needed.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix_dockerhub
dockerhub
readme2.0
goreleaser_action
refactoring
linter_update_config
update_deps_122
dependabot/go_modules/github.com/valyala/fasthttp-1.34.0
deps_bump
update_goreleaser
update_golint
deps_update
update_dockerfile
v2.0.2
v2.0.1
v2.0
v1.1
v1.0
v0.8
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3.2
v0.3.1
v0.3
v0.2
v0.1
Labels
Clear labels   
Documentation

   
Documentation

   
bug

   
enhancement

   
feature request

   
feature request

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
security

   
security

   
testing
No labels
Documentation
Documentation
bug
enhancement
feature request
feature request
help wanted
pull-request
question
security
security
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/acme-dns#140
No description provided.