ProGet Free Question



  • First-time user of ProGet and testing the Free version to get an idea of use cases at my company. I have a question for the forum: is it possible to limit the webpage access of ProGet? Here's what we're trying to do:
    We want to use ProGet to host packages; however, we don't want the web portal to be available outside of our internal network (i.e., we only want the web portal available internally to our admins only). We want to allow external endpoints to still communicate with API to the server so they can download packages, we just don't want to serve the webpage externally to try to reduce the attack surface.
    Does anyone know if this is possible?
    Thank you!


  • inedo-engineer

    Hi @chris-cantrell_1211 ,

    We do not support nor recommend this type of configuration for a couple reasons.

    First, it doesn't change the attack surface, since the APIs are already the "weakest link". The Web Site uses cryptographically-secured authentication tickets with anti-CSRF protection. The API just requires an API key to access.

    Second, it's confusing to end-users who are trying to troubleshoot why some urls aren't accessible. The API may provide them with a link (for example to a vulnerability in a package), and then it will give some kind of error because the page is blocked. This causes everyone a headache.

    Obviously you can use a lot of tools to block/allow access to URLs, just not using ProGet.

    Cheers,
    Alana



  • Thank you for the information, Alana. I appreciate the details!

