feat(haproxy): Admin-UI auf eigenem Port :3443 (mailgateway-Pattern)

* HAProxy neues Frontend mgmt_https :3443 → api_backend (Mgmt-UI). Selbe TLS-Cert-Strecke wie :443 (gleicher /etc/edgeguard/tls/-Pool). * :443 verliert default_backend → unbekannte Hosts kriegen 503, nicht mehr versehentlich die Admin-UI. Plus default-Route auf primary_backend pro Domain (catch-all-Routing dort, wo gewollt). * Anti-Lockout in nft-Template um tcp dport 3443 erweitert (zusätzlich zu 22 + 443). * SystemRulesCard zeigt 3443 als 3. Anti-Lockout-Eintrag. Erreichbarkeit: * Public Backends: https://<domain>:443 (mit eigenem Cert oder LE) * Admin-UI: https://<host>:3443 (jeder Hostname, default_backend) * SSH: :22 (rate-limited 10/min) Version 1.0.13. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 21:37:53 +02:00
parent fd294a273e
commit 0d51b26170
9 changed files with 28 additions and 10 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-1.0.12
+1.0.13
--- a/cmd/edgeguard-api/main.go
+++ b/cmd/edgeguard-api/main.go
@@ -39,7 +39,7 @@ import (
 	wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )

-var version = "1.0.12"
+var version = "1.0.13"

 func main() {
 	addr := os.Getenv("EDGEGUARD_API_ADDR")
--- a/cmd/edgeguard-ctl/main.go
+++ b/cmd/edgeguard-ctl/main.go
@@ -9,7 +9,7 @@ import (
 	"os"
 )

-var version = "1.0.12"
+var version = "1.0.13"

 const usage = `edgeguard-ctl — EdgeGuard CLI

--- a/cmd/edgeguard-scheduler/main.go
+++ b/cmd/edgeguard-scheduler/main.go
@@ -5,7 +5,7 @@ import (
 	"time"
 )

-var version = "1.0.12"
+var version = "1.0.13"

 func main() {
 	log.Printf("edgeguard-scheduler %s starting", version)
--- a/internal/firewall/ruleset.nft.tpl
+++ b/internal/firewall/ruleset.nft.tpl
@@ -28,7 +28,8 @@ table inet edgeguard {
        # Operator versehentlich „drop alles" baut, bleibt SSH + Admin-UI
        # erreichbar.
        tcp dport 22   ct state new limit rate 10/minute accept comment "anti-lockout: SSH (rate-limited)"
-        tcp dport 443 accept comment "anti-lockout: Management-UI (HAProxy/HTTPS)"
+        tcp dport 443  accept comment "anti-lockout: HAProxy public HTTPS"
+        tcp dport 3443 accept comment "anti-lockout: Management-UI (HAProxy admin HTTPS)"

        # Stateful baseline
        ct state established,related accept
--- a/internal/haproxy/haproxy.cfg.tpl
+++ b/internal/haproxy/haproxy.cfg.tpl
@@ -36,10 +36,15 @@ frontend public_http

    use_backend api_backend if is_acme

-# ── Public :443 ────────────────────────────────────────────────────────
+# ── Public :443 (Customer-Backends only) ──────────────────────────────
 # TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
 # seeds a self-signed _default.pem so HAProxy starts before certbot
 # has issued anything.
+#
+# WICHTIG: kein default_backend → unbekannte Hosts kriegen 503. Die
+# Management-UI sitzt bewusst auf :3443 (siehe mgmt_https unten),
+# damit ein versehentlich offengelassenes Wildcard-DNS nie auf das
+# Admin-Panel fällt. mailgateway/enconf-Pattern.
 frontend public_https
    bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1

@@ -49,8 +54,19 @@ frontend public_https
    {{- range $r := $d.Routes}}
    use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
    {{- end}}
+    {{- if $d.PrimaryBackendID}}
+    use_backend eg_backend_{{$d.PrimaryBackendID}} if { hdr(host) -i {{$d.Name}} }
+    {{- end}}
    {{- end}}

+# ── Mgmt :3443 (Admin-UI only) ────────────────────────────────────────
+# Eigener Port für die Management-UI — gleicher Cert-Pool, aber kein
+# Customer-Routing. Anti-Lockout-Regel im nft-Template lässt 3443
+# immer durch. Erreichbar über jede Domain die auf die Box zeigt
+# (Hostname egal — default_backend), inkl. der direkten IP.
+frontend mgmt_https
+    bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
+    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend api_backend

 # ── Internal stats ─────────────────────────────────────────────────────
--- a/management-ui/package.json
+++ b/management-ui/package.json
@@ -1,7 +1,7 @@
 {
  "name": "edgeguard-management-ui",
  "private": true,
-  "version": "1.0.12",
+  "version": "1.0.13",
  "type": "module",
  "scripts": {
    "dev": "vite",
--- a/management-ui/src/components/Layout/Sidebar.tsx
+++ b/management-ui/src/components/Layout/Sidebar.tsx
@@ -70,7 +70,7 @@ const NAV: NavSection[] = [
  },
 ]

-const VERSION = '1.0.12'
+const VERSION = '1.0.13'

 export default function Sidebar({ isOpen, onClose }: SidebarProps) {
  const { t } = useTranslation()
--- a/management-ui/src/pages/Firewall/SystemRules.tsx
+++ b/management-ui/src/pages/Firewall/SystemRules.tsx
@@ -20,7 +20,8 @@ interface SystemRule {

 const ROWS: SystemRule[] = [
  { key: 'a1', chain: 'input', match: 'tcp dport 22 (rate-limit 10/min)',           action: 'accept', note: 'anti-lockout: SSH' },
-  { key: 'a2', chain: 'input', match: 'tcp dport 443',                               action: 'accept', note: 'anti-lockout: Management-UI' },
+  { key: 'a2', chain: 'input', match: 'tcp dport 443',                               action: 'accept', note: 'anti-lockout: HAProxy public HTTPS' },
+  { key: 'a3', chain: 'input', match: 'tcp dport 3443',                              action: 'accept', note: 'anti-lockout: Management-UI (admin HTTPS)' },
  { key: 'b1', chain: 'input', match: 'ct state established,related',                action: 'accept', note: 'stateful baseline' },
  { key: 'b2', chain: 'input', match: 'ct state invalid',                            action: 'drop',   note: 'stateful baseline' },
  { key: 'b3', chain: 'input', match: 'iif lo',                                      action: 'accept', note: 'loopback' },
@@ -1 +1 @@
 .0.12
 .0.13