Create specific authentication page for admins on a different port for added security on a wan situation. #38609

Closed
astrometrics opened this issue Jun 2, 2023 · 5 comments
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), enhancement, feature: authentication, security

Comments

@astrometrics
Is your feature request related to a problem? Please describe.

Admins can log on on wan... that's a bit problematic.

Describe the solution you'd like

Separation of login pages from normal users and admins. Admins would log on to a different port, which could be better managed by firewalls, increasing security greatly I think. This solution may have an appeal to organizations or anyone really focused on security.
That should be easy as an admin config or config.php admin port setting. If admin_port is omitted then same port as normal user is used.

@astrometrics astrometrics added 0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement labels Jun 2, 2023
@joshtrichards
Member

You may be able to accomplish at least the restricting of where admins can log in from via Nextcloud’s File Access Control app:

https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html
https://github.com/nextcloud/files_accesscontrol

Keep in mind that what you're requesting would just prevent the logins, but the attack surface (the application itself) would still be there either way. It'd be one thing if we were talking about locking down some sort of out-of-band admin interface/tool, but that's not the case (and in that case it wouldn't be an issue because it would inherently be a different resource that could be restricted however you like firewall-wise/VPN-wise/etc).

But we're talking about a single application. All SaaS platforms already have to deal with this issue these days. It's generally about:

  • Password policies [NC supported]
  • MFA [NC supported]
  • Possibly source IP address restrictions for admins (which is what may be achievable with the link I provided above, but I've not personally used it in that way)

(Not an official response of any sort - just some morning coffee thoughts)
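
The source IP restriction for admins mentioned in the comment above, sketched as an added Python example (not Nextcloud code and not part of the thread); the address ranges, proxy address and function names are assumptions. It only gates admin sessions by origin, so the application itself stays reachable, as the comment notes.

```python
import ipaddress

# Constructed sample policy; all addresses are assumptions, not from the issue.
ADMIN_RANGES = ["192.168.10.0/24", "fd00:10::/64"]   # where admins may log in from
TRUSTED_PROXIES = ["10.0.0.2/32"]                    # our own reverse proxy

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _norm(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def _in(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

def client_ip(peer, xff=None):
    """Return the client address, honouring X-Forwarded-For only when the
    TCP peer is one of our proxies. Returns None on a malformed header."""
    ip = _norm(peer)
    proxies = _nets(TRUSTED_PROXIES)
    if not xff or not _in(ip, proxies):
        return ip  # header from an untrusted peer is ignored
    # Walk right to left: the first hop that is not our proxy is the client.
    for hop in reversed(xff.split(",")):
        try:
            ip = _norm(hop)
        except ValueError:
            return None  # fail closed
        if not _in(ip, proxies):
            return ip
    return ip

def admin_allowed(is_admin, peer, xff=None):
    """Regular users are unaffected; admin sessions need an allowed source."""
    if not is_admin:
        return True
    ip = client_ip(peer, xff)
    return ip is not None and _in(ip, _nets(ADMIN_RANGES))
```
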

@astrometrics
Author

astrometrics commented Jun 3, 2023

@joshtrichards, thanks for your answer.

The File Access Control app doesn't seem to do more than file access control inside NC but I suspect that with some tinkering some Admin based control can be achieved... That's good but what I'm proposing is a way to improve security in conjunction with firewalls etc (out of NC); the result of that is a reduction of the surface of attack which is someone by any means to have gotten the password and even TOTP seed by some other means than a net attack. That way a type of attack that has huge impact couldn't really happen because the admin page just won't be available and typically a service would have one admin, which can then be IP locked, port locked or just LAN by the firewall. The other mentioned hardenings like MFA, Security Key, IP restrictions can be applied to unprivileged users too and the firewall could geo restrict or use IP ranges from the internet provider etc (thinking about people visiting clients). But I think a different port is more useful to be managed by firewalls (not by NC). But I understand the general problem of attack surface and if there's some basic unsuspected flaw, all that rigor may be in vain... as always.

Thanks again.

@joshtrichards
Member

Potentially related and/or a duplicate of #29294

@joshtrichards
Member

Possibly of interest: #46473

@joshtrichards
Member

Fixed in #46473
Documented in nextcloud/documentation#12059
