Defguard services option to listen only on localhost #1639

@fbarbeira

Description

The docs said that a proxy can be put in front of the Defguard server. When I run and configure the core service I get the following:

[ CORE ]~# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1196/nginx: master
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      1196/nginx: master
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      696/defguard
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      762/postgres
tcp        0      0 0.0.0.0:50055           0.0.0.0:*               LISTEN      696/defguard
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
[ CORE ]~#

I have to protect ports 8000 and 50055 on nginx and on the firewall (defense in depth). I know the general recommendation is to put the Defguard core on an internal network, but anyone who has access to that internal net has the ability to reach Defguard.

A nicer and more robust option is to listen only on localhost, like PostgreSQL does for example. With that I would not have to put any rules in the firewall or nginx to protect those ports (they are on localhost), only the nginx ports. An option in the Defguard configuration file for this would be appreciated.
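As an added example (not code from the issue or from the Defguard project): a small POSIX sh audit that parses the layout of `netstat -ntlp` output and reports which LISTEN sockets are bound to a wildcard address (0.0.0.0, :: or *) rather than to loopback, so the exposure described above can be checked mechanically on every host instead of eyeballed. The function names and the embedded sample table are constructed here; the sample mirrors the netstat output quoted in the issue.

```shell
#!/bin/sh
# Added example, not part of the issue or of Defguard. Audits a
# netstat -ntlp style listener table and reports TCP sockets bound to a
# wildcard address (reachable from every interface) as opposed to sockets
# bound only to 127.0.0.1 / ::1.
#
# Constructed sample input, mirroring the table posted in the issue.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1196/nginx: master
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      1196/nginx: master
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      696/defguard
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      762/postgres
tcp        0      0 0.0.0.0:50055           0.0.0.0:*               LISTEN      696/defguard
tcp6       0      0 :::22                   :::*                    LISTEN      1/init'

# exposed_listeners <netstat-text>
# Prints "<port> <pid/program>" for every LISTEN socket whose local address
# is a wildcard. Assumes the netstat -ntlp column layout: proto, recv-q,
# send-q, local address, foreign address, state, pid/program. The port is
# the text after the last ':' so IPv6 wildcards such as ":::22" parse too.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # wildcard forms seen across netstat/ss versions
            if (host == "0.0.0.0" || host == "::" || host == "*" || host == "[::]" || host == "") {
                prog = $7
                for (i = 8; i <= NF; i++) prog = prog " " $i
                print port, prog
            }
        }'
}

# exposed_ports_for <netstat-text> <program-name>
# Lists only the wildcard-bound ports that belong to the named program
# (e.g. "defguard"), one per line, so the result can be compared against
# an allow-list or fed to a firewall rule generator.
exposed_ports_for() {
    exposed_listeners "$1" | awk -v prog="$2" '
        { split($2, p, "/"); if (p[2] == prog) print $1 }'
}

# Stand-alone run: show everything exposed, then just the defguard ports.
exposed_listeners "$SAMPLE_NETSTAT"
exposed_ports_for "$SAMPLE_NETSTAT" defguard
```

On a live host replace the sample with `"$(netstat -ntlp 2>/dev/null)"`; the column positions assume netstat, not `ss`, whose header order differs. Anything the check reports for the core service that is not the reverse proxy's own ports is what still needs a firewall rule until a bind-address option exists.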

Metadata

Labels

feature: New feature or request

Status

Refinement ready

Milestone

No milestone
