Erugo is a powerful self-hosted file-sharing platform that gives you complete control over your data. One important aspect of this control is managing who can access your Erugo instance. This guide explains how to implement geographical restrictions using Caddy as a reverse proxy, allowing you to:
- Restrict access to the Erugo upload interface to specific countries
- Allow file downloads from share links globally
Why Implement Geographical Restrictions?
There are several reasons you might want to limit access to your Erugo instance by geography:
- Security: Limiting administrative access to countries where your team operates
- Compliance: Meeting data protection or regulatory requirements
- Resource management: Reducing server load from regions you don't serve
Prerequisites
- A running Erugo instance
- Caddy server installed
- MaxMind GeoLite2 database (for geographical IP detection)
- Basic understanding of reverse proxies
Implementation with Caddy
Caddy makes implementing geographical restrictions straightforward. The example below shows how to:
- Allow the Erugo upload interface to be accessed only from Portugal
- Allow share download links to be accessed globally
Example Caddyfile
{
# Various Caddy configurations (dynamic DNS, ACME, etc.)
}
example.com {
# Logging configuration
route {
# Security measures (CrowdSec, etc.)
# Define an allowpt matcher that only allows traffic from Portugal
@allowpt {
maxmind_geolocation {
db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
allow_countries PT
}
}
# Main application access (restricted to Portugal)
handle / {
reverse_proxy @allowpt 192.168.1.16:9998
}
# Assets necessary for the application
handle /build* {
reverse_proxy 192.168.1.16:9998
}
# API endpoints (globally accessible)
handle /api* {
reverse_proxy 192.168.1.16:9998
}
# Share links (globally accessible)
handle /shares* {
reverse_proxy 192.168.1.16:9998
}
# Logo endpoint (globally accessible)
handle /get-logo* {
reverse_proxy 192.168.1.16:9998
}
}
}
How This Configuration Works
- Root Path Restriction: The
handle /directive uses the@allowptmatcher to only allow access to the main application (upload interface) from Portugal. - Global Share Access: The
/shares*path does not use the country matcher, allowing anyone worldwide to access share links. - API Access: The
/api*endpoints are accessible globally, which is necessary for share functionality to work properly. - Essential Assets: Paths like
/build*and/get-logo*are accessible globally to ensure proper functioning of the share interface.
Customising for Your Needs
Changing Allowed Countries
To allow access from different countries, modify the allow_countries line with the appropriate ISO 3166 country codes. For example, to allow access from Portugal and Spain:
allow_countries PT ES
Allowing Multiple Regions
For more complex scenarios, you can create multiple matchers:
@allowEurope {
maxmind_geolocation {
db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
allow_countries PT ES FR DE IT GB
}
}
@allowInternal {
remote_ip 192.168.0.0/16 10.0.0.0/8
}
handle / {
reverse_proxy @allowEurope @allowInternal 192.168.1.16:9998
}
Security Considerations
- Database Updates: Regularly update your MaxMind GeoLite2 database to ensure accurate IP geolocation.
- VPN Awareness: Users with VPNs can bypass geographical restrictions.
- Reverse Proxy Hardening: Ensure your Caddy server is properly secured and updated.
Conclusion
Implementing geographical access controls for Erugo provides an additional layer of security while maintaining the platform's core functionality. This approach allows you to restrict administrative access to trusted regions while ensuring shared files remain accessible to intended recipients regardless of location.
Remember that geographical restrictions should be part of a broader security strategy, not your only line of defence. Always implement strong authentication, secure configurations, and regular updates to your Erugo instance.