Need to hide/disable Passbolt configuration page without compromising functionality

I installed Passbolt on my VPS, where I also have a website:
CentOS 7.9.2009
Nginx 1.20.1
PHP 8.0.27

Everything is working correctly. However, I wanted to find out whether it is possible to hide the Passbolt configuration page from normal users, or to disable it if it is not needed (if it is disabled, the passbolt subdomain no longer works). I don't like the fact that non-admin users can find the configuration page.

Hi @gallo, welcome to the forum!

I’m not sure I know which page you are referring to. Can you post a screenshot?

Sure, here is the configuration screen I was talking about.
It is in the subdomain I created: passbolt.mysite.com/app/passwords

This screenshot is the password page, not a configuration page. Or maybe I missed something?

Indeed @gallo , this is the page where your passwords, and the ones shared by others with you, are displayed.

No other users, not even admins, have access to your passwords.

When accessing this page, the other users in turn will see only their own passwords, and the ones shared with them.

Does this make sense to you?

Yes, I am aware that no one can have access to my passwords. I was just wondering if it was possible to hide this portal. I am attaching the image that maybe makes the concept clearer.

I mean, since I also have a website on the same VPS, everyone can access the Passbolt login page. I wanted to try to hide it or disable it, for example by returning a 404. In the Caddy configuration, when I disable the subdomain used to access the login (passbolt.mysite.com/auth/), passbolt no longer works and the browser extension and mobile app return an error.

error

@gallo If you are only wanting access for yourself and are running NGINX you could add this to the NGINX server block:

allow your.ip.add.ress;
deny all;

Another option would be to add something like this in any location block for which you wish to prevent access (php, etc):

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

The .htpasswd file would contain one line per user in the format {user}:{password hash}, created with apache2-utils as explained here: Restricting Access with HTTP Basic Authentication | NGINX Plus

1 Like
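The two options above, put together in one server block, as an added example that is not part of the thread and not Passbolt's own shipped NGINX config. The hostname, trusted addresses, webroot and PHP-FPM socket are assumed placeholders; the FastCGI section is simplified to what is needed for the access-control part to make sense. The comments also record the caveat raised later in the thread: the browser extension and the mobile app talk to this same vhost, so whatever blocks a stranger's browser blocks them too unless their source address is allowed.

```nginx
# Added example: restrict the Passbolt vhost. Values marked ASSUMED are
# placeholders to adapt; nothing here comes from the Passbolt project itself.
server {
    listen 443 ssl http2;
    server_name passbolt.mysite.com;          # ASSUMED hostname, as in the thread

    root  /var/www/passbolt/webroot;          # ASSUMED Passbolt webroot
    index index.php;

    # --- Option 1: IP allowlist only ------------------------------------
    # Anything not listed gets refused. The extension and the mobile app
    # are clients of this vhost as well, so a phone on mobile data that is
    # not in this list fails with the "server response could not be parsed"
    # error shown in the thread.
    allow 203.0.113.10;        # ASSUMED home/office address
    allow 198.51.100.0/24;     # ASSUMED office network
    deny  all;

    # nginx answers a denied request with 403. The thread asked for a 404 so
    # the host looks absent to outsiders; remap the status (the file
    # /404.html is expected under the root above).
    error_page 403 =404 /404.html;

    # --- Option 2: combine with Basic auth ------------------------------
    # With "satisfy any" a request passes if EITHER the address is allowed
    # OR valid credentials are sent; the default "satisfy all" would demand
    # both. Remove the error_page line above if you use this, because the
    # browser only prompts for credentials on a real 401 challenge.
    #
    # satisfy any;
    # auth_basic           "Restricted";
    # auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # The Basic-auth directives can instead be placed only here, as the
    # answer above suggests; the API calls the extension makes are PHP
    # requests too, so they are challenged in the same way.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass  unix:/run/php-fpm/www.sock;   # ASSUMED PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

On CentOS the `htpasswd` tool comes from the `httpd-tools` package rather than `apache2-utils`; `htpasswd -c /etc/nginx/.htpasswd alice` writes an apr1 (MD5) entry that nginx verifies without extra libraries, whereas the bcrypt variant (`-B`) only works where the system `crypt()` understands `$2y$` hashes, which the stock CentOS 7 libc does not. Check the result with `nginx -t` before reloading, and test once from an allowed address and once from a disallowed one (a phone on mobile data is a convenient second vantage point).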

I apologize for my ignorance, but if I’m not mistaken, allowing access to the page only from a specific IP address blocks connections from all others attempting to connect. So, am I correct in assuming that the Passbolt mobile app or Passbolt browser extension on devices that do not have that IP address will encounter the issue shown in the second photo, with the error message “An internal error occurred. The server response could not be parsed. Please contact your administrator.”?

Maybe you could explain more about your use case.

But it's not clear yet why it is a problem for you that people can reach the login page. It's not your typical login page.

Have you tried accessing it from another device without an extension installed? There is no login option. The screen you show is only for users who have their extension installed.

For everyone else it looks like this:

And when they enter an email address but are not a user, it shows:

I have a private site and a public site. Here’s the public one: https://passbolt.gbtechlab.com