How to secure self hosted plausible?

[madanyang]

Hi,

There seems to be a hcaptcha variable but its' use is not mentioned in the self-hosted documentation. From my understanding it is just setting these two hcaptcha variables namely the sitekey and securekey.

Since there is no 2FA available how can I secure the access to login?

I guess firewalling 443 only to a specific IP will not help as that would mean I am also blocking the access to the js which in return stops the analytics function.

So how does one protect the login and api access yet keep the functionality ?

[perfectly-preserved-pie]

Hello, I'm wondering the same thing. I don't feel comfortable exposing the Plausible login page to the whole world.

Are there any workarounds?

[susanthenerd]

You can redirect specific pages to a blank page from ngnix, or you can allow just the API and script to be accessible over the nginx proxy(or whatever you use)

[sideskift]

Hi Susan

Do you have any examples on how to do that?

[josephdpurcell]

With Apache you can do something like this:

    # Only allow admin access from an IP
    <Location "/">
        Require ip 127.0.0.1
    </Location>
    # Ensure /js and /api are accessible
    <LocationMatch "^/(js|api)/">
        Require all granted
    </LocationMatch>

I don't know what security risks this still poses but for my hobby server I found it to at least give a denial for anything that is not /js or /api. Change the IP of course to whatever IP you're requesting it from (from the perspective of Apache).

Why /js and /api? Because I saw #2519.