MySafeIP: a trusted third party for your firewall!

For a few years (10/15, damn it goes by fast) I’ve been hosting my services at home in the cool garage on a physical server, VMs and recently cloud instances. Me, my small family and a circle of friends are the only users. A bit like many people here no doubt.

One evening I install Grafana/Prometheus to train myself, and I see the continuous bot scans on everything that is exposed. Well, I’m not a young one, I suspected it, but still, it’s pretty busy…

Not immune to missing an update from time to time, I don’t mind it too much and I’m looking for ways to improve all of this and here’s how…


Day 1: The VPN solution! It’s cool, it protects against viruses according to VPN du Nord or OpenOffice in its time. Oh no, the minister thought it was a firewall… (see link 5)
And yes, that’s good, but you have to manage the authentications, install the clients, meet the gaze of your loved ones (“But why 😢”). The night is passing, we must find something else.

Day 2: SSH bastion, SOCKS proxies. It’s fun, all terrain and it works. But hey, we keep it to ourselves at work. It would be a worse replay of day one… Next!

Day 3: port knocking! You knock on the door of a server with the correct UDP or TCP sequence, and it opens firewall rules. It is clean, and there are clients available on almost all devices. It’s almost ideal, but it’s still technical, very, very much…

Day 4: 😰 not much new.

Day 5: I remember my few months developing a first open source project 🤔. If it doesn’t exist, we code it and share it! It was a good time! Go, we roll up our sleeves.

We code!

Month 1: model under Django, MariaDB database and containerized installation. It does the job, but it’s not super light. I feel like I’m hammering in a nail with a sledgehammer.

Month 2: It does the job and is still very practical. For example, my Nextcloud and Bitwarden instances are accessible through “third party” links that I give to my relatives. When they open one, their client IP is read and the firewall authorizes it directly. They are redirected a few seconds later and use everything as they normally would, without going through MySafeIP again.
It’s also the first time I’ve been so reluctant to have personal data online.
The bots break their teeth, I cheer 😏.

Month 3: share it as it is? It should be lighter. The discovery of FastAPI and Bootstrap. Out come the keyboard and mouse. FastAPI is great, in a different register than Django 🤩. The potential is there and the documentation is rich for such a young project. It’s very, very motivating and I have some ideas for the future :).

MySafeIP in brief

After this long introduction, which nonetheless sums up the need for and the limitations of this kind of tool, here is a brief overview of MySafeIP.

MySafeIP is an open source program (Apache-2.0) that acts as a trusted third party to dynamically update trusted IPs:

  • either declared manually after approval;
  • or declared automatically via links that work like a URL shortener, whose redirection reads the client’s IP and authorizes it.

The kit is based on the FastAPI (backend) and Bootstrap/Jinja (UI) frameworks. The web management interface is PC/smartphone compatible.

It’s easy to install:

The installation is containerized on the server side, and a small Python module is available to retrieve the IPs on the firewall side. I also provide a script to configure at least iptables, based on ipset 🥳.
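As an added illustration of the firewall side (this is not MySafeIP's own client module or script), the sketch below turns a list of trusted IPs into input for `ipset restore`. The set names and the sample list are assumptions, and fetching the list from the server is not shown. Entries are validated first so that a malformed or overly broad value coming from the third party cannot widen the allow list.

```python
import ipaddress

SET_V4, SET_V6 = "trusted4", "trusted6"  # hypothetical ipset names

# Constructed sample of what a trusted-IP feed might return (not real data).
SAMPLE = ["203.0.113.7", " 198.51.100.23 ", "2001:db8::10", "0.0.0.0/0",
          "0.0.0.0", "203.0.113.9\nflush trusted4", "not-an-ip"]

def validate(entries):
    """Split untrusted strings into (ipv4, ipv6, rejected)."""
    v4, v6, rejected = set(), set(), []
    for raw in entries:
        try:
            # Single hosts only: CIDR ranges and embedded newlines raise here.
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append(raw)
            continue
        if (ip.is_unspecified or ip.is_loopback or ip.is_multicast
                or ip.is_link_local or getattr(ip, "scope_id", None)):
            rejected.append(raw)
            continue
        # str(ip) is the canonical form, so nothing else reaches ipset.
        (v4 if ip.version == 4 else v6).add(str(ip))
    return sorted(v4), sorted(v6), rejected

def restore_script(name, family, ips):
    """Commands for `ipset -exist restore`: fill a temp set, then swap."""
    tmp = name + "-tmp"
    lines = [f"create {name} hash:ip family {family}",
             f"create {tmp} hash:ip family {family}",
             f"flush {tmp}"]
    lines += [f"add {tmp} {ip}" for ip in ips]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

def build(entries):
    """Return (restore input for both families, rejected entries)."""
    v4, v6, rejected = validate(entries)
    script = restore_script(SET_V4, "inet", v4) + restore_script(SET_V6, "inet6", v6)
    return script, rejected

if __name__ == "__main__":
    script, rejected = build(SAMPLE)
    print(script, end="")
    print("rejected:", rejected)
```

The generated text is meant to be piped to `ipset -exist restore`; because the live set is replaced by a swap, an iptables rule matching it (`-m set --match-set trusted4 src`) never sees a half-filled list.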

In short, it installs in 5 minutes via docker-compose (yeah, that’s a bit of a sales pitch, let’s say 15 minutes including the client 😜) and adds fine-grained filtering in front of all your services without scaring your users.

On the authentication side: login/password and two-factor (TOTP) for web administration, and tokens for the client module (manageable from the application).

Finally, you can approve or disapprove the registration of users who would like to use it for their own services. It is also available in French and English.

You now know almost everything; I hope it will be as useful to you as it is to me.

I consider it an alpha version while I work on refactoring the routes and adding unit tests. However, it works “out of the box” and will already give you a good idea of its usefulness.

And before you rush to the screenshots: a very, very, very happy New Year to everyone!

[Screenshots: the home page; the IP declaration; an example of an instant link]

I am very interested in your feedback!
