How to block Gateway port 8088 from internet but keep Perspective accessible?

Hi everyone,

I’m trying to improve the security of our Ignition setup and need some guidance on the correct way to configure access.

Goal

  • Block port 8088 (Gateway web UI) from the internet
  • Keep Perspective projects accessible from the internet
  • Allow 8088 only when I’m on the local network (for admin / design work)

In other words:

  • On local network: http://<gateway-ip>:8088 → full Gateway + Perspective
  • From internet: no access to 8088, but users should still be able to open Perspective sessions.

Current setup

  • Ignition version: 8.1
  • OS: Windows
  • Ignition running on a server in the LAN
  • Firewall is currently forwarding 8088 on the Ignition server.

Questions

  1. What is the recommended way to block 8088 from WAN but allow it on LAN only?
  2. Should I:
    • Stop forwarding 8088 and only expose HTTPS (8043), or
    • Put a reverse proxy (Nginx/Caddy/Apache) in front and only proxy the Perspective paths?
  3. Are there any official best-practice examples for exposing Perspective securely while keeping the Gateway UI internal?

Any example firewall rules or reverse proxy configs would be really helpful.

Thanks!

FWIW, I don't feel like there is any harm for the users to have access to the gateway landing page. They cannot do anything to your Gateway without authentication.

1 Like

There is no way within Ignition to block the gateway web UI. Any block on port 8088 will kill everything.

Consider using a reverse proxy exposed to the internet and use rules within it to block the URL patterns that correspond to the gateway web UI.

You should also strongly consider not exposing the unencrypted port 8088 to the internet at all. Set up SSL, on the proxy perhaps, so all internet traffic is properly protected.

1 Like
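A sketch of the reverse-proxy approach suggested in the reply above, as an added example that is not from any poster in this thread or from Inductive Automation: Nginx terminates TLS, passes traffic to the gateway on 8088 over the LAN, and refuses the Gateway web UI paths to anything outside the LAN. The hostname, addresses, subnet and certificate paths are placeholders, and the `/web` prefix for the Gateway web UI is an assumption to confirm against your own gateway's URLs before relying on it.

```nginx
# Added example. Placeholders/assumptions: perspective.example.com,
# 10.0.0.10 (gateway LAN address), 10.0.0.0/24 (LAN subnet), the
# certificate paths, and /web as the Gateway web UI prefix.
# Goes in the http context (for example a file under conf.d/).

# Perspective sessions use WebSockets, so the Upgrade header must pass through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ignition_gateway {
    server 10.0.0.10:8088;   # LAN only; the WAN forward for 8088 is removed
}

server {
    listen 80;
    server_name perspective.example.com;
    return 301 https://$host$request_uri;   # no plain HTTP from the internet
}

server {
    listen 443 ssl;
    server_name perspective.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Shared proxy settings, inherited by every location below.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;
    proxy_read_timeout 300s;

    # Gateway web UI (assumed prefix): LAN clients only, 403 for everyone else.
    # Relies on Nginx seeing the real client address (no SNAT in front of it).
    location = /web { allow 10.0.0.0/24; deny all; proxy_pass http://ignition_gateway; }
    location /web/  { allow 10.0.0.0/24; deny all; proxy_pass http://ignition_gateway; }

    # Everything else, including Perspective sessions, is proxied.
    location / { proxy_pass http://ignition_gateway; }
}
```

Check the syntax with `nginx -t`, forward only 443 (and optionally 80) from the edge firewall to the proxy, and then confirm from an outside connection that a request under `/web/` returns 403 while a Perspective session still loads.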

Your option #2 is the way to go. As well as assigning permissions required for accessing the gateway webpage, etc.

1 Like