How to block Gateway port 8088 from internet but keep Perspective accessible?

WishahNaseer · November 20, 2025, 1:37pm

Hi everyone,

I’m trying to improve the security of our Ignition setup and need some guidance on the correct way to configure access.

Goal

Block port 8088 (Gateway web UI) from the internet
Keep Perspective projects accessible from the internet
Allow 8088 only when I’m on the local network (for admin / design work)

In other words:

On local network: http://<gateway-ip>:8088 → full Gateway + Perspective
From internet: no access to 8088, but users should still be able to open Perspective sessions.

Current setup

Ignition version: 8.1
OS: Windows
Ignition running on a server in the LAN
Firewall is currently forwarding 8088 on the Ignition server.

Questions

What is the recommended way to block 8088 from WAN but allow it on LAN only?
Should I:
- Stop forwarding 8088 and only expose HTTPS (8043), or
- Put a reverse proxy (Nginx/Caddy/Apache) in front and only proxy the Perspective paths?
Are there any official best-practice examples for exposing Perspective securely while keeping the Gateway UI internal?

Any example firewall rules or reverse proxy configs would be really helpful.

Thanks!

dillon · November 20, 2025, 1:42pm

FWIW, I don't feel like there is any harm for the users to have access to the gateway landing page. They cannot do anything to your Gateway without authentication.

pturmel · November 20, 2025, 2:06pm

There is no way within Ignition to block the gateway web UI. Any block on port 8088 will kill everything.

Consider using a reverse proxy exposed to the internet and use rules within it to block the URL patterns that correspond to the gateway web UI.

You should also strongly consider not exposing the unencrypted port 8088 to the internet at all. Set up SSL, on the proxy perhaps, so all internet traffic is properly protected.

tgarrison · November 20, 2025, 2:14pm

You're option #2 is the way to go. As well as assigning permissions required for accessing the gateway webpage, etc.

Nol · November 20, 2025, 4:46pm

You could create a security zone called local host, with an identifier IP address of 127.0.0.7 then in your gateway security general settings add SecurityZones/localhost to the gateway config permissions. Then you’ll only be able to access the gateway config UI from the machine itself. (Or similarly adjust this for your local network access if you want that)

Someone could still reach the gateway landing page from external addresses, so if a vulnerability within Ignition is discovered that could still be a concern. But they wouldn’t be able to access any of the config even if they phished an account login so it does add a layer of security.