Sky-Web
Sky-Web NGINX
sign in to your account
Sign in with Microsoft
or sign in locally
Sky-Web
Edge Gateway
Management
Dashboard
Sites
Certificates
Alerts
Notifications
Security
Firewall
Fail2ban
WAF
Port Forwards
Deployment
Web Deploy
Web Server Certs
Prod Certs
System
Edge Status
DB Backup
Communications
Users
Cloudflare DNS
Security / 2FA
Service Monitor
Log Viewer
– NGINX
● EDGE
Edge Gateway — Sky-Web
Loading…
Dashboard Overview
🌐
Total Sites
–
Managed by NGINX
🔒
SSL Enabled
–
With certificates
⚠️
Expiring Soon
–
Within 30 days
🔴
Expired
–
Action required

Recent Sites

Loading…
Site Management
Loading…
SSL Certificates
Auto-renew active
Auto-Renew Threshold
Certs are renewed automatically when this many days remain
days before expiry ✓ Saved
Loading…
Notification Contacts
Loading…

Notification Logs

Loading…
Firewall Administration
UFW Status
Loading…
Default Incoming
–
Default Outgoing
–

Quick Presets

Active Rules

Loading…

Quick IP Block

Fail2ban Protection
🛡️
Active Jails
–
🚫
Total Banned IPs
–
⚠️
Total Failures
–

Jail Status

Loading…

Manual Ban / Unban

Fail2ban Log

Loading…
Web Application Firewall
Loading…
Rules Active
–
Countries Blocked
–
Block Rules
–
Log Rules
–

Active Rules

Pattern matching applied via NGINX config — UA, URI path, IP/CIDR, HTTP method
🛡️

No rules. Click Load OWASP Presets to add recommended rules.

Blocked Countries

🌍

No countries blocked.

Block a Country

Quick Presets

Total Requests
–
Req / Min
–
Unique IPs
–
Attack Status
–

🔴 Suspected Attackers

Click Analyse to run detection.

Status Distribution

Top Paths

Top IPs by Volume

Click Analyse to load data.

IP Lookup

Edge Gateway Status
Edge Gateway
192.168.12.2
Public: 154.0.8.35
Checking…
NGINX · WAF · Fail2ban · Rate Limiting · Certbot
Active Sites
–
Proxied domains
SSL Certificates
–
Let's Encrypt managed

Edge Gateway Architecture

This server sits directly at the internet edge — there is no upstream firewall between it and the internal web servers. NGINX itself is the perimeter firewall: WAF rules, Fail2ban, UFW, rate limiting, and country blocking all enforce access control before traffic reaches any backend.
🌍 Internet
→
🌐 DNS
A 154.0.8.35
→
🛡 EDGE GATEWAY (THIS SERVER)
154.0.8.35 → 192.168.12.2
NGINX Reverse Proxy
WAF · Fail2ban · Rate Limits
UFW · Country Blocking
SSL Termination · Certbot
→
INTERNAL WEB SERVER
192.168.12.x
HTTP/HTTPS backend
INTERNAL WEB SERVER
192.168.12.x
HTTP/HTTPS backend
+ more servers via Site Management
⚠ No upstream firewall — NGINX is the perimeter. Keep WAF, Fail2ban and UFW active at all times.

Public IP NAT

Public IPInternal IPPorts ForwardedRole
154.0.8.35 192.168.12.2 80, 443 Edge Gateway
DNS Record
nginx.sky-web.co.za IN A 154.0.8.35 ; Edge Gateway
; Point each proxied domain's A record to 154.0.8.35 ; NGINX will route by server_name to the correct internal backend
Security & 2FA

Two-Factor Authentication

Loading…

Change Password

User Management
Name Email Role 2FA Status Last Login Actions
Loading...

📨 Invite History

Recipient Invited By Action Email Sent When
Loading...

Add User

Reset Password

Communications Settings

📧 Email SMTP

📱 SMS via Twilio

💬 WhatsApp via Twilio

Uses your Twilio account. The sandbox from-number is whatsapp:+14155238886. For production, use your approved WhatsApp sender number.

💬 WhatsApp via Meta Business API

Direct Meta Cloud API. Requires a verified Meta Business account and approved phone number.

Microsoft 365 SSO (Entra ID)

Azure App Registration steps:
1. portal.azure.com → App registrations → New registration
2. Supported account types: Accounts in this organizational directory only
3. Redirect URI (Web): https://nginx.sky-web.co.za/api/auth/microsoft/callback
4. Certificates & secrets → New client secret → copy the Value
5. API permissions → Add: openid, profile, email, User.Read, GroupMember.Read.All → Grant admin consent
6. Copy Directory (tenant) ID and Application (client) ID from the Overview page
Port Forwards
How it works: nginx listens on the selected port and proxies all traffic to the backend host/port you configure. Configs are written to the nginx-configs volume and automatically synced to Node 2 via lsyncd. For Sage Payroll / self-signed backends, set Backend Protocol → https and leave Verify Backend SSL off.

Configured Forwards

↔️

No port forwards configured. Click + Add Forward to get started.

Add Port Forward

Off = accept self-signed
Web Server Deployment Wizard

Audit Trail

Deployment History

No deployments yet. Click + New Deployment to start.
Production Web Server Certs
Servers
–
Registered
Total Certs
–
Tracked
Expiring Soon
–
Within 30 days
Expired
–
Action required

Remote Servers

Loading…

Certificates — –

Select a server above.
Cloudflare DNS Manager

DNS Records

TypeNameContentTTLProxyModifiedActions
Select a zone above.
Database Backup
Manual pg_dump Backups
Backups are stored on this node's volume. Run on Node 1 (primary DB). Files are compressed .sql.gz — restore with gunzip -c file.sql.gz | psql
Running pg_dump… this may take a moment.

Available Backups

Loading…
Service Monitor
Loading…
Log Viewer
Select a node and source, then click Load Logs.

Add DNS Record

Add Remote Server

Add Certificate

Add New Site

Add Notification Contact

Issue SSL Certificate

Domain must be publicly reachable on port 80 for the Let's Encrypt HTTP challenge.

Set Up Authenticator App

Scan this QR code with Google Authenticator, Authy, or any TOTP app.

Manual key:

Add Firewall Rule

Add WAF Rule

NGINX Config


  

Invite User

🔐 Two-Factor Authentication Required

Your organisation requires two-factor authentication. Please set up 2FA before accessing the panel.

Scan this QR code with your authenticator app, then enter the 6-digit code:

Manual key:

🔑 Change Your Password

You are using a temporary password. Please set a new password before continuing.

🔐

Accept Invitation

Edge Gateway