azorius.aria.company

Looking for a reverse proxy to put any service behind a login for external access.
from CatTrickery@lemmy.world to selfhosted@lemmy.world on 03 Apr 2024 18:59
https://lemmy.world/post/13870201

I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn’t so I currently don’t publicly expose them. I would ideally like to be able to use totp for this as well.

#selfhosted

threaded - newest

UltraBlack@lemmy.world on 03 Apr 2024 19:06 next collapse

caddy can do that with basicauth: caddyserver.com/docs/caddyfile/…/basicauth
nginx can 100% do that because it has plugins for everything
apache can probably do something like that

most reverse proxies have SSO tooling that you can set up pretty easily

But honestly, have you considered just using wireguard for these cases? It’s much more secure if you just want a bunch of stuff hidden from the rest of the world

emax_gomax@lemmy.world on 03 Apr 2024 19:14 next collapse

If you want a richer login authelia + caddy is good.

CatTrickery@lemmy.world on 03 Apr 2024 19:52 collapse

Ooh that Authelia looks pretty much ideal. I’ll give it a try and see how well it works.

Teng@lemmy.ml on 05 Apr 2024 06:38 collapse

How to use WireGuard for that? (Noob here)

UltraBlack@lemmy.world on 06 Apr 2024 21:41 collapse

WireGuard

try wg-easy. it’s on the docker hub and it makes setting up a wireguard tunnel incredibly easy (as in, press the add button). The initial docker configuration process was a bit annoying to me since I had no prior experience, but most of the issues were down to the dns settings, which I eventually figured out.

SeeJayEmm@lemmy.procrastinati.org on 03 Apr 2024 20:42 next collapse

I agree with everything everyone else has said here but if you looking for the most basic solution it’s already in NPM. You can configure basic auth in an access list and apply it to the site.

namelivia@lemmy.world on 03 Apr 2024 22:58 next collapse

I use pomerium for that

node815@lemmy.world on 06 Apr 2024 05:40 collapse

With that, I use Pomerium for apps which accept a HTTP Headers, for example, my Fresh Tomato firmware flashed router, it has a HTTP dialog. This allows me to login from the road if I need to manage something like rebooting it or updating firewall rules etc.

My access flow is this :

router.example.com —> Cloudflare Tunnel —> Pomerium IP —>Authentik —> Router’s Gui.

It works flawlessly. I don’t often use it, but when I do, it helps. I also had it enabled for AdguardHome but moved to Technitium DNS which I prefer and that doesn’t have the HTTP Headers so it’s not fully compatible with Pomerium that I’m aware of.

namelivia@lemmy.world on 06 Apr 2024 08:22 collapse

What does Authentik do in combination with pomerium? I don’t have it

node815@lemmy.world on 06 Apr 2024 17:58 collapse

Authentik is my IDP provider so I put it in front of all my publicly facing Apps which support OIDC login. For example, I can log into my Portainer instance from an external network, but to do so, I log into Authentik First which sends it to my service.

For the apps which support HTTP headers, like I said, Pomerium acts as the service which passes my credentials to the device. I admit - Authentik does this also without the need for Pomerium, (through their flow settings) but I found Pomerium to be much easier to set up for this than Authentik and haven’t looked back or felt the need to change it.

namelivia@lemmy.world on 07 Apr 2024 00:21 collapse

Ah I see! Thanks for the explanation, I have pomerium in front of everything using Google as IDP. Then if the app supports header authentication (like grafana) I get automatically logged in, and for those that don’t I have to log in again (a bit inconvenient) I event went as far as forking one and implementing header authentication myself.

PeachMan@lemmy.world on 03 Apr 2024 23:00 next collapse

It’s pretty easy to do this with Cloudflare Tunnels. You can set them up to use a Google account for SSO. Downside of course is that you’re reliant on Google and CF.

Decronym@lemmy.decronym.xyz on 03 Apr 2024 23:05 next collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
CF	CloudFlare
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
SSO	Single Sign-On
nginx	Popular HTTP server

[Thread #653 for this sub, first seen 3rd Apr 2024, 23:05] [FAQ] [Full list] [Contact] [Source code]

chiisana@lemmy.chiisana.net on 04 Apr 2024 00:49 next collapse

I use Traefik as reverse proxy and Authentik as SSO IdP. When I connect to my “exposed” service, Traefik middleware determines if I have the appropriate access credentials established. If so, I get access; if not, I’m bounced over to Authentik, where I enter my username, and authenticate via Passkey (modern passwordless gated by private keys behind biometrics unlock). The middleware can also be bypassed based on my pre established private custom HTTP header, so apps doesn’t support the flow (ie mobile client for some apps) can get in directly as well.

rentar42@kbin.social on 04 Apr 2024 07:49 next collapse

I've got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don't have to "remember yet another password" or "carry around another thingie". Personally I use a YubiKey anyway, but for others who aren't into it "for fun" or for philosophical reasons reducing the friction as much as possible is paramount.

chiisana@lemmy.chiisana.net on 04 Apr 2024 08:50 collapse

I’m so lucky I got my SO on board with using a password manager early on! However, the passwordless login (after figuring out how send a user to the enroll stage initially) makes it so smiple, don’t even need the federated Google login.

uninvitedguest@lemmy.ca on 05 Apr 2024 11:16 collapse

How does this work for you when using an app (E.g. Nextcloud, home assistant, etc) where log in isn’t handled by a browser that can redirect, but instead expects username and password credentials entered in-app?

chiisana@lemmy.chiisana.net on 05 Apr 2024 14:00 collapse

I don’t use the two you’ve called out, so I cannot guarantee my Google results are accurate, but the principle is similar…

If the app supports external authentication (usually, looking for things like OIDC, SAML, or SSO in the documentation), then I’d configure the app to do that and skip the Traefik middleware piece.

This is what I’d do based on what I’m seeing on this article for NextCloud. That is, when all is said and done, I’d go nexcloud.myunexistent.deployment and be greeted with the next cloud login screen, where the external authentication option is shown on screen.

A similar setup might be achieved with Home Assistant’s commandline authentication provider to delegate authentication out via command line setup. Alternatively, use hass-auth-header plugin along with trusted proxy to delegate authentication out to the reverse proxy.

Hope this points to a relevant direction for you!

jet@hackertalks.com on 04 Apr 2024 07:04 next collapse

Tailscale, cloud flare, come to mind

DeltaTangoLima@reddrefuge.com on 04 Apr 2024 07:20 next collapse

I use Nginx Proxy Manager and Authelia for just this. Authelia supports a wide range of identity and MFA providers.

Edit: although Authelia has an article on how to set it up, I found it still missed some key info. This article was the one that helped me most in getting it to work.

ikidd@lemmy.world on 05 Apr 2024 18:53 collapse

Be nice if the images worked on that link.

Shimitar@feddit.it on 05 Apr 2024 17:50 next collapse

Add Pam or basic auth to nginx and you are done.

blackbarn@lemm.ee on 09 Apr 2024 03:01 collapse

Throwing my setup in: Traefik with Authentik