proxyAuth addon
-
@nebulon That would seem a sensible approach. Similar to other gateway authentication solutions I've seen. Definitely would need to restrict trust of those headers either in app or sever configuration though to prevent escalation/impersonation/ato attacks
-
@jimcavoli is there any risk or impersonation angle, if the reverse proxy always explicitly overwrites that header?
-
-
Related: while re-working the n8n packaging, I happened upon what would probably be reasonably common, where there are selected sub-paths of
/which should not be authenticated - example being we want/to require auth, but not/webhook/*paths. It's at least non-obvious if not unsupported by the current docs on how to do this withproxyAuth -
Related: while re-working the n8n packaging, I happened upon what would probably be reasonably common, where there are selected sub-paths of
/which should not be authenticated - example being we want/to require auth, but not/webhook/*paths. It's at least non-obvious if not unsupported by the current docs on how to do this withproxyAuth@jimcavoli Indeed, that's not something I designed for. How complicated can these rules get ? Atleast, https://docs.n8n.io/reference/security.html does not seems to have any more information. Or should I just add a
publicPathproperty (singular) and that's enough ? I like to under-design these things and extend them as use cases come. -
@jimcavoli Indeed, that's not something I designed for. How complicated can these rules get ? Atleast, https://docs.n8n.io/reference/security.html does not seems to have any more information. Or should I just add a
publicPathproperty (singular) and that's enough ? I like to under-design these things and extend them as use cases come.@girish I think the best would be to have the path in proxyAuth be an array, where given paths can be either positive or negative. It's the way things like .gitignore work.
For example, in this case, it would be:
{ "proxyAuth": [ "/", "!/webbooks/" ] } -
@girish I think the best would be to have the path in proxyAuth be an array, where given paths can be either positive or negative. It's the way things like .gitignore work.
For example, in this case, it would be:
{ "proxyAuth": [ "/", "!/webbooks/" ] } -
Agree on the default behavior - I imagine it's unlikely that anything more specific than path-level exceptions are unlikely. Perhaps as an extension to the solution that @mehdi suggests, we could extend the existing format of:
{ "proxyAuth": { "path": "/admin" } }To take exceptions:
{ "proxyAuth": { "path": "/admin" , "exclude": [ "/webhook", "/ ] } }Or with probably over-the-top features, make everything a map of path and exception(s):
{ "proxyAuth": { "paths": { "/" : [ "/webhook", "/public" ], "/admin": [] } } }Honestly, I appreciate the minimal-first approach, and I think the middle option of adding a (understood to be auto-wildcarded) array of exclusions is the easier next step. I can't imagine anything that would need the super-complex variant would be something that would or should rely on such a mechanism to secure it.
-
Back in the day, we had an "oauth proxy" for apps that didn't support any authentication to put up an auth wall. This was brought up https://forum.cloudron.io/topic/1451/alternative-to-oauth-proxy . We removed that proxy when we removed OAuth support altogether.
Recently, there is a bunch of apps that require an auth wall including:
- Prometheus server/alert manager
- Cloud torrent
- Transmission
- Apps like surfer
- Many of our internal apps
I have put in this "proxy auth" feature in Cloudron 6. Just have to add it to addons in the manifest like:
"addons": { "proxyAuth": {} }Just like the
ldapaddon, user can then select which users/groups can authenticate. If the manifest also hasoptionalSso, then user can choose to let the app have no auth wall altogether.When using this feature, two routes are "reserved" -
/loginand/logout. Some benefits of having this on the platform side (as opposed in the app are):- 2FA login
- Session management in the user's profile page. i.e can logout from apps etc
- Easier for us to maintain this feature. Currently, this feature has already been re-implemented in the apps using 3 different stacks - nginx/apache/node...
I took a lot of inspiration from https://github.com/andygock/auth-server and @mehdi's transmission code. So, big thanks to them!
-
@girish I don't see the 2FA code prompt on the login page of Simple Torrent. Am I missing something?
Some benefits of having this on the platform side (as opposed in the app are):
- 2FA login
-
Agree on the default behavior - I imagine it's unlikely that anything more specific than path-level exceptions are unlikely. Perhaps as an extension to the solution that @mehdi suggests, we could extend the existing format of:
{ "proxyAuth": { "path": "/admin" } }To take exceptions:
{ "proxyAuth": { "path": "/admin" , "exclude": [ "/webhook", "/ ] } }Or with probably over-the-top features, make everything a map of path and exception(s):
{ "proxyAuth": { "paths": { "/" : [ "/webhook", "/public" ], "/admin": [] } } }Honestly, I appreciate the minimal-first approach, and I think the middle option of adding a (understood to be auto-wildcarded) array of exclusions is the easier next step. I can't imagine anything that would need the super-complex variant would be something that would or should rely on such a mechanism to secure it.
-
@jimcavoli Shall I go with
path: "!/webhooks"for now? Will this be enough for n8n ?@girish Yeah, that would be enough for n8n I think, though if we're going to go that route, I think making paths an array of either path(s) and/or
!paths makes the most sense in general (at least somehow providing for the option of multiple excluded paths) -
@girish Yeah, that would be enough for n8n I think, though if we're going to go that route, I think making paths an array of either path(s) and/or
!paths makes the most sense in general (at least somehow providing for the option of multiple excluded paths)@jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think
-
@jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think
-
-
@jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think
-
@girish Hi Girish, what is the status of this? selectively exposing certain paths to public?
@saikarthik Girish answered here : https://forum.cloudron.io/post/23886
Yes, proxyAuth exclusion is implemented. I only implemented a simple approach with a ! pattern for now (not an array).
