Simple auth (e.g. htaccess) for apps without authentication

necrevistonnezr

Is it possible (or already doable) to add a simple auth option for all apps that don't have a built-in authentification?

I'm thinking of SearxNG, Invidious, etc. where I don't want them completely in the open to (ab)use for everyone.

Maybe just a simple .htaccess would be enough, so that you had a https://user:password@search.domain.com? Or is there a better method?

girish

We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.

Also, it's quite confusing to add auth walls in front of apps that already have a login system. For example, invidivious already has users and login, now we have a totally different auth in front of this. For invidious, private instance feature is being implemented - https://github.com/iv-org/invidious/pull/4259

girish

The .htaccess only works in Apache btw and thus limited to apps that use apache (mostly php then).

Invidious is written in a fancy language (to me anyway) called crystal I think searx is python.

necrevistonnezr

@girish said in Simple auth (e.g. htaccess) for apps without authentication:

We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.

Well, if I understand correctly, the App that's being proxied is still "unprotected", correct?

If I point proxy.domain.com to app.domain.com or 93.###.###.###, then app.domain.com (or the IP) can still be opened without any authentification (if someone knows or finds out the app.domain.com address, which is usually trivial), can't it? And from the docs I understand that I can't point it to an internal, unpublished IP like 192.168.1.100:88, correct? (<-- This would be awesome, by the way....)

I think that's the main difference for something like the .htaccess approach (which I understand would only work in an Apache setup).

girish

@necrevistonnezr I was referring to the proxyAuth addon (https://docs.cloudron.io/packaging/addons/#proxyauth) and not the similary named App Proxy .

proxyAuth - we add this in an app's package. In this, there is no DNS entry for the app itself. Just for the external facing proxy. I guess quite similar to what you have in mind for .htaccess. For example, apps like haste, tldraw, transmission, firefly etc use this already. You will see an authwall in the front (a login screen) to access the app.

With App Proxy, you are correct, app.domain.com will still be open to internet. One has to protect this using a network firewall.

girish

@necrevistonnezr your note on things being public was good, I put a note in the App Proxy docs

necrevistonnezr

@girish Thanks for the clarification - so it's nothing I can apply as a user after app packaging.
So in general, my feature request still stands

girish

@necrevistonnezr if you can raise the request for specific apps, we can discuss why or why not we can do it for the app. maybe that's a good was forward here?

robi

@necrevistonnezr maybe if it's a simple enough app, you can package it along with the Surfer app which can provide the basic auth w/ a nice config interface.