Hello @vk182
@vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:
Do I understand correctly, that proxyAuth add-on will respect the Access Control setting of the app and allow access only to the allowed users via their Cloudron authentication? The target app may want the extra auth then but that is fine.
You understood correctly.
@vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:
Is there a way to add proxyAuth for the existing app?
Yes that can be done.
You can think of that process like an app update, that only updates the app to use the Cloudron proxyauth add-on and does nothing with the application itself.
@vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:
p.s. Just as a side note, what is the best way to isolate the particular app from the public interface?
If you have apps, that should not be publicly accessible, you could always only allow connections from specific IP-Addresses like e.g. a VPN.
Example setup could look something like this:
Main Cloudron server - running the VPN app and all other public apps
Separate Cloudron server - named intranet running all apps that should only be accessible from whitelisted IP-Addresses like the VPN (public IP of Main Cloudron)
non-public apps on this Cloudron intranet server
People who should be allowed to access the intranet server get a VPN client cert
The Cloudron intranet server can be connected to the Main Cloudron User Directory, thus syncing users for apps that have OIDC/LDAP
For the Intranet Cloudron server, you'd have to configure the firewall on a hosting provider level to only allow access from the Public IP of the Main Cloudron
Thus isolating public from intranet and still maintaining the comfortable setup of Cloudron User Directory.
Also comes in handy if you don't want your public apps (like Website or Shop) to go offline only when you need to update/reboot the intranet server.
