Simple auth (e.g. htaccess) for apps without authentication
-
Is it possible (or already doable) to add a simple auth option for all apps that don't have a built-in authentification?
I'm thinking of SearxNG, Invidious, etc. where I don't want them completely in the open to (ab)use for everyone.
Maybe just a simple
.htaccesswould be enough, so that you had a https://user:password@search.domain.com? Or is there a better method? -
We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.
Also, it's quite confusing to add auth walls in front of apps that already have a login system. For example, invidivious already has users and login, now we have a totally different auth in front of this. For invidious, private instance feature is being implemented - https://github.com/iv-org/invidious/pull/4259
-
We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.
Also, it's quite confusing to add auth walls in front of apps that already have a login system. For example, invidivious already has users and login, now we have a totally different auth in front of this. For invidious, private instance feature is being implemented - https://github.com/iv-org/invidious/pull/4259
@girish said in Simple auth (e.g. htaccess) for apps without authentication:
We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.
Well, if I understand correctly, the App that's being proxied is still "unprotected", correct?
If I point
proxy.domain.comtoapp.domain.comor93.###.###.###, thenapp.domain.com(or the IP) can still be opened without any authentification (if someone knows or finds out theapp.domain.comaddress, which is usually trivial), can't it? And from the docs I understand that I can't point it to an internal, unpublished IP like192.168.1.100:88, correct? (<-- This would be awesome, by the way....)I think that's the main difference for something like the
.htaccessapproach (which I understand would only work in an Apache setup). -
@girish said in Simple auth (e.g. htaccess) for apps without authentication:
We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.
Well, if I understand correctly, the App that's being proxied is still "unprotected", correct?
If I point
proxy.domain.comtoapp.domain.comor93.###.###.###, thenapp.domain.com(or the IP) can still be opened without any authentification (if someone knows or finds out theapp.domain.comaddress, which is usually trivial), can't it? And from the docs I understand that I can't point it to an internal, unpublished IP like192.168.1.100:88, correct? (<-- This would be awesome, by the way....)I think that's the main difference for something like the
.htaccessapproach (which I understand would only work in an Apache setup).@necrevistonnezr I was referring to the proxyAuth addon (https://docs.cloudron.io/packaging/addons/#proxyauth) and not the similary named App Proxy .
proxyAuth - we add this in an app's package. In this, there is no DNS entry for the app itself. Just for the external facing proxy. I guess quite similar to what you have in mind for
.htaccess. For example, apps like haste, tldraw, transmission, firefly etc use this already. You will see an authwall in the front (a login screen) to access the app.With App Proxy, you are correct,
app.domain.comwill still be open to internet. One has to protect this using a network firewall. -
@girish said in Simple auth (e.g. htaccess) for apps without authentication:
We have the proxyAuth addon for exactly this . It puts an auth wall in front of apps. Depending on the app, this auth well might break extensions, api calls etc. For this reason, this is not a generic option but something we add in the package considering each app.
Well, if I understand correctly, the App that's being proxied is still "unprotected", correct?
If I point
proxy.domain.comtoapp.domain.comor93.###.###.###, thenapp.domain.com(or the IP) can still be opened without any authentification (if someone knows or finds out theapp.domain.comaddress, which is usually trivial), can't it? And from the docs I understand that I can't point it to an internal, unpublished IP like192.168.1.100:88, correct? (<-- This would be awesome, by the way....)I think that's the main difference for something like the
.htaccessapproach (which I understand would only work in an Apache setup). -
@necrevistonnezr your note on things being public was good, I put a note in the App Proxy docs
@girish Thanks for the clarification - so it's nothing I can apply as a user after app packaging.
So in general, my feature request still stands -
@girish Thanks for the clarification - so it's nothing I can apply as a user after app packaging.
So in general, my feature request still stands -
@girish Thanks for the clarification - so it's nothing I can apply as a user after app packaging.
So in general, my feature request still stands@necrevistonnezr maybe if it's a simple enough app, you can package it along with the Surfer app which can provide the basic auth w/ a nice config interface.
