Hiding apps behind the proxy app to enable cloudron authentication

    vk182 wrote (last edited by joseph), #1:

    Hello,

    We are using Cloudron (v9) to host several applications that do not support native Cloudron user authentication. To standardise access control, we have introduced a proxy app (running on the same Cloudron instance) that authenticates users and then forwards traffic to the target application. This is done by routing traffic internally using the 172.* Docker network IP and the app’s internal port, ensuring that users must authenticate before reaching the target app.

    However, the proxy and the target app each have their own subdomain. The proxy correctly enforces Cloudron authentication, but the target app remains externally accessible via its own subdomain, bypassing the intended protection.

    What would be the cleanest, most durable way to prevent external access to the target app’s subdomain, so that it is reachable only through the proxy? We are trying to avoid custom modifications or unsupported hacks that might break updates or interfere with Cloudron’s normal operation.

    Thank you in advance for your guidance.

      james (Staff) wrote, #2:

      Hello @vk182 and welcome to the Cloudron forum

      @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

      host several applications that do not support native Cloudron user authentication

      Are these custom apps or are you running them inside e.g.: the LAMP app?

        vk182 wrote, #3:

        Hello @james! Just normal Cloudron apps like Mattermost or n8n that do not integrate with Cloudron authentication and do not provide SSO.

          james (Staff) wrote, #4:

          Hello @vk182
          So you would like the app proxy in front of these apps, as well as their own user management?

            vk182 wrote, #5:

            @james hey 👋 yes, correct - I do not mind the apps to use their own user management but since we cannot control/enforce proper rules over its security we want to add proper Cloudron auth on top of it. We are able to configure app proxy just fine, but we need a simple way to isolate these apps from the external IP so they will be accessible only via app proxy.

              Teiluj wrote, #6:

              Unless I misunderstand @vk182's post, this seems like something that was described here, here, and here.
              As well as some old references here.

              Looks like a feature in high demand, with a fair amount of use cases...

                james (Staff) wrote (last edited by james), #7:

                Hello @vk182
                Okay, understood.

                @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

                What would be the cleanest, most durable way to prevent external access to the target app’s subdomain, so that it is reachable only through the proxy? We are trying to avoid custom modifications or unsupported hacks that might break updates or interfere with Cloudron’s normal operation.

                Even though you have stated this.
                It would be a simple change to the app and the extra maintenance would be somewhat manageable. Depending on how many apps you want to do this with.

                I did a recent post about this, see: https://forum.cloudron.io/post/115963

                With the same approach you can edit any Cloudron app and add the proxyAuth addon.

                  robi wrote, #8:

                  It might be simpler to add an Nginx Auth option for any app as part of the App location configuration.

                  That way there's no way around the gate if configured via app subdomain and no additional proxy app is needed.

                  Conscious tech

                    vk182 wrote, #9:

                    @james thank you for the clarification and the link! Do I understand correctly, that proxyAuth add-on will respect the Access Control setting of the app and allow access only to the allowed users via their Cloudron authentication? The target app may want the extra auth then but that is fine.

                    Is there a way to add proxyAuth for the existing app? I do understand that the documentation says it is impossible, but what if we already have quite a lot of data in the app that we want to protect and we are not able to just run a fresh install?

                    P.S. Just as a side note, what is the best way to isolate a particular app from the public interface? This would allow us to hide any app without a clean reinstall with proxyAuth. Disabling the public interface would also come in handy if we wanted the app to only be allowed on the VPC interface (i.e. on our ZeroTier network, but not on the public one).

                      james (Staff) wrote, #10:

                      Hello @vk182

                      @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

                      Do I understand correctly, that proxyAuth add-on will respect the Access Control setting of the app and allow access only to the allowed users via their Cloudron authentication? The target app may want the extra auth then but that is fine.

                      You understood correctly.

                      @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

                      Is there a way to add proxyAuth for the existing app?

                      Yes that can be done.
                      You can think of that process like an app update, that only updates the app to use the Cloudron proxyauth add-on and does nothing with the application itself.

                      @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

                      p.s. Just as a side note, what is the best way to isolate the particular app from the public interface?

                      If you have apps, that should not be publicly accessible, you could always only allow connections from specific IP-Addresses like e.g. a VPN.

                      Example setup could look something like this:

                      • Main Cloudron server - running the VPN app and all other public apps
                      • Separate Cloudron server - named intranet running all apps that should only be accessible from whitelisted IP-Addresses like the VPN (public IP of Main Cloudron)
                      • non-public apps on this Cloudron intranet server
                      • People who should be allowed to access the intranet server get a VPN client cert
                      • The Cloudron intranet server can be connected to the Main Cloudron User Directory, thus syncing users for apps that have OIDC/LDAP
                      • For the Intranet Cloudron server, you'd have to configure the firewall on a hosting provider level to only allow access from the Public IP of the Main Cloudron

                      Thus isolating public from intranet and still maintaining the comfortable setup of Cloudron User Directory.
                      Also comes in handy if you don't want your public apps (like Website or Shop) to go offline only when you need to update/reboot the intranet server.

                        vk182 wrote, #11:
                        Hi @james thank you for the detailed response!

                        You can think of that process like an app update, that only updates the app to use the Cloudron proxyauth add-on and does nothing with the application itself.

                        Can you please point me to the documentation on how this can be done? I understand now that an app updates itself, isn't it?

                        If you have apps, that should not be publicly accessible, you could always only allow connections from specific IP-Addresses like e.g. a VPN.

                        Is it possible to block a single app from public access within the same Cloudron instance? I do not want to overcomplicate the configuration and have nested servers...

                          joseph (Staff) wrote, #12:

                          I moved this to feature request since it's not implemented yet but feel free to discuss workaround/alt solutions.

                            robi wrote, #13:

                            How about just basic http auth from the Cloudron nginx config?

                            Conscious tech

                              james (Staff) wrote, #14:

                              Hello @vk182

                              @vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

                              Can you please point me to the documentation on how this can be done? I understand now that an app updates itself, isn't it?

                              I have done so already here

                              said in Hiding apps behind the proxy app to enable cloudron authentication:

                              I did a recent post about this, see: https://forum.cloudron.io/post/115963

                                vk182 wrote, #15:

                                @james hi 👋 thanks for the article - I have checked it and I can not understand how to force-upgrade-with-custom-manifest. Do I need to fork the app from your repo and build a completely custom app? My goal is to enable proxyAuth to the existing app that has some data and users.
