Hiding apps behind the proxy app to enable cloudron authentication

vk182

Hello,

We are using Cloudron (v9) to host several applications that do not support native Cloudron user authentication. To standardise access control, we have introduced a proxy app (running on the same Cloudron instance) that authenticates users and then forwards traffic to the target application. This is done by routing traffic internally using the 172.* Docker network IP and the app’s internal port, ensuring that users must authenticate before reaching the target app.

However, the proxy and the target app each have their own subdomain. The proxy correctly enforces Cloudron authentication, but the target app remains externally accessible via its own subdomain, bypassing the intended protection.

What would be the cleanest, most durable way to prevent external access to the target app’s subdomain, so that it is reachable only through the proxy? We are trying to avoid custom modifications or unsupported hacks that might break updates or interfere with Cloudron’s normal operation.

Thank you in advance for your guidance.

james

Hello @vk182 and welcome to the Cloudron forum

@vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

host several applications that do not support native Cloudron user authentication

Are these custom apps or are you running them inside e.g.: the LAMP app?

vk182

Hello @james ! Just normal cloudron apps like Mattermost or n8n that does not integrate with cloudron authentication and does not provide SSO

james

Hello @vk182
So you would like the app proxy infront of these apps, as well as their own user management?

vk182

@james hey yes, correct - I do not mind the apps to use their own user management but since we can not control/enforce proper rules over its secutiry we want to add proper cloudron auth on top of it. We are able to configure app proxy jsut fine, but we need a simple way to isolate these apps from the external IP so they will be accessible only via app proxy.

Teiluj

Unless I misunderstand @vk182's post, This seems like something that was described here, here , and here.
As well as some old references here.

Looks like a feature in high demand, with a fair amount of use cases...

james

Hello @vk182
Okay, understood.

@vk182 said in Hiding apps behind the proxy app to enable cloudron authentication:

What would be the cleanest, most durable way to prevent external access to the target app’s subdomain, so that it is reachable only through the proxy? We are trying to avoid custom modifications or unsupported hacks that might break updates or interfere with Cloudron’s normal operation.

Even though you have stated this.
It would be a simple change to the app and the extra maintenance would be somewhat manageable. Depending on how many apps you want to do this with.

I did a recent post about this, see: https://forum.cloudron.io/post/115963

With the same approch you can edit any Cloudron app and add the proxyAuth addon.

robi

It might be simpler to add an Nginx Auth option for any app as part of the App location configuration.

That way there's no way around the gate if configured via app subdomain and no additional proxy app is needed.

vk182

@james thank you for the clarification and the link! Do I understand correctly, that proxyAuth add-on will respect the Access Control setting of the app and allow access only to the allowed users via their Cloudron authentication? The target app may want the extra auth then but that is fine.

Is there a way to add proxyAuth for the existing app? I do understand that documentation says it is impossible, but what if we have quite a big data already in the app that we want to protect and we are not able to just run a fresh install?

p.s. Just as a side note, what is the best way to isolate the particular app from the public interface? This will allow us to be able to hide any app without clear reinstall with proxyAuth. This public-interface disabling also would come handy if we wanted the app to only be allowed on the VPC interface (i.e. on our ZeroTier network, but not on the public).