proxyAuth addon
-
Agree on the default behavior - I imagine it's unlikely that anything more specific than path-level exceptions are unlikely. Perhaps as an extension to the solution that @mehdi suggests, we could extend the existing format of:
{ "proxyAuth": { "path": "/admin" } }
To take exceptions:
{ "proxyAuth": { "path": "/admin" , "exclude": [ "/webhook", "/ ] } }
Or with probably over-the-top features, make everything a map of path and exception(s):
{ "proxyAuth": { "paths": { "/" : [ "/webhook", "/public" ], "/admin": [] } } }
Honestly, I appreciate the minimal-first approach, and I think the middle option of adding a (understood to be auto-wildcarded) array of exclusions is the easier next step. I can't imagine anything that would need the super-complex variant would be something that would or should rely on such a mechanism to secure it.
-
-
@girish Yeah, that would be enough for n8n I think, though if we're going to go that route, I think making paths an array of either path(s) and/or
!
paths makes the most sense in general (at least somehow providing for the option of multiple excluded paths) -
@girish Currently
I have an app that this does not work on - is there something special I need to do in the app beyond adding the addon to the addon list?Edit: I am blind I swear - just formatted the JSON incorrectly for the manifest.
-
@saikarthik Girish answered here : https://forum.cloudron.io/post/23886
Yes, proxyAuth exclusion is implemented. I only implemented a simple approach with a ! pattern for now (not an array).
-
I have a question regarding the proxyAuth addon: If I understand it correctly, it has to added to the manifest file and therefore is only suitable for custom apps. How about an option to enable it for apps that have built-in authentication as well?
In my case, I would like to hide the public site of an Shaarli-instance behind the proxyAuth login. Such that authenticated users can browse the public page and I can additionally login using the builtin auth as admin.
I know, that this usecase is somewhat specific and customary, but it is just meant as an example of possible use cases for an proxyAuth-option with the standard apps. -
@hendrikvl I don't use Shaarli, so I don't know about it very well, but in my opinion, the clean way to do this would be to request the upstream project (Shaarli) to allow an option to protect stuff behind its own auth wall, and have 2 types of users, normal & admin. It seems "hacky" to me to solve this usecase with Cloudron's proxyAuth
-
@hendrikvl Currently, proxyAuth is designed for cases where the app has no user management at all. I think if an app already has user support like shaarli, it's best to ask the upstream project to password protect the public page as @mehdi suggests. BTW, if you post a request upstream, please do post the link here.
-
@girish @mehdi Thanks for your replies. Since Shaarli is designed as a single-user application, I don't see much chances of getting LDAP integration implemented for the public page.
But you're of course right, that my proposal for the Shaarli public page is a bit "hacky". It was rather meant as an example of what a dynamic proxyAuth-option could be used for. My thought was, that others might have a need for such an option in similar situations as well. -
I think it would be nice if more apps supported the option to switch to proxyAuth+
X-REMOTE-USER
-based authentication for multi-user apps. I prefer proxy-based auth for a couple reasons:- I don't trust the login page and password handling to apps. Even if they auth via ldap -- they're still touching the password. Proxy auth eliminates this problem altogether, since they only receive the attestation of the user's identity (the header), no secrets, no cookies. I trust the proxy's auth login page way more.
- Ideally the app is never even accessible to the outside world until you're logged in. Apps often have vulnerabilities that can expose data even if you're not logged in. By putting the app behind an authenticating proxy, one can shield it from general internet access, narrowing the scope of attackers from "everyone that can access my ip" to "users on my cloudron" -- a large improvement.
- It's by far the easiest auth system to implement first if you write something custom.
Of course, all apps may not support this yet, and sometimes you do want a public-facing service, and some apps could never work like this (bitwarden), etc, hence "optional".
-
@infogulch said in proxyAuth addon:
It's by far the easiest auth system to implement first if you write something custom.
I don't think it is.
Cloudron used to have something very similar (in usage, if not technologically), using OAuth. They decided to drop it, because almost no apps supported it.
What you are describing would be indeed quite interesting, but more or less custom to cloudron : i think this would be even more difficult to convince upstream devs to implement, because it's so custom.
Do you know of any apps that currently support a similar thing ?