Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum
Apps | Demo | Docs | Install

proxyAuth addon

Scheduled Pinned Locked Moved App Packaging & Development
54 Posts 15 Posters 3.1k Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • saikarthikS Offline
    saikarthikS Offline
    saikarthik
    wrote on last edited by
    #21

    @girish is there a way to get the username/email from within the app?

    nebulonN 1 Reply Last reply
    0
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    replied to saikarthik on last edited by
    #22

    @saikarthik currently not, I guess the only option would be to add the username/email as a header in the requests?

    jimcavoliJ 1 Reply Last reply
    2
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli App Dev
    replied to nebulon on last edited by
    #23

    @nebulon That would seem a sensible approach. Similar to other gateway authentication solutions I've seen. Definitely would need to restrict trust of those headers either in app or sever configuration though to prevent escalation/impersonation/ato attacks

    nebulonN 1 Reply Last reply
    0
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    replied to jimcavoli on last edited by
    #24

    @jimcavoli is there any risk or impersonation angle, if the reverse proxy always explicitly overwrites that header?

    jimcavoliJ 1 Reply Last reply
    0
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli App Dev
    replied to nebulon on last edited by
    #25

    @nebulon Yes, an always-overwrite would mitigate as well, as long as the edges get tested well, might be the easier solution

    1 Reply Last reply
    0
  • saikarthikS Offline
    saikarthikS Offline
    saikarthik
    wrote on last edited by
    #26

    @nebulon @girish is this something that can be added to cloudron? passing logged in username/email ID to apps through the header? Any comments/issues?

    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to saikarthik on last edited by
    #27

    @saikarthik yup, can surely be added. probably next release.

    1 Reply Last reply
    2
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli App Dev
    wrote on last edited by
    #28

    Related: while re-working the n8n packaging, I happened upon what would probably be reasonably common, where there are selected sub-paths of / which should not be authenticated - example being we want / to require auth, but not /webhook/* paths. It's at least non-obvious if not unsupported by the current docs on how to do this with proxyAuth

    girishG 1 Reply Last reply
    3
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jimcavoli on last edited by
    #29

    @jimcavoli Indeed, that's not something I designed for. How complicated can these rules get ? Atleast, https://docs.n8n.io/reference/security.html does not seems to have any more information. Or should I just add a publicPath property (singular) and that's enough ? I like to under-design these things and extend them as use cases come.

    mehdiM 1 Reply Last reply
    1
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to girish on last edited by
    #30

    @girish I think the best would be to have the path in proxyAuth be an array, where given paths can be either positive or negative. It's the way things like .gitignore work.

    For example, in this case, it would be:

    {
  "proxyAuth": [
    "/",
    "!/webbooks/"
  ]
}
    T 1 Reply Last reply
    3
  • T Offline
    T Offline
    thetomester13 App Dev
    replied to mehdi on last edited by
    #31

    @mehdi I like this solution and its flexibility. It could also be backwards compatible with the currently version - if no paths are specified, everything is auth'ed.

    1 Reply Last reply
    1
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli App Dev
    wrote on last edited by
    #32

    Agree on the default behavior - I imagine it's unlikely that anything more specific than path-level exceptions are unlikely. Perhaps as an extension to the solution that @mehdi suggests, we could extend the existing format of:

    {
  "proxyAuth": {
    "path": "/admin" 
  }
}

    To take exceptions:

    {
  "proxyAuth": {
    "path": "/admin" ,
    "exclude": [
      "/webhook",
      "/
    ]
  }
}

    Or with probably over-the-top features, make everything a map of path and exception(s):

    {
  "proxyAuth": {
    "paths": {
      "/" : [
        "/webhook",
        "/public"
      ],
      "/admin": []
    }
  }
}

    Honestly, I appreciate the minimal-first approach, and I think the middle option of adding a (understood to be auto-wildcarded) array of exclusions is the easier next step. I can't imagine anything that would need the super-complex variant would be something that would or should rely on such a mechanism to secure it.

    girishG 1 Reply Last reply
    0
  • njN Offline
    njN Offline
    nj
    replied to girish on last edited by
    #33

    @girish I don't see the 2FA code prompt on the login page of Simple Torrent. Am I missing something?

    Some benefits of having this on the platform side (as opposed in the app are):

    • 2FA login

    Founder & OpenSource Lover. My Cloudron Apps

    mehdiM 1 Reply Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to nj on last edited by
    #34

    @nj I don't think this is implemented either:

    • Session management in the user's profile page. i.e can logout from apps etc

    I think @girish just meant that it would be possible to implement this in the future, not that it would be in the first version of proxyAuth.

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #35

    @nj I have logged it here - https://git.cloudron.io/cloudron/box/-/issues/748 . As @mehdi said, it wasn't implemented as part of the first iteration of proxyAuth.

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jimcavoli on last edited by
    #36

    @jimcavoli Shall I go with path: "!/webhooks" for now? Will this be enough for n8n ?

    jimcavoliJ 1 Reply Last reply
    0
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli App Dev
    replied to girish on last edited by
    #37

    @girish Yeah, that would be enough for n8n I think, though if we're going to go that route, I think making paths an array of either path(s) and/or ! paths makes the most sense in general (at least somehow providing for the option of multiple excluded paths)

    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to jimcavoli on last edited by
    #38

    @jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think 🤔

    mehdiM saikarthikS 2 Replies Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to girish on last edited by
    #39

    @girish It works for .gitignore files 🤷

    girishG 1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to mehdi on last edited by
    #40

    @mehdi great point. I can copy what they do.

    murgeroM 1 Reply Last reply
    1

  • Login
  • Don't have an account? Register
  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks