Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. App Packaging & Development
  3. proxyAuth addon

proxyAuth addon

Scheduled Pinned Locked Moved App Packaging & Development
54 Posts 15 Posters 10.0k Views 15 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • girishG girish

      @mehdi great point. I can copy what they do.

      murgeroM Offline
      murgeroM Offline
      murgero
      App Dev
      wrote on last edited by murgero
      #41

      @girish Currently I have an app that this does not work on - is there something special I need to do in the app beyond adding the addon to the addon list?

      Edit: I am blind I swear - just formatted the JSON incorrectly for the manifest.

      --
      https://urgero.org
      ~ Professional Nerd. Freelance Programmer. ~

      1 Reply Last reply
      1
      • girishG girish

        @jimcavoli won't having it plural cause some confusing semantics if you mix ! and no ! paths ? Let me think 🤔

        saikarthikS Offline
        saikarthikS Offline
        saikarthik
        wrote on last edited by
        #42

        @girish Hi Girish, what is the status of this? selectively exposing certain paths to public?

        mehdiM 1 Reply Last reply
        0
        • saikarthikS saikarthik

          @girish Hi Girish, what is the status of this? selectively exposing certain paths to public?

          mehdiM Offline
          mehdiM Offline
          mehdi
          App Dev
          wrote on last edited by
          #43

          @saikarthik Girish answered here : https://forum.cloudron.io/post/23886

          Yes, proxyAuth exclusion is implemented. I only implemented a simple approach with a ! pattern for now (not an array).

          1 Reply Last reply
          1
          • H Offline
            H Offline
            hendrikvl
            wrote on last edited by
            #44

            I have a question regarding the proxyAuth addon: If I understand it correctly, it has to added to the manifest file and therefore is only suitable for custom apps. How about an option to enable it for apps that have built-in authentication as well?

            In my case, I would like to hide the public site of an Shaarli-instance behind the proxyAuth login. Such that authenticated users can browse the public page and I can additionally login using the builtin auth as admin.
            I know, that this usecase is somewhat specific and customary, but it is just meant as an example of possible use cases for an proxyAuth-option with the standard apps.

            mehdiM girishG 2 Replies Last reply
            0
            • H hendrikvl

              I have a question regarding the proxyAuth addon: If I understand it correctly, it has to added to the manifest file and therefore is only suitable for custom apps. How about an option to enable it for apps that have built-in authentication as well?

              In my case, I would like to hide the public site of an Shaarli-instance behind the proxyAuth login. Such that authenticated users can browse the public page and I can additionally login using the builtin auth as admin.
              I know, that this usecase is somewhat specific and customary, but it is just meant as an example of possible use cases for an proxyAuth-option with the standard apps.

              mehdiM Offline
              mehdiM Offline
              mehdi
              App Dev
              wrote on last edited by
              #45

              @hendrikvl I don't use Shaarli, so I don't know about it very well, but in my opinion, the clean way to do this would be to request the upstream project (Shaarli) to allow an option to protect stuff behind its own auth wall, and have 2 types of users, normal & admin. It seems "hacky" to me to solve this usecase with Cloudron's proxyAuth

              1 Reply Last reply
              2
              • H hendrikvl

                I have a question regarding the proxyAuth addon: If I understand it correctly, it has to added to the manifest file and therefore is only suitable for custom apps. How about an option to enable it for apps that have built-in authentication as well?

                In my case, I would like to hide the public site of an Shaarli-instance behind the proxyAuth login. Such that authenticated users can browse the public page and I can additionally login using the builtin auth as admin.
                I know, that this usecase is somewhat specific and customary, but it is just meant as an example of possible use cases for an proxyAuth-option with the standard apps.

                girishG Offline
                girishG Offline
                girish
                Staff
                wrote on last edited by
                #46

                @hendrikvl Currently, proxyAuth is designed for cases where the app has no user management at all. I think if an app already has user support like shaarli, it's best to ask the upstream project to password protect the public page as @mehdi suggests. BTW, if you post a request upstream, please do post the link here.

                murgeroM H 2 Replies Last reply
                1
                • girishG girish

                  @hendrikvl Currently, proxyAuth is designed for cases where the app has no user management at all. I think if an app already has user support like shaarli, it's best to ask the upstream project to password protect the public page as @mehdi suggests. BTW, if you post a request upstream, please do post the link here.

                  murgeroM Offline
                  murgeroM Offline
                  murgero
                  App Dev
                  wrote on last edited by
                  #47

                  @girish This plugin works amazing on my alpha build of code-server. Works like a treat.

                  --
                  https://urgero.org
                  ~ Professional Nerd. Freelance Programmer. ~

                  1 Reply Last reply
                  3
                  • girishG girish

                    @hendrikvl Currently, proxyAuth is designed for cases where the app has no user management at all. I think if an app already has user support like shaarli, it's best to ask the upstream project to password protect the public page as @mehdi suggests. BTW, if you post a request upstream, please do post the link here.

                    H Offline
                    H Offline
                    hendrikvl
                    wrote on last edited by
                    #48

                    @girish @mehdi Thanks for your replies. Since Shaarli is designed as a single-user application, I don't see much chances of getting LDAP integration implemented for the public page.
                    But you're of course right, that my proposal for the Shaarli public page is a bit "hacky". It was rather meant as an example of what a dynamic proxyAuth-option could be used for. My thought was, that others might have a need for such an option in similar situations as well.

                    1 Reply Last reply
                    0
                    • infogulchI Offline
                      infogulchI Offline
                      infogulch
                      wrote on last edited by infogulch
                      #49

                      I think it would be nice if more apps supported the option to switch to proxyAuth+X-REMOTE-USER-based authentication for multi-user apps. I prefer proxy-based auth for a couple reasons:

                      • I don't trust the login page and password handling to apps. Even if they auth via ldap -- they're still touching the password. Proxy auth eliminates this problem altogether, since they only receive the attestation of the user's identity (the header), no secrets, no cookies. I trust the proxy's auth login page way more.
                      • Ideally the app is never even accessible to the outside world until you're logged in. Apps often have vulnerabilities that can expose data even if you're not logged in. By putting the app behind an authenticating proxy, one can shield it from general internet access, narrowing the scope of attackers from "everyone that can access my ip" to "users on my cloudron" -- a large improvement.
                      • It's by far the easiest auth system to implement first if you write something custom.

                      Of course, all apps may not support this yet, and sometimes you do want a public-facing service, and some apps could never work like this (bitwarden), etc, hence "optional".

                      mehdiM 1 Reply Last reply
                      1
                      • infogulchI infogulch

                        I think it would be nice if more apps supported the option to switch to proxyAuth+X-REMOTE-USER-based authentication for multi-user apps. I prefer proxy-based auth for a couple reasons:

                        • I don't trust the login page and password handling to apps. Even if they auth via ldap -- they're still touching the password. Proxy auth eliminates this problem altogether, since they only receive the attestation of the user's identity (the header), no secrets, no cookies. I trust the proxy's auth login page way more.
                        • Ideally the app is never even accessible to the outside world until you're logged in. Apps often have vulnerabilities that can expose data even if you're not logged in. By putting the app behind an authenticating proxy, one can shield it from general internet access, narrowing the scope of attackers from "everyone that can access my ip" to "users on my cloudron" -- a large improvement.
                        • It's by far the easiest auth system to implement first if you write something custom.

                        Of course, all apps may not support this yet, and sometimes you do want a public-facing service, and some apps could never work like this (bitwarden), etc, hence "optional".

                        mehdiM Offline
                        mehdiM Offline
                        mehdi
                        App Dev
                        wrote on last edited by
                        #50

                        @infogulch said in proxyAuth addon:

                        It's by far the easiest auth system to implement first if you write something custom.

                        I don't think it is.

                        Cloudron used to have something very similar (in usage, if not technologically), using OAuth. They decided to drop it, because almost no apps supported it.

                        What you are describing would be indeed quite interesting, but more or less custom to cloudron : i think this would be even more difficult to convince upstream devs to implement, because it's so custom.

                        Do you know of any apps that currently support a similar thing ?

                        infogulchI 2 Replies Last reply
                        0
                        • mehdiM mehdi

                          @infogulch said in proxyAuth addon:

                          It's by far the easiest auth system to implement first if you write something custom.

                          I don't think it is.

                          Cloudron used to have something very similar (in usage, if not technologically), using OAuth. They decided to drop it, because almost no apps supported it.

                          What you are describing would be indeed quite interesting, but more or less custom to cloudron : i think this would be even more difficult to convince upstream devs to implement, because it's so custom.

                          Do you know of any apps that currently support a similar thing ?

                          infogulchI Offline
                          infogulchI Offline
                          infogulch
                          wrote on last edited by infogulch
                          #51

                          I did some searching ("reverse proxy authentication", "header proxy auth"). I offer these examples for your consideration:

                          • open source Kanban project management software Kanboard
                            • REMOTE_USER
                          • Jenkins
                            • X-Forwarded-User
                          • Docker suggesting using it to secure access to a registry (Not sure how applicable this one is.)
                          • Microsoft recently published some docs on how to configure Azure AD to do proxy auth, as well as another article
                          • Authelia (?)
                          • Some Oracle enterprise apps
                          • Some stack overflow questions in this area:
                            • https://stackoverflow.com/questions/33368653/how-do-i-set-remote-user-in-a-http-header
                            • https://serverfault.com/questions/180726/remote-user-through-apache-reverse-proxy

                          Perhaps this solution is more common in enterprise apps. Probably for the security reasons I mentioned before.

                          There's also RFC 7615 / Proxy-Authenticate on MDN which seems related.

                          Thoughts?

                          Edit also:

                          • Galaxy Project (?)
                          • odoo community (?)
                          • shibboleth (?)
                          1 Reply Last reply
                          1
                          • mehdiM mehdi

                            @infogulch said in proxyAuth addon:

                            It's by far the easiest auth system to implement first if you write something custom.

                            I don't think it is.

                            Cloudron used to have something very similar (in usage, if not technologically), using OAuth. They decided to drop it, because almost no apps supported it.

                            What you are describing would be indeed quite interesting, but more or less custom to cloudron : i think this would be even more difficult to convince upstream devs to implement, because it's so custom.

                            Do you know of any apps that currently support a similar thing ?

                            infogulchI Offline
                            infogulchI Offline
                            infogulch
                            wrote on last edited by
                            #52

                            @mehdi said in proxyAuth addon:

                            It's by far the easiest auth system to implement first if you write something custom.

                            I don't think it is.

                            I'm just saying that if you can build your app assuming it's behind an authenticating reverse-proxy, it frees you from a LOT of work designing a system to authenticate the user with credentials or whatever. It's just username = request.Headers["X-Forwarded-User"], done. No validation, no encryption, no hmac, no password hashing function, no password storage, no password resets, etc etc etc

                            mehdiM 1 Reply Last reply
                            0
                            • infogulchI infogulch

                              @mehdi said in proxyAuth addon:

                              It's by far the easiest auth system to implement first if you write something custom.

                              I don't think it is.

                              I'm just saying that if you can build your app assuming it's behind an authenticating reverse-proxy, it frees you from a LOT of work designing a system to authenticate the user with credentials or whatever. It's just username = request.Headers["X-Forwarded-User"], done. No validation, no encryption, no hmac, no password hashing function, no password storage, no password resets, etc etc etc

                              mehdiM Offline
                              mehdiM Offline
                              mehdi
                              App Dev
                              wrote on last edited by
                              #53

                              @infogulch That's totally true, but it assumes that apps are built with Cloudron specifically (or something similar) in mind. It's not the case for most Cloudron apps at the moment

                              infogulchI 1 Reply Last reply
                              1
                              • infogulchI infogulch referenced this topic on
                              • mehdiM mehdi

                                @infogulch That's totally true, but it assumes that apps are built with Cloudron specifically (or something similar) in mind. It's not the case for most Cloudron apps at the moment

                                infogulchI Offline
                                infogulchI Offline
                                infogulch
                                wrote on last edited by
                                #54

                                @mehdi I think we can add Firefly III to the list of apps that use this authentication strategy.

                                1 Reply Last reply
                                0
                                Reply
                                • Reply as topic
                                Log in to reply
                                • Oldest to Newest
                                • Newest to Oldest
                                • Most Votes


                                  • Login

                                  • Don't have an account? Register

                                  • Login or register to search.
                                  • First post
                                    Last post
                                  0
                                  • Categories
                                  • Recent
                                  • Tags
                                  • Popular
                                  • Bookmarks
                                  • Search