
Cloudron Forum


Restricting app access to logged-in Cloudron users

  • cbeams wrote (last edited by girish) #1

    Assume a Cloudron instance at example.com running two apps at:

    1. ghost.example.com and
    2. wikijs.example.com

    Does Cloudron's security / authentication model allow for allowing public internet access to (1) while restricting access to (2) to signed-in Cloudron users?

    The use case is that the blog at (1) would be intended for public consumption while the wiki would be an organization-internal resource that no one outside the org should be able to access at all.

    I have looked through the SSO docs, and at the per-app Access Control / User Management settings, e.g. to "Allow all users from this Cloudron" or to "Allow the following users or groups", but these options configure who may log in to the app, not who may see the app at all. The app at (2) (Wiki.js) does not appear to have an option to restrict access to logged in users (everything is public by default), so I'm looking for a way to lock it down at the Cloudron / nginx level.

  • girish (Staff) replied to cbeams #2

    @cbeams Short answer is yes.

    To give the bigger picture: Cloudron is essentially deploying apps on the server. Then there is a centralized user directory. When possible, apps are pre-integrated to use this centralized user directory as the authentication mechanism.

    "When possible" means that the app has to support LDAP. When it doesn't support LDAP, the app will have its own authentication directory. "Authentication mechanism" means that only username and password are matched. Any roles/permissions (i.e. authorization) are configured inside the app itself.

    Finally, apps on Cloudron are deployed to be internet facing, i.e. anyone can visit the app. The app itself might choose not to show any public content though. As in, it requires auth for users to see anything.

    To take your specific case:

    • Ghost does not have LDAP integration. Cloudron will deploy it as public facing. So, this is what you want already.

    • wikijs does support LDAP integration. Cloudron will deploy it as public facing. What you want is then to check if wikijs can restrict content access only to authenticated users. Which it does. Under Settings look for Public Access.

    a4ca2397-f483-495d-bc96-70a894ca2b11-image.png

    On a side note, if you did want to make Ghost also private, Ghost also has a feature under "Labs" in the settings to password protect the site.

  • cbeams replied to girish #3

    @girish thanks for the response, makes sense. By the way, it looks like you pasted a screenshot from Bookstack's settings screen, as opposed to wiki.js. So far as I can tell, Wiki.js does not have equivalent "make this instance private to logged in users" functionality.

    Also note that it looks like Cloudflare's "Access" feature could be a way to lock down whole subdomains/apps to logged in Cloudron users, regardless of whether the app explicitly supports doing so. https://www.cloudflare.com/teams/access/

  • nebulon (Staff) wrote #4

    @cbeams indeed, I took a quick look at wikijs and all I could find was some setting on a page level to publish or not publish pages. This apparently makes pages only visible for users logged into wikijs. But I am not sure if this is what you really want, since the wikijs UI then to edit pages and all is also visible on those pages.

  • girish (Staff) replied to cbeams (last edited by girish) #5

    @cbeams Whoops, you are right. It's indeed bookstack and not wikijs!

    Also, I think using Cloudflare as a front to wikijs should work. Let us know if it doesn't.
