    Restricting app access to logged-in Cloudron users

    • C
      cbeams last edited by girish

      Assume a Cloudron instance at example.com running two apps at:

      1. ghost.example.com and
      2. wikijs.example.com

      Does Cloudron's security / authentication model allow for allowing public internet access to (1) while restricting access to (2) to signed-in Cloudron users?

      The use case is that the blog at (1) would be intended for public consumption while the wiki would be an organization-internal resource that no one outside the org should be able to access at all.

      I have looked through the SSO docs, and at the per-app Access Control / User Management settings, e.g. to "Allow all users from this Cloudron" or to "Allow the following users or groups", but these options configure who may log in to the app, not who may see the app at all. The app at (2) (Wiki.js) does not appear to have an option to restrict access to logged in users (everything is public by default), so I'm looking for a way to lock it down at the Cloudron / nginx level.

      • girish
        girish Staff @cbeams last edited by

        @cbeams Short answer is yes.

        To give the bigger picture: Cloudron is essentially deploying apps on the server. Then there is a centralized user directory. When possible, apps are pre-integrated to use this centralized user directory as the authentication mechanism.

        "When possible" means that the app has to support LDAP. When it doesn't support LDAP, the app will have its own authentication directory. "Authentication mechanism" means that only username and password are matched. Any roles/permissions (i.e. authorization) are configured inside the app itself.

        Finally, apps on Cloudron are deployed to be internet facing, i.e. anyone can visit the app. The app itself might choose not to show any public content though. As in, it requires auth for users to see anything.

        To take your specific case:

        • Ghost does not have LDAP integration. Cloudron will deploy it as public facing. So, this is what you want already.

        • wikijs does support LDAP integration. Cloudron will deploy it as public facing. What you want is then to check if wikijs can restrict content access only to authenticated users. Which it does. Under Settings look for Public Access.

        a4ca2397-f483-495d-bc96-70a894ca2b11-image.png

        On a side note, if you did want to make Ghost also private, Ghost also has a feature under "Labs" in the settings to password protect the site.

        • C
          cbeams @girish last edited by

          @girish thanks for the response, makes sense. By the way, it looks like you pasted a screenshot from Bookstack's settings screen, as opposed to wiki.js. So far as I can tell, Wiki.js does not have equivalent "make this instance private to logged in users" functionality.

          Also note that it looks like CloudFlare's "Access" feature could be a way to lock down whole subdomains/apps to logged in Cloudron users, regardless of whether the app explicitly supports doing so. https://www.cloudflare.com/teams/access/

          • nebulon
            nebulon Staff last edited by

            @cbeams indeed, I took a quick look at wikijs and all I could find was some setting on a page level to publish or not publish pages. This apparently makes pages only visible for users logged into wikijs. But I am not sure if this is what you really want, since the wikijs UI to edit pages and all is then also visible on those pages.

            • girish
              girish Staff @cbeams last edited by girish

              @cbeams Whoops, you are right. It's indeed bookstack and not wikijs!

              Also, I think using cloudflare as a front to wikijs should work. Let us know if it doesn't.
