Password Protected Cloudron Nginx
-
When setting up a Cloudron server, there are often sections of the site that you wish to restrict access to. Web applications often provide their own authentication and authorization methods, but the web server itself can be used to restrict access if these are inadequate or unavailable eg. filespizza, Jirafeau, etc.
This tutorial shows how.
Would it make sense to enable this in an easier fashion via the Cloudron Admin interface?
Some users would prefer that their entire Cloudron work server be safer behind a server-level login-password combination.
-
@oj I think that makes sense. If you can point out specific apps, we can simply add the new authProxy addon to the apps. Should be trivial. Did you have any more in mind other than file pizza and Jirafeau? By re-using the auth proxy we can user management + 2FA integration etc automatically.
-
@girish If it were possible to control web-app use/read access, then I would immediate install filepizza, Jirafeau, Prometheus server/ altertmanager, CloudTorrent and Transmission.
Further, if it is could be used to restrict read access to the content in Surfer and WikiJS...then that too.
-
-
@oj ah ok, that is indeed easier then. Still there are at least two choices, we could enable the authproxy addon for apps where it makes sense or we could essentially allow the authproxy for any app. I would prefer a more selective approach, but maybe I don't see all the use-cases. For example putting a matomo behind an auth proxy blindly would essentially render the app useless as far as I can tell.
-
@nebulon Agree.
Essentially, my country's Information Technology rules (and punitive legal actions) have moved towards a concept of "intermediary liability" for the public actions of the users of the services that I host! Hosting and public distribution of so-called "anti-national" content (i.e. content critical of the governments policies/actions) is one such area...if you can believe it! (It may be difficult to believe this if you are in Europe!)
I have no control over these rules...So, as a service provider - in case of a specific, legally binding notice from the government - I could need to control who creates/distributes/reads content via these apps on Cloudron.
-
I have added proxyAuth it some apps like file pizza and hastebin now. We can add it to more as we go. Jirafeau already has some admin page, so I think it will be confusing if we have a login page and another admin password page. jirafeau already has a way to restrict uploads - https://docs.cloudron.io/apps/jirafeau/#restricting-uploads . Maybe one of those will be enough. Alternately, I think we have to look into integrating better with the app somehow.
-
-
@girish thanks for that, it worked. i'm not sure how useful the password protection is in practice, at least in my case, because the receiver of the file pizza link would also need to sign in (and not just the uploader). i've gone back to using file pizza without having to login. wondering if this a security risk in anyway?
