Hiding apps behind the proxy app to enable cloudron authentication

Hello,

We are using Cloudron (v9) to host several applications that do not support native Cloudron user authentication. To standardise access control, we have introduced a proxy app (running on the same Cloudron instance) that authenticates users and then forwards traffic to the target application. This is done by routing traffic internally using the 172.* Docker network IP and the app’s internal port, ensuring that users must authenticate before reaching the target app.

However, the proxy and the target app each have their own subdomain. The proxy correctly enforces Cloudron authentication, but the target app remains externally accessible via its own subdomain, bypassing the intended protection.

What would be the cleanest, most durable way to prevent external access to the target app’s subdomain, so that it is reachable only through the proxy? We are trying to avoid custom modifications or unsupported hacks that might break updates or interfere with Cloudron’s normal operation.

Thank you in advance for your guidance.

@james thank you so much! SOGoMailCustomFromEnabled worked prefectly!

Hello @james ! Just normal cloudron apps like Mattermost or n8n that does not integrate with cloudron authentication and does not provide SSO

Hi @james thank you for the detailed response!

You can think of that process like an app update, that only updates the app to use the Cloudron proxyauth add-on and does nothing with the application itself.

Can you please point me to the documentation on how this can be done? I understand now that and app updates itself, isn't it?

If you have apps, that should not be publicly accessible, you could always only allow connections from specific IP-Addresses like e.g. a VPN.

Is it possible to block single app from public access within the same Cloudron instance? I do not want to overcomplicate the configuration and have nested servers...