I have looked around for a while and can’t seem to find anything on this so I’m not sure if it’s an option or not.
Would it be possible to set an environment variable to force a user to login when visiting the public facing docker container?
Not built-in capability yet. Most users who choose to expose their install externally put it behind a VPN or a reverse proxy with authentication and encryption. Caddy, nginx, traefik have all been used successfully for this. Even cloudflared.
Here is an example config using caddy
You can find other examples by searching this forum.
And here are my Traefik 2 labels on the compose container:
```yaml
labels:
  - traefik.enable=true
  ## HTTP Routers
  - traefik.http.routers.photostructure.entrypoints=https
  - traefik.http.routers.photostructure.rule=Host(`photos.$DOMAINNAME`)
  ## Middlewares
  - traefik.http.routers.photostructure.middlewares=chain-authelia-no-ratelimit@file
  ## HTTP Services
  - traefik.http.routers.photostructure.service=photostructure
  - traefik.http.services.photostructure.loadbalancer.server.port=1787
```
I define the security headers and such separately.
I currently use caddy for all of my public facing stuff. My concern is the fact that if I navigate to my domain it shows all pictures without any need for user authentication. From what I understand, this is not possible right now? I guess I can remove the domain and just use a Tailscale IP.
You can (and absolutely should!) add authentication on your reverse proxy. They all support this. The sample caddy file from the link above shows how (sort of)
```caddyfile
# See https://caddyserver.com/docs/caddyfile/directives/basicauth
basicauth * {
    USER HASH
}
```
Similar or better capabilities are available with the other reverse proxy tools. Based on @adamf’s post above, it looks like authelia oauth. I personally use cloudflared with Google oauth to expose anything to the internet.
Several posts of interest:
My own setup (except I don’t use unraid anymore, but the rest is still correct):
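To show how the `basicauth` snippet above fits into a full site block, here is an added Caddy 2 example (not from this thread or from the PhotoStructure project) that fronts the container on port 1787 mentioned in the Traefik labels. The hostname, username and the bcrypt hash are placeholders.

```caddyfile
# Added example: Caddy 2 site block with HTTP basic auth in front of a
# PhotoStructure container listening on localhost:1787.
# photos.example.com, alice and the hash below are placeholders.
photos.example.com {
    # Caddy obtains and renews the TLS certificate automatically, so the
    # basic-auth credentials are never sent over plain HTTP.

    # Generate the hash with:  caddy hash-password --plaintext 'change-me'
    # (Caddy 2.8 and later also accept the spelling basic_auth.)
    basicauth * {
        alice $2a$14$REPLACE-WITH-OUTPUT-OF-caddy-hash-password
    }

    # Only requests that passed basicauth are forwarded to the container.
    reverse_proxy localhost:1787
}
```

Publish the container port to the loopback interface only (for example `-p 127.0.0.1:1787:1787` or a compose `ports` entry of `127.0.0.1:1787:1787`) so the app cannot be reached directly and the proxy's authentication cannot be bypassed.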
Wow, thank you so much for those replies, I somehow missed that link above when searching for my answer. That is exactly what I needed and was not aware of that caddy functionality. I will certainly be implementing this in other areas as well.