Ability to create a user account to secure public facing server install

njakes · August 22, 2023, 5:21pm

I have looked around for a while and can’t seem to find anything on this so I’m not sure if its an option or not.

Would it be possible to set an environment variable to force a user to login when visiting the public facing docker container?

avdp · August 22, 2023, 8:00pm

Not built-in capability yet. Most users that chooses to expose their install externally put it behind a VPN or a reverse proxy with authentication and encryption. Caddy, nginx, traefik have all been used successfully for this. Even cloudflared.

Here is an example config using caddy

You can find other example by searching this forum.

adamf · August 22, 2023, 8:12pm

And here are my Traefik 2 labels on the compose container:

    labels:
      - traefik.enable=true
      ## HTTP Routers
      - traefik.http.routers.photostructure.entrypoints=https
      - traefik.http.routers.photostructure.rule=Host(`photos.$DOMAINNAME`)
      ## Middlewares
      - traefik.http.routers.photostructure.middlewares=chain-authelia-no-ratelimit@file
      ## HTTP Services
      - traefik.http.routers.photostructure.service=photostructure
      - traefik.http.services.photostructure.loadbalancer.server.port=1787

I define the security headers and such separately.

njakes · August 22, 2023, 8:29pm

I currently use caddy for all of my public facing stuff. My concern is the fact that if I navigate to my domain it shows all pictures without any need for user authentication. From what I understand, this is not possible right now? I guess I can remove the domain and just use a tailscale ip.

avdp · August 22, 2023, 8:46pm

You can (and absolutely should!) add authentication on your reverse proxy. They all support this. The sample caddy file from the link above shows how (sort of)

# See https://caddyserver.com/docs/caddyfile/directives/basicauth

basicauth * {
  USER HASH
}

Similar, or better capabilities are available with the other reverse proxy tools. Based on @adamf post above, it looks like authelia oauth. I personally use cloudflared with Google oauth to expose anything to the internet.

avdp · August 22, 2023, 8:53pm

Several posts of interest:

My own setup (except I don’t use unraid anymore, but the rest is still correct):

njakes · August 22, 2023, 9:06pm

Wow, thank you so much for those replies, I somehow missed that link above when search for my answer . That is exactly what I needed and was not aware of that caddy functionality. I will certainly be implementing this in other areas as well.