I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn’t so I currently don’t publicly expose them. I would ideally like to be able to use totp for this as well.

@UltraBlack@lemmy.world
link
fedilink
English
11
edit-2
7M

most reverse proxies have SSO tooling that you can set up pretty easily

But honestly, have you considered just using wireguard for these cases? It’s much more secure if you just want a bunch of stuff hidden from the rest of the world

@Teng@lemmy.ml
link
fedilink
English
17M

How to use WireGuard for that? (Noob here)

@UltraBlack@lemmy.world
link
fedilink
English
27M

WireGuard

try wg-easy. it’s on the docker hub and it makes setting up a wireguard tunnel incredibly easy (as in, press the add button). The initial docker configuration process was a bit annoying to me since I had no prior experience, but most of the issues were down to the dns settings, which I eventually figured out.

@emax_gomax@lemmy.world
link
fedilink
English
57M

If you want a richer login authelia + caddy is good.

@CatTrickery@lemmy.world
creator
link
fedilink
English
27M

Ooh that Authelia looks pretty much ideal. I’ll give it a try and see how well it works.

@namelivia@lemmy.world
link
fedilink
English
17M

I use pomerium for that

@node815@lemmy.world
link
fedilink
English
17M

With that, I use Pomerium for apps which accept a HTTP Headers, for example, my Fresh Tomato firmware flashed router, it has a HTTP dialog. This allows me to login from the road if I need to manage something like rebooting it or updating firewall rules etc.

My access flow is this :

router.example.com —> Cloudflare Tunnel —> Pomerium IP —>Authentik —> Router’s Gui.

It works flawlessly. I don’t often use it, but when I do, it helps. I also had it enabled for AdguardHome but moved to Technitium DNS which I prefer and that doesn’t have the HTTP Headers so it’s not fully compatible with Pomerium that I’m aware of.

@namelivia@lemmy.world
link
fedilink
English
17M

What does Authentik do in combination with pomerium? I don’t have it

@node815@lemmy.world
link
fedilink
English
27M

Authentik is my IDP provider so I put it in front of all my publicly facing Apps which support OIDC login. For example, I can log into my Portainer instance from an external network, but to do so, I log into Authentik First which sends it to my service.

For the apps which support HTTP headers, like I said, Pomerium acts as the service which passes my credentials to the device. I admit - Authentik does this also without the need for Pomerium, (through their flow settings) but I found Pomerium to be much easier to set up for this than Authentik and haven’t looked back or felt the need to change it.

@namelivia@lemmy.world
link
fedilink
English
17M

Ah I see! Thanks for the explanation, I have pomerium in front of everything using Google as IDP. Then if the app supports header authentication (like grafana) I get automatically logged in, and for those that don’t I have to log in again (a bit inconvenient) I event went as far as forking one and implementing header authentication myself.

@PeachMan@lemmy.world
link
fedilink
English
17M

It’s pretty easy to do this with Cloudflare Tunnels. You can set them up to use a Google account for SSO. Downside of course is that you’re reliant on Google and CF.

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 76 users / day
  • 109 users / week
  • 241 users / month
  • 850 users / 6 months
  • 1 subscriber
  • 1.53K Posts
  • 8.72K Comments
  • Modlog