I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn’t so I currently don’t publicly expose them. I would ideally like to be able to use totp for this as well.
- caddy can do that with
basicauth: https://caddyserver.com/docs/caddyfile/directives/basicauth - nginx can 100% do that because it has plugins for everything
- apache can probably do something like that
most reverse proxies have SSO tooling that you can set up pretty easily
But honestly, have you considered just using wireguard for these cases? It’s much more secure if you just want a bunch of stuff hidden from the rest of the world
If you want a richer login authelia + caddy is good.
Ooh that Authelia looks pretty much ideal. I’ll give it a try and see how well it works.
How to use WireGuard for that? (Noob here)
- caddy can do that with
It’s pretty easy to do this with Cloudflare Tunnels. You can set them up to use a Google account for SSO. Downside of course is that you’re reliant on Google and CF.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare HTTP Hypertext Transfer Protocol, the Web SSO Single Sign-On nginx Popular HTTP server
[Thread #653 for this sub, first seen 3rd Apr 2024, 23:05] [FAQ] [Full list] [Contact] [Source code]
I use Traefik as reverse proxy and Authentik as SSO IdP. When I connect to my “exposed” service, Traefik middleware determines if I have the appropriate access credentials established. If so, I get access; if not, I’m bounced over to Authentik, where I enter my username, and authenticate via Passkey (modern passwordless gated by private keys behind biometrics unlock). The middleware can also be bypassed based on my pre established private custom HTTP header, so apps doesn’t support the flow (ie mobile client for some apps) can get in directly as well.
I’ve got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don’t have to “remember yet another password” or “carry around another thingie”. Personally I use a YubiKey anyway, but for others who aren’t into it “for fun” or for philosophical reasons reducing the friction as much as possible is paramount.
I’m so lucky I got my SO on board with using a password manager early on! However, the passwordless login (after figuring out how send a user to the enroll stage initially) makes it so smiple, don’t even need the federated Google login.
Tailscale, cloud flare, come to mind
I use Nginx Proxy Manager and Authelia for just this. Authelia supports a wide range of identity and MFA providers.
Edit: although Authelia has an article on how to set it up, I found it still missed some key info. This article was the one that helped me most in getting it to work.
I agree with everything everyone else has said here but if you looking for the most basic solution it’s already in NPM. You can configure basic auth in an access list and apply it to the site.
I use pomerium for that
