Reverse proxy + authentication


mikeyrad


Hey guys - I just started using unraid and so far I love it! I got it pretty much all set up - a few VMs and a bunch of dockers - everything is working great.

 

I'm trying to figure out the best way of allowing external access to internal sites using a reverse proxy with authentication prior to seeing the target server's landing page. I kind of have it set up like this now using nginx-letsencrypt reverse proxy with basic auth - so if you go to some of the sites it'll throw a little pop-up, and if you auth it will take you to the page. Which is what I want - but it's definitely not pretty.

 

I'd rather have some page to auth against which will bring up a site with bookmarks to links you're authorized to see - an SSL VPN portal is probably the way to go for that, but wondering what you guys have used if anything other than the edge firewall (I have an ASA but the URL bookmarks in the portal redirects don't work particularly well)...openvpn-as maybe?

Link to comment
  • 3 weeks later...

I think you're getting a bit confused with what services you use for what.

 

OpenVPN-AS, which is a VPN, is the best way of securing your sites against outside access other than those authorised. But it requires clients to be set up to use it.

Reverse proxy using authentication (and SSL) is the second best, with the main benefit being no requirement to configure clients.

 

Personally I just use SSL auth as you do, but in the past I have configured a WordPress site on my reverse proxy container, password protected that and also created menus to my apps from within WordPress.

Link to comment

I'm not confused - I'm just looking for an easy elegant solution. I have a Cisco ASA firewall that I've set up SSL clientless VPN on - brings you to a landing page and I have bookmarks set up that give you encrypted access to internal resources that I give your account access to. It then proxies your connection to those resources - problem is, unless the web page is very basic the ASA always has a difficult time with it. I was hoping openvpn-as had something similar but it doesn't (requires a client) so was hoping there was some openvpn-webvpn alternative or something.

 

So far I've just been using nginx reverse proxy with basic auth for the sites I want auth for and now that it's been running for a while it's fine....but I still have to tell people which URLs I want them to hit and they have to type them in manually.

 

The wordpress idea isn't a bad one, but it'll still require direct connections from the clients (and probably a re-auth) instead of tunneling them for you.

Link to comment

Since you guys already seem to have the nginx reverse proxy set up, why don't you just modify the home page to include links to the various proxied services?

 

Make sure you password protect the home page and all the proxies with the same htpasswd.

 

For just web traffic, nginx reverse proxy is great. VPN is only needed for non-web traffic like SSH connections, etc.

 

Link to comment
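The layout suggested in the post above (one password-protected home page linking to the proxied services, all behind the same htpasswd), sketched as an nginx config. This is an added example, not configuration posted by anyone in the thread; the hostname, file paths, location names and upstream addresses are assumptions to replace with your own.

```nginx
# Added example. home.example.com, /config/... paths, /app1/, /app2/ and the
# 192.168.1.x upstreams are placeholders, not values from the thread.

# Redirect plain HTTP so the Basic auth header is only ever sent over TLS.
server {
    listen 80;
    server_name home.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name home.example.com;

    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;

    # Declared once at server level and inherited by every location below,
    # so a proxy added later cannot be left open by forgetting its auth lines.
    auth_basic           "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    # Home page: a static index.html containing links to /app1/ and /app2/.
    root  /config/www;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Proxied services live on the same host and realm as the home page,
    # so browsers typically reuse the credentials instead of prompting again.
    location /app1/ {
        proxy_pass http://192.168.1.10:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /app2/ {
        proxy_pass http://192.168.1.11:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A location that sets its own auth_basic (including "auth_basic off") overrides the inherited setting, so check any per-location overrides when reviewing the file. Run "nginx -t" before reloading to catch syntax errors.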

Is there a guide floating around on how to get this all set up on Unraid? I currently have a domain name set up with DDClient that allows me to reach one or two local applications but would love a more secure way to get this done.

 

From what I understand, you're running a web server locally that you can connect to using the reverse proxy. You have a splash page of sorts set up to access local applications, but before you can access anything (the splash page and/or apps) you must authenticate yourself. This is the ideal setup for me.

 

EDIT: Found this, I forgot what forum I was on...: https://lime-technology.com/forum/index.php?topic=38875.0

 

 

Link to comment

I'd rather have some page to auth against which will bring up a site with bookmarks to links you're authorized to see

 

https://github.com/causefx/iDashboard-PHP

 

Crude but effective if you just need a difference between yourself and everyone else. Not at all secure probably though.

 

Edit: on the topic of reverse proxy authentication, have any of you seen this?

 

https://github.com/bitly/oauth2_proxy

 

Some further reading:

http://developers.canal-plus.com/blog/install-nginx-reverse-proxy-with-github-oauth2/

https://jasonbarto.com/authenticate-your-services-with-google-nginx-and-oauth2/ (ignore the SSL warning, he's still using a StartCom cert)

Link to comment
