I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn’t so I currently don’t publicly expose them. I would ideally like to be able to use totp for this as well.
I use Traefik as reverse proxy and Authentik as SSO IdP. When I connect to my “exposed” service, Traefik middleware determines if I have the appropriate access credentials established. If so, I get access; if not, I’m bounced over to Authentik, where I enter my username, and authenticate via Passkey (modern passwordless gated by private keys behind biometrics unlock). The middleware can also be bypassed based on my pre established private custom HTTP header, so apps doesn’t support the flow (ie mobile client for some apps) can get in directly as well.
How does this work for you when using an app (E.g. Nextcloud, home assistant, etc) where log in isn’t handled by a browser that can redirect, but instead expects username and password credentials entered in-app?
I don’t use the two you’ve called out, so I cannot guarantee my Google results are accurate, but the principle is similar…
If the app supports external authentication (usually, looking for things like OIDC, SAML, or SSO in the documentation), then I’d configure the app to do that and skip the Traefik middleware piece.
This is what I’d do based on what I’m seeing on this article for NextCloud. That is, when all is said and done, I’d go https://nexcloud.myunexistent.deployment/ and be greeted with the next cloud login screen, where the external authentication option is shown on screen.
I’ve got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don’t have to “remember yet another password” or “carry around another thingie”. Personally I use a YubiKey anyway, but for others who aren’t into it “for fun” or for philosophical reasons reducing the friction as much as possible is paramount.
I’m so lucky I got my SO on board with using a password manager early on! However, the passwordless login (after figuring out how send a user to the enroll stage initially) makes it so smiple, don’t even need the federated Google login.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
I use Traefik as reverse proxy and Authentik as SSO IdP. When I connect to my “exposed” service, Traefik middleware determines if I have the appropriate access credentials established. If so, I get access; if not, I’m bounced over to Authentik, where I enter my username, and authenticate via Passkey (modern passwordless gated by private keys behind biometrics unlock). The middleware can also be bypassed based on my pre established private custom HTTP header, so apps doesn’t support the flow (ie mobile client for some apps) can get in directly as well.
How does this work for you when using an app (E.g. Nextcloud, home assistant, etc) where log in isn’t handled by a browser that can redirect, but instead expects username and password credentials entered in-app?
I don’t use the two you’ve called out, so I cannot guarantee my Google results are accurate, but the principle is similar…
If the app supports external authentication (usually, looking for things like OIDC, SAML, or SSO in the documentation), then I’d configure the app to do that and skip the Traefik middleware piece.
This is what I’d do based on what I’m seeing on this article for NextCloud. That is, when all is said and done, I’d go https://nexcloud.myunexistent.deployment/ and be greeted with the next cloud login screen, where the external authentication option is shown on screen.
A similar setup might be achieved with Home Assistant’s commandline authentication provider to delegate authentication out via command line setup. Alternatively, use hass-auth-header plugin along with trusted proxy to delegate authentication out to the reverse proxy.
Hope this points to a relevant direction for you!
I’ve got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don’t have to “remember yet another password” or “carry around another thingie”. Personally I use a YubiKey anyway, but for others who aren’t into it “for fun” or for philosophical reasons reducing the friction as much as possible is paramount.
I’m so lucky I got my SO on board with using a password manager early on! However, the passwordless login (after figuring out how send a user to the enroll stage initially) makes it so smiple, don’t even need the federated Google login.