this post was submitted on 16 May 2024
24 points (90.0% liked)

Selfhosted

40006 readers
781 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I thought I was going to use Authentik for this purpose but it just seems to redirect to an otherwise Internet accessible page. I'm looking for a way to remotely access my home network at a site like remote.mywebsite.com. I have Nginx proxy forwarding with SSL working appropriately, so I need an internal service that receives the traffic, logs me in, and passes me to services I don't want to expose to the Internet.

My issue with Authentik is if I need to access questionable internal websites I have to make an Internet accessible subdomain. I don't want authentik.mywebsite.com to redirect to totallyillegal.mywebsite.com. I want it to redirect to 10.1.1.30:8787.

Is there anything that does that?

all 21 comments
sorted by: hot top controversial new old
[–] [email protected] 20 points 5 months ago

Why not run a wire guard server? If you need to access internal things connect to your wire guard server.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
SSO Single Sign-On
VPN Virtual Private Network
nginx Popular HTTP server

[Thread #751 for this sub, first seen 16th May 2024, 06:35] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 5 points 5 months ago (3 children)

You need a wildcard cert for ypur subdoman:

*.legal.example.com

Then point that record to 127.0.0.0. This will not resolve for anyone. But you'll have an internal dns enty (useig pihole/adguard/unbound) that redirects to your reverse proxy.

You could also point to your revers proxy internal address instead of 127.0.0.0.

This video could help you: https://www.youtube.com/watch?v=qlcVx-k-02E

[–] [email protected] 3 points 5 months ago (1 children)

This is the way. This is the video I followed.

https://www.youtube.com/watch?v=liV3c9m_OX8

I use traefik as reverse proxy. I have externally accessible domains for and then extra secure internal only domains that require wireguard connection first as an extra layer of security.

Authentik can be used as a forward auth proxy and doesn't care if it's an internal or external domain.

Apps that don't have good login or user management just get Authentik proxy for single sign on (sonarr, radar etc).

Apps that have oAuth integration get that for single sign on (seafile, immich, etc)

To make it work the video will talk about adding both the internal and external domains to the local DNS so that if you access it from outside it works and if you access from wireguard or inside the lan it also works.

[–] [email protected] 1 points 5 months ago

Here is an alternative Piped link(s):

https://www.piped.video/watch?v=liV3c9m_OX8

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 2 points 5 months ago (1 children)

The only catch is that some ISP or workplaces filler public DNS entries that point to private IPs because they can be indications of certain attacks.

[–] [email protected] 1 points 5 months ago (1 children)

But does this matter if you just want this to be locally accessible and you're running your own dns?

[–] [email protected] 1 points 5 months ago

If it's resolved only on a private DNS server then it's ok.

[–] [email protected] 1 points 5 months ago

Here is an alternative Piped link(s):

https://www.piped.video/watch?v=qlcVx-k-02E

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 5 points 5 months ago

Does the nginx proxy server not support authentication?

[–] [email protected] 3 points 5 months ago (1 children)

Cloudflare tunnel is an option, you can even scrap your own nginx

[–] [email protected] 3 points 5 months ago

You can try setting up a VPN, eg headscale/tailscale with your home server being an exit node, and then just set up your questionable services on a domain that only resolves locally - and then you don't need to use authentik for authorisation to those services.

This is what I have been trying recently, and seems to work well.

[–] [email protected] 2 points 5 months ago
[–] [email protected] 1 points 5 months ago

I use Cloudflare WARP

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

I just set up a Vouch-Proxy for this yesterday. It uses the nginx auth_request directive to authenticate users with an SSO server, and then stores the token in a domain-wide cookie, so you're logged in across all subdomains. Works pretty well so far, you don't even notice it when you're logged in to your SSO provider.

But you do have to tell the proxy where you want to redirect a request somehow, either by subdomain (illegal.yourdomain.com) or port (yourdomain.com:8787) or path (yourdomain.com/illegal). I'm not sure if it works with raw IPs as hosts, but you can add additional restrictions like only allowing local client IPs.

In my special case I'm using the local Synology SSO server, and I have to spin up an additional nginx server because the built-in one doesn't support auth_request.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

The exact setup can be achieved by tailscale, a not really known feature is you can point your domain to the, tailscale IP (new ip assigned by tailscale), and it will act just like a normal hosting setup.

Advantage, any device or someone who you do not pre approve can't see anything if they go to the domain and subdomain. They only work if you are connected and authenticated to tailscale network. I have a similar setup, if you need more pointers please ping me.

[–] [email protected] 0 points 5 months ago (1 children)

I ended up going with tailscale. Every other option exposed my secret services to the Internet, even if behind a password. Tailscale was ridiculously easy to set up too. The docker compose I used had Heimdall in it too so I was able put all my links on there. Procedure is connect with tailscale app -> go to http://illegalshit -> click/tap on relevant link. I might pull back on my Nginx proxy targets and port forwards for this more secure system.

What happens if tailscale goes down though?

[–] [email protected] 1 points 5 months ago

I actually use Nginx. The major advantage is if you have to access something directly. For example a client app in your device wants to access a service you host. In that case Heimdall won't be enough. You can still use ip with port, but I prefer subdomains. I use Nginx Proxy Manager to manage everything.

Regarding the network going down, the proprietary part of the tailscale is the coordination server. There is an open source implementation of the same, called headscale. If you are okay with managing your own thing, this is an alternative. Obviously the convenience will be affected.

Apart from that, if you haven't already read this blog post on How tailscale works? I highly recommend reading this. It gives a really good introduction to the infrastructure. Summary is your connections are P2P, using wireguard. I don't think tailscale will have a failure scenario that easily.

I hope this helps.

[–] [email protected] 1 points 5 months ago

it just seems to redirect to an otherwise Internet accessible page.

I'm using authelia with caddy but I'm guessing it could be similar, you need to configure the reverse proxy to expect the token the authentication service adds to each request and redirect to sign in if not. This way all requests to the site are protected (of course you'll need to be aware of APIs or similar non-ui requests)

I have to make an Internet accessible subdomain.

That's true, but you don't have to expose the actual services you're running. An easy solution would be to name it other thing, specially if the people using it trust you.
Another would be to create a wildcard certificate, this way only you and those you share your site with will know the actual sub domain being used.

My advice is from my personal setup, but still all internal being able to remotely access it via tailscale, so do you really need to make your site public to the internet?
Only if you need to share it with multiple people is worth having it public, for just you or a few people is not worth the hassle.