

Authentik - https://goauthentik.io/ - easy to use, flexible and versatile identity provider and single-sign-on server
Secure an app without native auth using Authentik without a domain name...
Is it possible with Authentik to secure an app on a local network without using a domain name? In other words, using the app's existing IP address and port only.
I have OliveTin set up to run scripts locally on my media server, makes managing things much easier. OliveTin does not have native authentication. I run a Pi-hole instance on the same network. I CAN set this up with a domain by setting up a local DNS CNAME entry in Pi-hole, and this works to secure the app when it's behind a domain name with Authentik (i.e. olivetin.local). The issue is that the application is still accessible via direct IP and I don't want family members able to run scripts as root on my media server. Is this possible? If not, how can I lock down the app's IP address so it's only available if accessed via domain name (would like to avoid messy firewall rules if possible)?
I'm also using NPM (Nginx Proxy Manager).
I've followed several guides and tried a ton of options but if this is possible I'm obviously missing something. It just keeps directing to the app without hitting Authentik when I try to intercept by IP address and port.
The application is not available to the public.
I also have a Synology NAS with a Let's Encrypt wildcard cert available if it would help to achieve this. And I've figured out how to use the Synology's built-in reverse proxy and Authentik without NPM for other apps (only mentioning in case this is the way).
Any ideas?
Why not set up nginx on the same machine, make a reverse proxy to your OliveTin, making it listen only on localhost? (I'm not sure if you could directly restrict OliveTin to only listen on the Authentik server IP; then you wouldn't even need nginx.)
In Authentik just set up an app that uses a proxy provider. Either you use proxy mode or single application mode if you have nginx in front and want to do some "custom things" (I made it so that my Calibre-Web logout route goes through nginx so that I could overwrite the Location header to point to Authentik, for example).
You should be able to access it using the domain name only.
That should fix your issue if you just wanted to be able to access OliveTin only through Authentik.
Using only the IP address is not possible, I think, because Authentik probably uses the hostname to determine the provider. The only way would be to set the Host header, but I mean your browser doesn't do that on its own if you specifically point it to an IP address.
I have it working fine by hostname but I'm not sure I understand your first statement. I do apologize, but I'm a bit of a newb with networking and authentication. What do you mean by "listen only on localhost" in Nginx Proxy Manager? How do I set that up?
OliveTin, Authentik, and NPM are all on the same machine. Call it "server1". Authentik and NPM are Docker containers. OliveTin runs as a native service with root privileges on the host machine for permission and access reasons.
In Pi-hole I have a local DNS A record entry: "server1" which points to the machine's reserved internal IP (192.168.x.y)
In Pi-hole I have a CNAME entry: "olivetin.server1" subdomain which points to the hostname "server1"
In NPM I have a reverse proxy entry: "olivetin.server1" pointing to the IP of Authentik (192.168.x.y:9000) - OliveTin also requires WebSocket, so that is enabled in NPM
In Authentik I have an application with a reverse proxy provider: "olivetin.server1" pointing to OliveTin's IP 192.168.x.y:1337
In Authentik I'm using the default embedded outpost
This all works fine for accessing OliveTin through Authentik by hostname "olivetin.server1" - I'm stuck on the locking down the IP address part... OR... using strictly the IP address only with Authentik (seems it's not possible, which is fine if I can figure out how to lock down the IP address).
I really appreciate any feedback or help as I have other services that don't have native authentication that I would also like to lock down.
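The "listen only on localhost" suggestion in the reply can be verified on the host by looking at which address each listening socket is bound to. The script below is an added example, not part of the thread or of any of the projects mentioned: it parses `ss -Hltn` output and reports whether a port (1337, OliveTin's port in the setup described above) is bound beyond loopback. The sample output and the 192.168.0.10 address are constructed.

```python
import ipaddress

# Constructed sample of `ss -Hltn` output; columns are
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:1337 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 511 [::1]:1337 [::]:*
LISTEN 0 128 192.168.0.10:22 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
"""

def split_local(field):
    """Split ss's Local Address:Port field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def exposure(addr):
    """Classify a bind address: 'loopback', 'all-interfaces' or 'lan'."""
    if addr == "*":  # ss prints * for a dual-stack wildcard bind
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "lan"

def audit(ss_output, port):
    """Return [(address, exposure)] for every TCP listener on `port`."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, p = split_local(cols[3])
        if p == port:
            found.append((addr, exposure(addr)))
    return found

def reachable_off_host(ss_output, port):
    """True if any listener on `port` is bound beyond loopback."""
    return any(kind != "loopback" for _, kind in audit(ss_output, port))

if __name__ == "__main__":
    import subprocess, sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1337
    live = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout
    print(audit(live, port))
    sys.exit(1 if reachable_off_host(live, port) else 0)
```

A non-zero exit means the port is still bound to a LAN or wildcard address, which is the condition where direct IP access skips Authentik. Since Authentik runs in Docker in this setup, a loopback-only bind on the host is reachable from the container only if the container shares the host's network namespace, which is an assumption about the deployment and not something the thread states.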