Secure an app without native auth using Authentik without a domain name...
Why not set up nginx on the same machine, make a reverse proxy to your OliveTin, making it listen only on localhost (I'm not sure if you could directly restrict OliveTin to only listen on the Authentik server IP; then you wouldn't even need nginx).
In Authentik just set up an app that uses a proxy provider. Either you use proxy mode or single application mode if you have nginx in front and want to do some "custom things" (I made it so that my Calibre-Web logout route goes through nginx so that I could overwrite the Location header to point to Authentik, for example).
You should be able to access it using the domain name only.
That should fix your issue if you just wanted to be able to access OliveTin only through Authentik.
Only using the IP address is not possible, I think, because Authentik probably uses the hostname to determine the provider. The only way would be to set the Host header, but I mean your browser doesn't do that on its own if you specifically point it to an IP address.
I have it working fine by hostname but I'm not sure I understand your first statement. I do apologize, but I'm a bit of a newb with networking and authentication. What do you mean by "listen only on localhost" in Nginx Proxy Manager? How do I set that up?
OliveTin, Authentik, and NPM are all on the same machine. Call it "server1". Authentik and NPM are Docker containers. OliveTin runs as a native service with root privileges on the host machine for permission and access reasons.
In Pi-hole I have a local DNS A record entry: "server1" which points to the machine's reserved internal IP (192.168.x.y)
In Pi-hole I have a CNAME entry: "olivetin.server1" subdomain which points to the hostname "server1"
In NPM I have a reverse proxy entry: "olivetin.server1" pointing to the IP of Authentik (192.168.x.y:9000) - OliveTin also requires WebSocket, so that is enabled in NPM
In Authentik I have an application with a reverse proxy provider: "olivetin.server1" pointing to OliveTin's IP 192.168.x.y:1337
In Authentik I'm using the default embedded outpost
This all works fine for accessing OliveTin through Authentik by hostname "olivetin.server1" - I'm stuck on the "locking down the IP address" part... OR... using strictly the IP address only with Authentik (seems it's not possible, which is fine if I can figure out how to lock down the IP address).
I really appreciate any feedback or help as I have other services that don't have native authentication that I would also like to lock down.
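The "listen only on localhost" question above comes down to one fact: the backend must not be reachable on the LAN IP at all, only via 127.0.0.1, so the only path in is through NPM and Authentik. This added shell check (not from the thread or either project) classifies what `ss -ltn` reports for a given port; the sample `ss` output is constructed, using OliveTin's port 1337 and Authentik's 9000 from the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Classify how a listening port is bound,
# given the text of `ss -ltn`: "loopback-only", "exposed" or "not-listening".
# Exit code: 0 loopback-only, 1 exposed, 2 not-listening.
listener_exposure() {
  ss_output=$1
  port=$2
  printf '%s\n' "$ss_output" | awk -v port="$port" '
    NR > 1 {
      # Column 4 is "Local Address:Port", e.g. 0.0.0.0:1337, 127.0.0.1:9000, [::]:1337, *:1337
      addr = $4
      p = addr; sub(/.*:/, "", p)           # everything after the last colon is the port
      if (p != port) next
      host = addr; sub(/:[0-9]+$/, "", host) # strip ":port" to get the bind address
      found = 1
      # Anything other than the IPv4/IPv6 loopback address is reachable from the LAN
      if (host != "127.0.0.1" && host != "[::1]") exposed = 1
    }
    END {
      if (!found)  { print "not-listening"; exit 2 }
      if (exposed) { print "exposed";       exit 1 }
      print "loopback-only"; exit 0
    }'
}

# Constructed sample of `ss -ltn` output: OliveTin (1337) bound to all interfaces
# (the insecure state), Authentik (9000) bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:1337        0.0.0.0:*
LISTEN 0      4096   [::]:1337           [::]:*
LISTEN 0      4096   127.0.0.1:9000      0.0.0.0:*'

# Run it against the sample; on a real host use: listener_exposure "$(ss -ltn)" 1337
for port in 1337 9000 2222; do
  printf 'port %s: %s\n' "$port" "$(listener_exposure "$SAMPLE_SS" "$port" || true)"
done
```

If the check reports "exposed", bind the service to 127.0.0.1 in its own configuration (or restrict the port to loopback with the host firewall), then point the NPM proxy host at 127.0.0.1 rather than the LAN IP and re-run the check.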