2FA in front of all webapps/modules possible?

Hi,

Would it be possible to have the following based on a 1 node cluster (VPS) with no additional firewall?

  1. Generic website accessible to public
  2. Access to all other apps/modules only through 2FA (Authenticator) by users with an account.

TIA

1 Like

Are you talking about implementing Authelia in front of web apps?

authelia/authelia: The Single Sign-On Multi-Factor portal for web apps (github.com)

2 Likes

Spot on!

Can I put it on the wish list?

cc: @mrmarkuz is this something that you might be interested in to develop for NS8? Just asking!

1 Like

It looks interesting, but OAuth and OpenID still seem beta/not ready, and they're needed for SSO to apps.
I’ll give it a try when I find time…

1 Like

Indeed, so please allow me to discuss a bit further.

I would classify SSO as a comfort feature, whilst a defence mechanism like 2FA in front of webapps is a security feature. Needless to say I would vote:

  1. Security
  2. Comfort

SSO would be a separate topic in light of Identity and Access Management, as opposed to ‘just’ authenticating against a built-in LDAP or AD account provider. IAM is not a simple matter of company size; the biggest breaches were/are caused by bad identity and access management. But that aside, @oneitonitram is doing a great job with Authentic, but there is much more ground to cover.

Anyway, in short, suppose ‘we’ focus on 2FA authentication to be able to access web access by URL or any other public/protocol access. Would that ‘simplify’ matters for the moment, for it would cover a great deal of any security and (public) access control?

Food for thought?

cc: @danb35 I would appreciate your thoughts on this/these

I think this analysis overlooks that many (all?) of the SSO systems provide 2FA, thus killing two birds with one stone. This, among other similar issues, is why I was pushing to have SSO included in the initial NS8 release–because coming back to change everything once it’s later added will be much more difficult.

Those were my sentiments as well. Should have been a Day One thing, and everyone would have appreciated it, both new and existing users…

Overall we'll do what we can with what's available. Hopefully one could be adopted or implemented at core in future.

Thanks, agree. However, my thought was not to have SSO per se (one-time login based on user/pass and 2FA) but a step earlier, where one needs to log in to be able to log in to the available webapps with a normal user/pass, and not SSO specifically; that would be my 2.0 thought.

Hence I like the suggestion of @oneitonitram very much which provides a sort of a server access portal.

There are actually two apps that provide this kind of access prevention: Authelia and another one I keep forgetting the name of, will update when I get it. They provide a means of putting apps behind authentication.

Dashy can actually also do this, even for existing NS8 apps. Let me test it, and possibly release Dashy for NS8, then maybe we can test if it can lock any app's access without authentication.

Traefik also, I think, has that function built in.

1 Like

So I came across this video: Do You Actually Need a Home Server? Setting up a Cloud Media Server! (youtube.com)

And it re-invigorated the idea of Authelia, automatically protecting all the apps behind Authelia authentication, whether those apps already have authentication of their own or not.

While watching and assessing the video and the potential implementation, I had a thorough look at the GitHub repo it pointed to, here: GitHub - notthebee/cloud-homeserver

And specifically this part, cloud-homeserver/compose/compose.yaml at main · notthebee/cloud-homeserver · GitHub, gave me an idea on solving a bit, on tackling some components on this topic: Defining Shared Folder Access Volume - Development - NethServer Community

@LayLow watch the video, screen through the Traefik routes defined for Authelia, and we could identify the rest on the internet.

Then, from among what's already offered within NS8 and how the Traefik routes have been defined, figure out the potential modifications for the various apps within NS8 and how to protect them behind an Authelia login page.

@LayLow go through this Introduction | defguard (gitbook.io)

I think it might potentially provide a way as well, but putting everything behind a firewall, and authenticating all users to the firewall via SSO, provided that's authenticated by the internal LDAP…
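The Traefik-plus-Authelia pattern discussed in this thread (a public site left open, every other app behind a 2FA portal) looks like the following in practice. This is an added example written for this thread; it is not code from NS8, from the notthebee repo or from the video. The hostnames under `example.com`, the service names `traefik`, `authelia`, `website` and `app`, the placeholder image and all `CHANGE_ME` secrets are assumptions, and the file-based user database stands in for the LDAP backend one would point at the NS8 account provider.

```yaml
# Added example (not from the thread, NS8, or the notthebee repo).
# Two YAML documents: a compose file carrying the Traefik routes, and the
# Authelia configuration that enforces the access policy.
# All hostnames, service names, images and secrets below are placeholders.
---
# file: compose.yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled services get a route
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  authelia:
    image: authelia/authelia:4.37.5
    volumes:
      - ./authelia:/config
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.example.com`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls=true
      # Forward-auth middleware: every request to a router that uses it is first
      # sent to Authelia; users without a valid session are redirected (rd=) to the portal.
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email

  # 1. Generic website: reachable by the public, no middleware attached.
  website:
    image: nginx:alpine
    labels:
      - traefik.enable=true
      - traefik.http.routers.website.rule=Host(`www.example.com`)
      - traefik.http.routers.website.entrypoints=websecure
      - traefik.http.routers.website.tls=true

  # 2. Any other app: same route pattern, plus the authelia middleware.
  #    The app keeps its own login if it has one; Authelia simply sits in front.
  app:
    image: ghcr.io/example/app:latest   # placeholder image
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls=true
      - traefik.http.routers.app.middlewares=authelia@docker
---
# file: authelia/configuration.yml
server:
  host: 0.0.0.0
  port: 9091
jwt_secret: CHANGE_ME_jwt_secret                  # placeholder
default_redirection_url: https://www.example.com
totp:
  issuer: example.com                             # label shown in the Authenticator app
authentication_backend:
  # File backend for the example; on NS8 this would be the ldap backend
  # pointed at the built-in account provider.
  file:
    path: /config/users_database.yml
access_control:
  default_policy: deny          # anything not matched by a rule is refused
  rules:
    - domain: www.example.com
      policy: bypass            # public site, even if someone attaches the middleware
    - domain: "*.example.com"
      policy: two_factor        # every other app: password + TOTP
session:
  domain: example.com           # cookie scope: one login covers all subdomains
  secret: CHANGE_ME_session_secret                # placeholder
storage:
  encryption_key: CHANGE_ME_storage_key           # placeholder
  local:
    path: /config/db.sqlite3
notifier:
  filesystem:
    filename: /config/notification.txt
```

Two points worth keeping in mind when mapping this onto the original question. First, `default_policy: deny` plus an explicit `two_factor` rule means a newly added app is refused until it is deliberately allowed, so forgetting a rule fails closed rather than open. Second, forward auth only covers HTTP routes that pass through Traefik: a service that publishes its own port on the VPS, or any non-HTTP protocol, is not touched by it, which is exactly the gap the "no additional firewall" constraint and the later mention of putting everything behind a firewall are about.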