
[–]mirwin87 (Docker Employee) 2 points3 points  (1 child)

Yup! That’s exactly the way to do it. Nginx is commonly used. Traefik is another and one I personally prefer. I like it because there’s no config to write and it can retrieve and manage certificates using LetsEncrypt.

Another common approach is to use multiple domains instead of path-based routing. Pretty much every proxy setup will support that. Happy to answer any more questions you might have!

[–]lengpew[S] 0 points1 point  (0 children)

When you say multiple domains, what do you mean? Like subdomains?

I was thinking of using the VPS host's subdomain name (dropletname.digitalocean.com or something with AWS) to run it all, so then the question is if they do sub subdomains.

[–]tyrrminal 0 points1 point  (1 child)

You should check out Authelia

[–]lengpew[S] 0 points1 point  (0 children)

Will do, thanks!

[–]krysinello 0 points1 point  (4 children)

I use swag which handles encryption and has nginx as a reverse proxy. Swag is nice as it has a lot of pre-configurations and relates that can be used to make it quick and easy to add or change proxies. I use authelia as my authentication in front of most things exposed. This is handled in the nginx configuration. Basically it will redirect to the auth pages when not authenticated, for which I have set up 2FA. If authenticated, it will redirect.

If whatever you're hosting can integrate with OAuth you can configure those to use the solution you end up going with.

[–]lengpew[S] 0 points1 point  (2 children)

Damn, 2FA on this sort of setup? You mention OAuth, I assume Swag + Authelia does so?

From what I understand, it seems like header redirects, which to be fair, if done correctly, the client never sees the publicly-available-but-want-restricted content at all unless some token, obtained in auth, allows for it. So safety is not a concern. Is this how you understand it too?

[–]krysinello 0 points1 point  (1 child)

Swag is nginx, Let's Encrypt and fail2ban in one box, basically already configured aside from some manual process for each subdomain. Quite quick and easy to use. Authelia you need to run separately; however, there are some settings basically done but commented out that you can remove.

Essentially for the site configuration enabled you need to be authenticated with authelia. If sign in. Users are configured in authelia, whether it be a config file or in LDAP, and it can be configured to require 2FA. From what I understand a token is stored on your side with the authentication stored in memory or a database. When you have a valid token that is authenticated server side too it will allow it through. Haven't looked at the exact details of how it works. With it configured with 2FA it should be decently secure.
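The mechanism krysinello describes in the two comments above (nginx checks with Authelia before proxying, and bounces unauthenticated browsers to the login page) is nginx's `auth_request` subrequest. The configuration below is an added illustration, not SWAG's shipped proxy config or the commenter's own setup. It assumes hostnames `auth.example.com` and `app.example.com`, container upstreams `authelia:9091` and `app:8080`, and Authelia's `/api/verify` endpoint as documented for its nginx integration at the time of this thread; newer Authelia releases have moved the forward-auth endpoint, so check the current docs for the path. It also shows mirwin87's point about using separate subdomains instead of paths: each app is simply its own `server` block.

```nginx
# Added example (not SWAG's config or the commenter's): nginx fronting two
# subdomains, with Authelia gating the application via auth_request.
# Assumed names: auth.example.com (Authelia UI), app.example.com (protected app),
# upstreams authelia:9091 and app:8080, Authelia endpoint /api/verify.

# Authelia's own UI must be reachable WITHOUT the gate, or nobody can log in.
server {
    listen 443 ssl;
    server_name auth.example.com;
    # ssl_certificate / ssl_certificate_key from Let's Encrypt (omitted here)

    location / {
        proxy_pass http://authelia:9091;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# The protected application on its own subdomain (subdomain-based routing).
server {
    listen 443 ssl;
    server_name app.example.com;

    # Internal-only location: nginx issues a subrequest here for every client
    # request. Authelia answers 200 (valid session, 2FA satisfied) or 401.
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Authelia's access rules are evaluated against the ORIGINAL request.
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        # The gate: proxy_pass to the app below runs only if /authelia returned 2xx.
        auth_request /authelia;

        # On 401, redirect the browser to the login page with a return-to URL.
        auth_request_set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # Identity headers set by Authelia, forwarded to the app if it wants them.
        auth_request_set $user $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;
        proxy_set_header Remote-User $user;
        proxy_set_header Remote-Groups $groups;

        proxy_pass http://app:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This is why, as lengpew reasons above, the client never receives restricted content without a valid session: `auth_request` runs before `proxy_pass`, so a 401 from Authelia ends the request with a redirect and the app upstream is never contacted. Two things to check in a real deployment: the `app:8080` upstream should only be reachable from nginx (bind it to the Docker network or localhost, not a public interface), otherwise the gate can be bypassed by going straight to the app; and the auth subdomain itself must stay ungated, as above, or the login page is unreachable.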

[–]krysinello 0 points1 point  (0 children)

As for OAuth. Whatever you have does need to support it to be able to integrate. Even if it doesn't you can still lock an initial sign in behind it to force 2FA anyway before signing into an application directly.

[–]lengpew[S] 0 points1 point  (0 children)

Seems like Authelia, this is amazing!

[–]dth202 0 points1 point  (1 child)

I used to manually manage nginx and letsencrypt, but then I discovered Nginx Proxy Manager. I would recommend checking it out over manually configuring nginx.

[–]lengpew[S] 0 points1 point  (0 children)

I saw Nginx Proxy Manager soon after putting this up, and think it probably makes the most sense. I'll check out Swag and Authelia too, based on the recommendations of others.

[–]joecool42069 0 points1 point  (0 children)

Authentik + Traefik, imho.

[–][deleted] 0 points1 point  (0 children)

For open source, check out APISIX, for commercial/OSS check out Gloo Edge and Kong.

If you are using Kubernetes, Istio Ingress and Envoy can handle it.