Comment on Looking for a reverse proxy to put any service behind a login for external access.

namelivia@lemmy.world ⁨7⁩ ⁨months⁩ ago

• node815@lemmy.world ⁨7⁩ ⁨months⁩ ago

  With that, I use Pomerium for apps which accept a HTTP Headers, for example, my Fresh Tomato firmware flashed router, it has a HTTP dialog. This allows me to login from the road if I need to manage something like rebooting it or updating firewall rules etc.

  My access flow is this :

  router.example.com —> Cloudflare Tunnel —> Pomerium IP —>Authentik —> Router’s Gui.

  It works flawlessly. I don’t often use it, but when I do, it helps. I also had it enabled for AdguardHome but moved to Technitium DNS which I prefer and that doesn’t have the HTTP Headers so it’s not fully compatible with Pomerium that I’m aware of.

  source

  • namelivia@lemmy.world ⁨7⁩ ⁨months⁩ ago

    What does Authentik do in combination with pomerium? I don’t have it

    source

    • node815@lemmy.world ⁨7⁩ ⁨months⁩ ago

      Authentik is my IDP provider so I put it in front of all my publicly facing Apps which support OIDC login. For example, I can log into my Portainer instance from an external network, but to do so, I log into Authentik First which sends it to my service.

      For the apps which support HTTP headers, like I said, Pomerium acts as the service which passes my credentials to the device. I admit - Authentik does this also without the need for Pomerium, (through their flow settings) but I found Pomerium to be much easier to set up for this than Authentik and haven’t looked back or felt the need to change it.

      source

      • namelivia@lemmy.world ⁨7⁩ ⁨months⁩ ago

        Ah I see! Thanks for the explanation, I have pomerium in front of everything using Google as IDP. Then if the app supports header authentication (like grafana) I get automatically logged in, and for those that don’t I have to log in again (a bit inconvenient) I event went as far as forking one and implementing header authentication myself.

        source