Replies: 1 comment 1 reply
-
A simple alternative for the presented use case that comes to mind is allowing access only from your internal network and letting people VPN into it. Previously this required some networking know-how but nowadays with stuff like Tailscale this is extremely trivial to set up. |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
To quickly provide a summary: As of today seemingly Wiki.js does not support HTTP Basic Auth due to the GraphQL stuff, which seemingly overwrites the Auth header, thus breaking HTTP Basic Auth, according to my high-level understanding after reading the issue #1095.
HTTP Basic Auth is outdated and insecure - why the hack would you want to use it?
Most people use HTTP Basic Auth to
So we want to hide the web app from malicious actors and showing it to our user base. We don't want a lot of configuration for that. Lets see what possible other solutions we hypothetically have.
Possible solutions
IP Whitelisting?
@NGPixel Offered IP whitelisting as possible solution, highlighting the fact that if the edge handles it correctly it would be more secure and reliable than HTTP Basic Auth, which is generally speaking true, with some exceptions.
What are the drawbacks of IP whitelisting looking from the use-case's perspective?
nginx's HTTP Basic Auth
Speaking about nginx configurations there is the Oauth Access tokens validation build in (Q1) but this requires some Authentication Provider (and Manager/Server) on top of it. A lot more work compared to nginx's HTTP Basic Auth (Q2)
For the reverse proxy stuff just an Authorization header needs to be forwarded, which is another line (or two).
nginx's HTTP Digest Authentication
The other option would be using nginx's HTTP Digest Authentication (Q3) which lacks official and reverse proxy support (Q4) and is still using the Authorization header, yet alone it needs further installation (probably even building of the module) and having multiple configuration lines:
nginx's OIDC / OpenID approach
Further nginx offers a OIDC/OpenID approach using the NGINX Management Suite which seemingly requires a lot more work (and nginx+ ?) but is e.g. Keycloak compatible and allows SSO (Q5). It requires a lot more work, as the Auth Providers Endpoint Urls and the following settings must be configured. Not sure how good it works with reverse proxies to dockered containers 🤷
Nginx's Subrequest Result Authentication
There's also nginx's subrequest result authentication (Q6). Less work but will require an auth endpoint, though this could be implemented using wiki js auth stuff.
Nginx's JWT Authentication
Nginx's JWT Authentication (Q7) seemingly only works in Nginx+ and doesn't offer a nice popup saying "enter your creds". However, it can be connected to an OpenID / Auth Provider like Keycloak, Authentik etc.
There's also the option to by default have more or less secured tokens and to use nested tokens, next to do validation.
Conclusion
My examples clearly show that HTTP Basic Auth is the best (fastest + reliable) solution for this use-case. It is fast to implement and it solves the task (partially granting access and blocking "unknown" access). There might be something faster / better but I am not aware of anything like that at this time.
Sources
Q1: https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/
Q2: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
Q3: https://www.nginx.com/resources/wiki/modules/auth_digest/
Q4: https://forum.nginx.org/read.php?2,290359,290365#msg-290365
Q5: https://docs.nginx.com/nginx-management-suite/admin-guides/authentication/oidc/oidc-keycloak/
Q6: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
Q7: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/
Telling people who are well-meaning to switch to another project just because they bring up a very common, legit use-case looks really odd. No matter how well expressed the reasons for rejecting that need are. Instead we all should try to think about possible solutions for this use-case (the problem). Maybe there will be a quick fix that brings both worlds and interests together.
Cheers
Beta Was this translation helpful? Give feedback.
All reactions