this post was submitted on 20 Aug 2024
64 points (97.1% liked)

Selfhosted

60253 readers
445 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
64
What do you guys do about usernames / passwords for your local services? (lemmy.world)
submitted 2 years ago by AMillionMonkeys@lemmy.world to c/selfhosted@lemmy.world
82 comments fedilink hide all child comments
 

Basically every local service is accessed via a web interface, and every interface wants a username and password. Assuming none of these services are exposed to the internet, how much effort do you put into security here?
Personally, I didn't really think about it when I started. I make a half-assed effort at security where I don't use "admin" or anything obvious as the username, and I use a decent-but-not-industrial password - but I started reusing the u/p as the number of services I'm running grew. I have my browsers remember the u/ps.
Should one go farther than this? And if so, what's the threat model? Is there an easier way?

you are viewing a single comment's thread
view the rest of the comments
[–] BrianTheeBiscuiteer@lemmy.world 2 points 2 years ago (1 children)

Never tried Authelia or Authentik but I've heard good things about them. I'm sure one of them will integrate with a reverse proxy.

[–] TCB13@lemmy.world 3 points 2 years ago (1 children)

Those solutions are still way too complex and corporate to my likes. :(

[–] arcayne@lemmy.today 2 points 2 years ago (1 children)

I'd like to encourage you to take another look at Authentik, it sounds like their Proxy Provider is exactly what you're looking for: https://docs.goauthentik.io/docs/providers/proxy/

Authentik can certainly get complex, but only if you want/need it to. It is by far the most user-friendly IDP solution I've found, especially for what it offers. Their docs also have step-by-step guides for how to integrate a lot of popular self-hosted apps.

Only takes a couple mins to spin up a test environment using their Docker compose file: https://docs.goauthentik.io/docs/installation/docker-compose

[–] TCB13@lemmy.world 2 points 2 years ago (1 children)

Thanks, I’ll have another look.

[–] arcayne@lemmy.today 2 points 2 years ago (1 children)

For sure! If you do end up taking it for a spin, feel free to ping me with any questions.

[–] TCB13@lemmy.world 1 points 2 years ago

Too much pieces that can potentially break. I've been looking at http://nginx.org/en/docs/http/ngx_http_auth_request_module.html and there's this https://github.com/kendokan/phpAuthRequest that is way more self contained and simple to maintain long term. The only issue I'm facing with that solution is that I'm yet capable of passing a token / username in a header to the final application.