search

Arksine / moonraker

Web API Server for Klipper
https://moonraker.readthedocs.io
GNU General Public License v3.0
1.07k stars 410 forks source link

Add Basic Auth possibility #553

Open Disinterpreter opened 1 year ago

Disinterpreter commented 1 year ago

Is your feature request related to a problem? Please describe

[web.py:log_exception()] - 401 GET /websocket (46.226.165.173): Basic Auth is not supported

Describe the solution you'd like

Add possibility to work with Basic Auth

Describe alternatives you've considered

-

Additional information

I just wanted to proxy my Mainsail to the internet, but with local Basic Auth (for security), but moonraker told me that it is impossible.

Thanks! Hope you get me.

EricZimmerman commented 1 year ago

Related to this I would love to see the ability to set up an nginx reverse proxy which would solve this problem and open up a ton more flexibility.

Most apps require a urlprefix of some kind for things to work right. I literally spent hours trying to get nginx working with rewrites and other things on mainsail, so then again, maybe this belongs there?

Example apps for reference include sonarr and radar. I can track down some more examples if needed but having it be some to put mailsail behind nginx allows for pretty much anything (ssl, different auth, etc)

Arksine commented 1 year ago

Moonraker supports more robust authentication using JSON Web Tokens, however your front end needs to support it. Fluidd does, I do not believe that Mainsail does. Basic Auth is something that will not be supported in Moonraker itself, however as mentioned it should be possible to implement it using a reverse proxy.

Mainsail OS and FluiddPi both include an nginx configuration that handles the necessary rewrites. I'm sure there is documentation available on getting Basic Auth configured for nginx.

EricZimmerman commented 1 year ago

Ah this is news to me. If you mean this tho:

https://docs.mainsail.xyz/setup/manual-setup/mainsail

That is not what I am speaking of.

I would like to be able to have another instance of nginx feed the web site being fed by the above configuration of website on the pi to the internet at large.

I have a bunch of different internal services that I use a single external facing nginx proxy with authentication and I have not been able to make it work with mailsail.

I will experiment however with the settings in that file above and see if I can't basically replicate nginx settings on the pi with my external facing instance

Arksine commented 1 year ago

The configuration should be similar, just a difference in the address the proxy is listening on. There may be additional changes required for an advanced configuration rewriting multiple services on the same proxy.

One thing I would add more general to the topic...Basic Auth is fine for protecting local instances from children, siblings, roommates, etc. It isnt sufficient for protecting an instance exposed to the WAN. This is the primary reason why Moonraker doesn't have native support. Its better than nothing, but that isn't saying much.

EricZimmerman commented 1 year ago

its not that simple of a difference.

https://github.com/mainsail-crew/mainsail/issues/1163

i will see what they can come up with, if anything.

thanks for the info

Disinterpreter commented 1 year ago

It isnt sufficient for protecting an instance exposed to the WAN.

Sorry, but I disagree. Basic Auth with fail2ban and same options, can work pretty well. It is great that you have your opinion, and it can be true, but please, don't decide for people.

Arksine commented 1 year ago

Indeed, it is my opinion. If you believe that Basic Auth is sufficient for your needs then it is certainly your decision to use it.