Open strongy opened 5 years ago
I would like to see this too!
OAuth would be nice to see, I don't really trust the login forms of applications like Sonarr or Radarr that much but OAuth would be okay in my book.
What services do you want to OAuth with though?
On the topic of login security, passwords are stored in an encrypted state against the database and login tokens are not stored in cookies, they are stored in localstorage. The login token is in JWT format and can be revoked for all users by removing the generated encryption keys in your config file.
One of the biggest reasons I would like OAuth is 2FA. My Google account is secured not only with a complex password but a YubiKey as well. It would be nice to be able to place access to any host behind that to ensure that I am the only one able to access them. I'm not saying the included Access Lists are bad, but if someone were to get access to a password, they'd have access until I realize and am able to revoke it.
+1 for client cert auth please
I would also like to see 2FA and client certificate auth.
It's definitely needed for me too +1
Is there a way to use the auth_request Nginx module, so a service like Vouch could be used?
If I understood correctly, this would require auth_request /validate; to be set in the 'server' block. The other required config could be entered in the Custom Nginx Configuration in the Advanced tab using the NPM GUI.
I too would love an easy way to add Google 2FA auth in front.
Certificate authentication would be amazing, but with the project's mentality of keeping the barrier for entry low, you could automate the generation of the CA certificate (so this is hidden from the user), and just tie the user certificates to the ACLs somehow, resulting in simple SSO provided by certs, no third-party auth providers, all integrated.
+1 for client cert auth please
I needed this functionality (it makes it easy and more secure to expose internal services when they're behind a cert auth mechanism), so I created a proxy manager like nginx proxy manager however with caddy instead. Sharing how I went about this for info sharing purposes because I think it would be useful to do a similar approach in nginx proxy manager. I'd personally prefer to use Nginx Proxy Manager if there was cert auth in it.
Certificate Auth Providers (essentially a certificate authority) can be set up from within the proxy manager. You can download the root CA public cert from the proxy manager, and you can generate client certificates (that go on the devices) from the same page.
You can generate as many Root CAs as you want so that you can have different proxy hosts require different certificates.
When creating the proxy host itself, under the auth page you select the Root CA you want to authenticate users against.
I tinkered around for a bit and figured out how to add certificate authentication. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advanced >> Custom Nginx Configuration section. However, you can put include. I wanted to authenticate with my smart card, so I added two read-only binds to the docker-compose stack:
- /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
- /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro
Inside the custom nginx configuration section I added include conf.d/include/cac_auth.conf;
You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.
ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
    return 403;
}
Hope this helps someone!
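An added example, not part of the post above or of Nginx Proxy Manager: the `if` test in cac_auth.conf is an unanchored regex, so it accepts any verified subject DN that merely contains CN=YOURCERTCOMMONNAMEHERE. The Python model below puts that test next to an exact CN comparison, assuming the comma-separated RFC 2253-style string nginx exposes in $ssl_client_s_dn; the function names and sample DNs are constructed for illustration.

```python
import re

ALLOWED_CN = "YOURCERTCOMMONNAMEHERE"  # placeholder CN from the cac_auth.conf above

def substring_check(dn, cn=ALLOWED_CN):
    """Accept decision of the unanchored test: $ssl_client_s_dn ~ "CN=<cn>"."""
    return re.search("CN=" + re.escape(cn), dn) is not None

def parse_dn(dn):
    """Split a comma-separated DN into (TYPE, value) pairs, honouring backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] in ",+":                # RDN separator / multi-valued RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        # Unescape specials such as "\,"; hex pairs ("\C3") are left as written.
        pairs.append((key.strip().upper(), re.sub(r"\\([^0-9A-Fa-f])", r"\1", value)))
    return pairs

def strict_check(dn, cn=ALLOWED_CN):
    """Accept only if the DN has exactly one CN attribute and it equals cn."""
    try:
        cns = [v for k, v in parse_dn(dn) if k == "CN"]
    except ValueError:
        return False
    return cns == [cn]

# Constructed sample subjects (not real certificates).
SAMPLES = [
    "CN=YOURCERTCOMMONNAMEHERE,OU=Example,O=Example Org,C=US",
    "CN=YOURCERTCOMMONNAMEHERE.OTHER,OU=Example,O=Example Org,C=US",
    "CN=SOMEONE ELSE,O=Example\\,CN=YOURCERTCOMMONNAMEHERE,C=US",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(substring_check(dn), strict_check(dn), dn)
```

Only the first sample passes both checks; the other two pass the substring test but fail the exact comparison, which is the gap to close when the trusted CA bundle issues certificates to many subjects.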
How about integrating with keycloak? That would be super-awesome!
On top of #2630 @wrouesnel has done the work for client certificate auth in #2956
So there are active PRs in for this feature ask - would be great to see if we can get some commitment to pull both of those :)
Issue is now considered stale. If you want to keep it open, please comment :+1:
So what’s happening?
I would also like this feature
Please add your support to @wrouesnel's PR here. Have a current build working for testing: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956
Yes, please add your support to @wrouesnel's PR. He did most of the work and we've been waiting since May 28th. We all know it requires some verification, but it would be a great feature.
I was wondering if it's possible to use OAuth or Client Certificate for authentication, like the OAuth Proxy docker is doing, except with your nice GUI.