Open ka2er opened 1 year ago
This would be extremely useful for public-facing status-page. Right now, there is no difference from a status-page and the dashboard authentication wise. You can authenticate on the public facing status pages, and if we set a domain name, you can even access the dashboard from that domain, which would be unwanted for security reasons. I think being able to whitelist known, read-only apis and safe client side assets would be very useful for running uptime-kuma behind a reverse proxy and adding extra authentication or security in front of the admin side while leaving the status-pages public.
+1 to this issue.
If it's helpful, I was able to find a useful way to secure this somewhat: The dashboard requires Websockets to function, while the status pages do not. You can limit access on status pages by having a separate reverse proxy configuration for them with websockets disabled. I also configured NGINX to prohibit anything but "GET" on the API endpoints for status pages.
Related #2505
⚠️ Please verify that this feature request has NOT been suggested before.
🏷️ Feature Request Type
Other
🔖 Feature description
When I expose uptime-kuma via cloudflare tunnel access I could put an auth wall in front of uptime kuma. What I try to achieve is to have admin part (all except status page /status/) behind cloudflare auth (ok), but put status page behind cloudflare WITHOUT* auth (policy = bypass for /status path).
The problem is that /status page rely on ressources that are on root path like :
✔️ Solution
put all resources that could be public exposed without security concerns under a public subfolder like /public in order to easy reverse proxying.
❓ Alternatives
adding all sub ressources to a new cloudflare tunnel application but I'm concern about :
📝 Additional Context
No response