this post was submitted on 12 Oct 2023
0 points (50.0% liked)

Self-Hosted Main

511 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

Has anyone tried to configure authelia or authentik with a local nfty server, do you know any way to protect the web interface?

top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 year ago (1 children)

if you're using swag, you can just add to the ntfy container label, swag=enable if swag has auto-proxy enabled.

[–] [email protected] 1 points 1 year ago (2 children)

I don't know what swag is, I currently use authelia with nginx proxy manager and it is impossible to use it with a local ntfy server, I have tried a thousand ways and ntfy https://ntfy.sh/ is not viable without a dashbord web interface protected by a user and pass

[–] [email protected] 1 points 1 year ago (1 children)

And how do you want to send alerts with authelia in front?

Btw are you aware of authentication within ntfy? https://reddit.com/r/selfhosted/s/1IoWDROCD5

[–] [email protected] 1 points 1 year ago (2 children)

So I ask is there any way to password protect the ntfy dashboard on the server?

[–] [email protected] 1 points 1 year ago

Sorry my bad, but why does it matter as long as you secure any channel?

[–] [email protected] 1 points 1 year ago (1 children)

in fact i run ntfy server on docker on a vps tied with a cronjob but it scares me to think that anyone can manipulate and see my complete dashboard.

[–] [email protected] 1 points 1 year ago (1 children)

Then use it through a VPN (e.g. WireGuard), that's how I do it. Only expose services to the internet if you really have to.

[–] [email protected] 1 points 1 year ago

I have it also in a vpn wireguard and I do portforwarding from a local machine using a vps bridge but the point is not that the point is that lan or wan should have an authentication panel is basic in any web application I do not understand how ntfy has not done that yet.

[–] [email protected] 1 points 1 year ago

you have to set the setting to make it reverse proxy aware. swag is a nginx based reverse proxy with a lot of builtin configs for various services and customizations.

if you really don't want anyone to access your topics, you can set default permissions to none and then manually allow per topic for each user (selfhosted ntfy)

[–] [email protected] 1 points 1 year ago (1 children)

For sure set the authentication inside NTFY itself. In terms of protecting NTFY with Authelia that is what I did to allow iOS app to receive notifications and being able to see the messages in the app.

Add below in Authelia configuration.yml

- domain: 'ntfy.example.com'

resources:

- '^/yourtopic/json\?poll=1&'

methods:

- GET

policy: bypass

change domain to your NTFY hostname and 'yourtopic' to your topic name.

I have a default config that protects everything else and bypass only this one so if you try to access your NTFY URL in the browser it will ask you to authenticate, but the iOS app will be able to do get the message from your NTFY server bypassing Authelia. Obviously, the topic itself requires built-in NTFY authentication so no one without the credentials cannot get the messages and no one can push new messages as well.

Not sure how it would work with Android but you can protect your NTFY instance with Authelia and then see in nginx logs what URIs Android app is trying to reach and figure out what is required to get it work. Hope that helps a bit ;)

[–] [email protected] 1 points 11 months ago (1 children)

So do you add 'ntfy.example.com' in your one/two_factor policies? And then a separate 'ntfy.example.com' with the resource regex for bypass policy?

For example:

    - domain:
      - ntfy.example.com
      policy: two_factor
      subject:
      - ["group:admins"]
    
    - domain:
      - ntfy.example.com
      methods:
      - GET
      resources: '^/test([/?].*)?$'
      policy: bypass
[–] [email protected] 1 points 11 months ago

I think it is the other way around. In the config file you first add more specific policy, and then the more general one. Because the first policy that the request matches will apply and next rules will not apply. Please refer to the docs, everything is there. There is also a specific section for rule matching.

https://www.authelia.com/configuration/security/access-control/