My setup
I am exposing ABS via traefik to an https endpoint (LE) on my WAN. When accessing ABS from within my LAN, authelia is skipped by traefik, but from WAN I need to authenticate via authelia (still using ABS's identity management, so I authenticate twice, which is not an issue for me).
What I'm trying to do
I would like to let the mobile app through, without authelia getting in the way. The first idea was to just take the API token and open up the /api/ prefix to the outside. But there's no way to enter the API token into the mobile app.
And since I catch myself in a little XY problem here... What I am ultimately trying to achieve is to secure the ABS endpoint as much as possible from the WAN, relying as little as possible on ABS's own security.
What I'd like to avoid
From reading other discussions, the app apparently also requests the /ping endpoint. To log in it probably uses the /login and /auth endpoints (when using u/p). I assume it also accesses the /status endpoint, which gives out version information about the installed ABS. If that info were exposed without authentication, that would be a definite no-go from a security perspective.
I also have no idea about OIDC, so that route is unfortunately also not an option for me.
Question
Is there a way to configure the API token in the app instead of username/password?
What is the most limited set of URL prefixes to open up for the app to work?
Thanks!
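One way to express the intent of the question at the proxy layer, as an added example that is not part of the post above and not configuration from the ABS, traefik or authelia projects: instead of opening the whole /api/ prefix in traefik, keep the forwardAuth middleware on the entire ABS router and move the allowlist into authelia's access_control rules, so the LAN bypass, the WAN allowlist and the "everything else needs a login" default are all in one place. The hostname abs.example.com, the LAN range 192.168.1.0/24 and the path list are assumptions; the paths are only the ones the post names as what the app seems to use, they have not been verified against the app.

```yaml
# Added example (not from the discussion, not project-provided config).
# Assumes: traefik applies the authelia forwardAuth middleware to the whole
# ABS router, ABS is served at abs.example.com, and the LAN is 192.168.1.0/24.
# Path list = the endpoints the post names; treat it as an assumption to verify.

# --- Weak: the idea from the post, whole /api/ prefix unauthenticated from WAN ---
# access_control:
#   default_policy: deny
#   rules:
#     - domain: abs.example.com
#       policy: bypass
#       resources:
#         - "^/api/.*$"

# --- Tighter: LAN bypass by network, explicit WAN allowlist, deny-by-default ---
access_control:
  default_policy: deny
  networks:
    - name: lan
      networks:
        - 192.168.1.0/24
  rules:
    # Rules are evaluated first match wins. LAN clients skip authelia, which
    # replaces the traefik-side LAN exception described in the post.
    - domain: abs.example.com
      policy: bypass
      networks:
        - lan
    # From the WAN, only the paths the app is believed to need skip authelia.
    # /status is deliberately NOT listed: it reports the installed version.
    - domain: abs.example.com
      policy: bypass
      resources:
        - "^/ping$"
        - "^/login$"
        - "^/auth(/.*)?$"
        - "^/api(/.*)?$"
    # Everything else (web UI, /status, anything unlisted) needs an authelia login.
    - domain: abs.example.com
      policy: one_factor
```

Every path in the bypass rule is protected only by ABS's own authentication, which is exactly the surface the post wants to minimise, so the list should be trimmed, not grown, as the app's real requests are observed (the traefik access log or authelia's own log will show which paths hit the deny rule). A quick check after deploying is to request https://abs.example.com/status from outside the LAN: a redirect to the authelia portal is the expected result, while a 200 with a JSON body means the version information is still exposed.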