
2FA for Docker

I keep going back and forth with external access. I switched all to Tailscale, but am looking at my options to put audiobookshelf and Jellyfin back onto DDNS with port 443 open on my router to the built-in Synology reverse proxy, as external access is.....well, much more convenient (if a little less secure).

While I use 2-factor login for Synology apps, I don't see a way to get 2-factor for these Docker container web apps.
Is there a way to use the built-in Synology login (or even LDAP) to also be the login for my Docker apps, to at least provide 2-factor for these web apps?
Is there an option for the web apps to have an "auto-block" style feature as well, like Synology has for the built-in apps?
 
I don't see a way to get 2-factor for these Docker container web apps.
Not all apps (regardless of how they are running) have MFA options. For this you can run something like the Authelia portal, which will connect to any configured authentication process as well as offer MFA, and only following a successful login will you be redirected to your publicly facing app.

For example, that would mean that when going to the audiobook.domain.com URL, you will be redirected to a login/2FA portal (under your control), you will authenticate, and then be redirected back to the target app.

Have a read here (the article is a bit dated in terms of the Authelia configuration file) to get the look and feel of this process. Maybe it will solve your needs.
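The redirect flow described above, written out as an added example that is not from this thread, from Authelia's own documentation, or from SWAG: a vhost on a third-party nginx (the thread notes later that the Synology built-in nginx lacks the needed feature, which is the auth_request module) that sends every request through Authelia first. Hostnames (audiobook.example.com, auth.example.com), container names (audiobookshelf, authelia), ports and certificate paths are assumptions; the /api/verify endpoint is the one older Authelia releases document, so check the endpoint for the version you run.

```nginx
# Added example, not the thread's or Authelia's own config. Names, ports and
# paths below are assumptions for illustration.
server {
    listen 443 ssl;
    server_name audiobook.example.com;               # assumed public name of the app
    ssl_certificate     /config/keys/fullchain.pem;  # assumed certificate paths
    ssl_certificate_key /config/keys/privkey.pem;

    location / {
        # Ask Authelia (via an internal subrequest) whether this client may pass.
        auth_request /authelia;                      # requires ngx_http_auth_request_module
        auth_request_set $target_url $scheme://$http_host$request_uri;

        # Not logged in: Authelia answers 401, and nginx turns that into a
        # redirect to the portal, carrying the original URL so the user lands
        # back on the app after password + 2FA.
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # Identity established by Authelia, handed to the app as a header.
        auth_request_set $user $upstream_http_remote_user;
        proxy_set_header Remote-User $user;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://audiobookshelf:80;         # assumed container name and port
    }

    # Internal-only location that performs the check. The request body is not
    # forwarded; Authelia only needs to know who is asking for which URL.
    location = /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;  # assumed container; endpoint per Authelia version
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two things to check once this is in place. First, auth.example.com needs its own server block proxying to the Authelia container, or the redirect has nowhere to go. Second, the gate only holds if the app is reachable solely through the proxy: publish no host port for the audiobookshelf container and keep it on the same Docker network as nginx, otherwise a direct connection to the container port skips Authelia entirely. Non-browser clients that cannot follow the 302 to the portal (the thread mentions Jellyfin on Apple TV/Roku) will fail at this step, which is exactly the limitation raised above.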

 
Thanks. I have been looking at Authelia and Authentik (I think Authentik may require me to use another RP instead of the built-in Synology one). And then it sounds like fail2ban might be another option as well, to block multiple attempted logins. I don't think this will probably be as safe as Tailscale, but it seems like some clients (aka Jellyfin on Apple TV/Roku) may not work with Authelia in front of it.

Is there a way to make Docker only available to certain IPs per port (so I could access on LAN, and then for example add my dad's phone/TV IP and my work IP only)? I know there is an access control list for Synology but it doesn't seem like it works for Docker, just the built-in apps. Would a firewall rule for my Docker only allowing my Tailscale IP, local LAN, and individual work ports effectively do this?
How unsafe would this be? (From what I understand, with port 443 open on the router to my RP on Synology, if the firewall limited certain IPs only to the RP, wouldn't that effectively lock my system out from any outsider? Or with port 443 open are there other things I would need to do?)
 
I know there is an access control list for Synology but it doesn't seem like it works for Docker, just the built-in apps.
If you are talking about the access list for the reverse proxy, then that should work just fine for any address configured with that reverse proxy. What are your actual results with this? How is this not working for you exactly?

Would a firewall rule for my Docker only allowing my Tailscale IP, local LAN, and individual work ports effectively do this?
It should if configured correctly, but that depends on the actual setup.

with port 443 open on the router to my RP on Synology, if the firewall limited certain IPs only to the RP, wouldn't that effectively lock my system out from any outsider?
It would. You can close it down very well that way.
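What "the access list for the reverse proxy" does, as an added example that is not from this thread or from any project's own config: the equivalent allowlist on a third-party nginx reverse proxy (SWAG is mentioned later in the thread), plus an access log that records which source addresses reach the proxy. The addresses are assumptions for illustration: 192.168.1.0/24 stands for the LAN, 100.64.0.0/10 is the CGNAT range Tailscale assigns its nodes, 203.0.113.10 stands for the work IP, and jellyfin.example.com / the jellyfin container name and port are made up.

```nginx
# Added example, not the thread's or any project's own config. The two
# directives below belong in the http context (for SWAG, the site conf is
# already included there); addresses and names are assumptions.
log_format rp_access '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_user_agent"';

# Slow down password guessing: at most 5 login attempts per minute per source IP.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name jellyfin.example.com;                # assumed public name
    ssl_certificate     /config/keys/fullchain.pem;  # assumed certificate paths
    ssl_certificate_key /config/keys/privkey.pem;

    # Every request, allowed or not, is logged with its source address, which
    # is how you see who is actually hitting the proxy.
    access_log /config/log/nginx/jellyfin.access.log rp_access;

    # First matching rule wins; anything not listed gets a 403.
    allow 192.168.1.0/24;   # LAN (assumed)
    allow 100.64.0.0/10;    # Tailscale node range
    allow 203.0.113.10;     # work (assumed)
    deny  all;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://jellyfin:8096;             # assumed container name and port
    }

    # Jellyfin's username/password login endpoint (from its API, not from the
    # thread; verify the path for your version). Excess attempts get a 429.
    location = /Users/AuthenticateByName {
        limit_req zone=login burst=5 nodelay;
        limit_req_status 429;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://jellyfin:8096;
    }
}
```

The allow/deny rules compare against $remote_addr, so they only work when the proxy sees the real client address. A plain router port-forward preserves it; if another proxy (a CDN, a second reverse proxy) sits in front, nginx must be told to trust that hop with set_real_ip_from and real_ip_header, or every client will appear to come from the same address and the list becomes meaningless. The hotel-TV problem raised later in the thread is inherent to this approach: any device whose address is not on the list is refused before the login page ever loads.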
 
I am trying to do it per port (aka for Jellyfin, then for audiobookshelf). Maybe doing it for "all Docker" would be an option.

Sorry, as this is probably beginner stuff, I'm out of my element. But would it even make a difference using access control and the firewall together if my goal is just accessing the services? As I'm going through the whole process in my mind, I guess I'm not sure both are necessary. And also, as I go through this, I'm thinking individual IPs are going to be a pain for each device (aka when traveling and wanting to log into Jellyfin on a TV at, say, a hotel, now I need to figure out the IP of the hotel TV or the Apple TV I bring with me?). Is there a way to tell what IPs are trying to get to the reverse proxy?

I feel like I now know why people just use Tailscale.....it probably is easier to just tell others to get Tailscale, share it and use the IP, and when I travel suck it up and AirPlay/cast from my phone to Apple TV.
 
If you are the only user of these services then a VPN solution should be strongly considered vs. RP. I preferred OpenVPN on DSM over Tailscale because Tailscale seemed just too much for that use. But, as I discovered that my router (Fritzbox) can now handle WireGuard, I finally used that option.

I would advise searching for these options (VPN on NAS or router) as they are easy to set up and handle, and they also provide the security and isolation you need.
 
I am not the only user. There are 3 users. And the 2 services for media can be put on many devices that don't have Tailscale/VPN, so it does limit convenience/functionality.
 
So you want protection with accessibility for selected hosts but no VPN. That’s a reasonable request but not easily implemented without certain maintenance and management.

If we just focus on the streaming element, no streaming will be possible without a valid account, so even if someone targets your service it won't do any good.

For other services, by implementing a 2FA login system (if the platform is missing it) you will again have the same situation as with streaming. So with that in place you can minimize IP hunting and FW configuration.

If you do want to harden that element as well then just configure a geo firewall and block all the countries that you don't want access from. Furthermore, you can configure again a FW rule to allow access from your country.

Regarding traveling and access to services, if a geo firewall is in place, simply VPN back into that country and access your resources that way. Towards your FW there will be no blocking if the country is on the allow list, and you will be able to access your content.

Of course this will all work fine, but first you need to have working reverse proxy access. As I asked before, what are the current results of accessing the RP service? Blank screen, 4xx, 5xx errors, anything at all?
 
I have a working reverse proxy with all of the above set up on the firewall with no issues. As I'm learning more about this I'm trying to lock down more and more.

My initial concern was with WebDAV (I use this to sync my personal documents), so this is now shut off and I use Tailscale to access it, with a separate WebDAV account only allowed access to that share. Then I shut off QuickConnect for DSM login (I'm going to keep it active for web apps for my wife, it's just easier and I'm OK with the "security risk" of Synology). My main concern has been with running Home Assistant on my Synology and the concern that I may be exposing a port and could give control of home devices. I have moved Home Assistant to another device in the house not connected to the internet directly, so I think I've mitigated this.

As I continued to research I realized that my Docker containers (specifically audiobookshelf and Jellyfin) have no 2-factor. I think I'm more concerned that I'll screw something up with the firewall (and even though I have DDNS->RP on port 443 and the firewall) that there is a good chance I missed something, as compared to a bad actor who knows more getting in.

I'm aware it's all risk vs. benefit, and I'm just trying different options. Tailscale does seem safer without the open port and with less maintenance.

I guess my concern is that, with port 443 open and directed to my reverse proxy, I would like more security than basic user/pass. For open source audiobookshelf/Jellyfin it seems like there is a chance that a bad actor could log in and access my network at that point. If this isn't a concern and opening up 443 pointing to the RP only exposes those 2 apps (as it should), I guess limiting my Jellyfin container and audiobookshelf container to only access the media folder should be relatively safe (someone could get to that data and delete it, but it's nothing mission critical, it would just take forever to re-rip everything).
 
@Rusty
I have gone down a couple of different roads and have ended up back where we started, which is I think I need to set up Authelia. (Specifically, I tried Tailscale but it doesn't get the wife acceptance so won't get used.) Also, I have gone back from Jellyfin to using Plex, which uses their own authentication, and then I use my own domain to forward traffic to Plex via reverse proxy rather than just opening up 32400 on my router.

I have done a lot of experimenting and reading and think I have a more general sense of what I need to do (but still very beginner). Would appreciate any recommendations/help.

1) With Plex set up via reverse proxy I only have port 443 open on my router. I have remote access off on Plex. I have a Synology plex username which only has access to my media files and my docker files (I think both are the minimum required to be able to run the Plex container and access the media). As I'm dependent on Plex remote authorization (using 2FA), is there anything else recommended to secure this?

2) I have audiobookshelf which I would like to use via reverse proxy rather than Tailscale. This is set up and working fine at name.domain.com but does not have 2FA. I use the same limited username for Docker and media files access. To get 2FA it sounds like Authelia/Authentik would be the next step. From looking at your link from before, it shows that it requires another reverse proxy and can't use the Synology built-in one; is this still true or is there a way to get 2FA with the Synology RP? (And if I need a separate RP, what are your thoughts on linuxserver.io SWAG, which seems to incorporate this and fail2ban?)

3) The last service I'm using is WebDAV via Synology. I only use it for DEVONthink, which allows encrypted data. Since you can encrypt data and there is password login, I'm honestly not sure if it's worth my hassle to use Tailscale as compared to just using a strong password for the Synology account (I have an account with access limited to just that WebDAV folder) and a strong encryption password. I would feel better if I could use 2FA, however, as I would probably expand what I might use WebDAV for. Is there a way to use the native Synology WebDAV server with 2FA/SSO? If not, would there be another "docker" version of a WebDAV server that might more easily integrate with Authelia?
 
but it doesn't get the wife acceptance so won't get used
Haha, "user" acceptance has failed, I hear you!

As I'm dependent on Plex remote authorization (using 2FA), is there anything else recommended to secure this?
Well, you are aware of this single point of failure, as this is one thing you can't control. Apart from a very complicated password and 2FA there's not much more you can do, but I am sure others will give their thoughts on the matter if anyone has implemented certain security mechanisms.

requires another reverse proxy and can't use the Synology built-in one; is this still true or is there a way to get 2FA with the Synology RP?
The changes that need to be configured will not be possible with the built-in one, and certain features are missing from that version of nginx. Using any other 3rd-party one, including SWAG, will allow for these changes to be applied, so sure, you can use SWAG as well.

Is there a way to use the native Synology WebDAV server with 2FA/SSO? If not, would there be another "docker" version of a WebDAV server that might more easily integrate with Authelia?
Excellent question, but I have no idea. I have not had any need for WebDAV, so I never looked in that direction myself. Again, I am sure someone else will comment on the matter if they have had experience with this. Sorry, I can't give any insight on this.
 
I love the FOSS thing, but wow, Plex is just better than Jellyfin. Enough so that my wife is switching to Plexamp and getting rid of streaming. But Tailscale was an absolute no-go...... I think I'm OK with my failure point of Plex login, at least it's 2-factor and I've limited my user to just media. It would be really annoying to lose all my music and movies, but I can rip them all again as they are all owned on disc anyhow.

Thanks, I was hoping maybe there was a way to add Authelia to the Synology RP. It would be nice to share this, but I may just expose it via RP and a strong password and let it ride. The hassle of fail2ban, Authelia, and trying to get a new RP up and running sounds like more work than it might be worth for now, unless there is an option for a good WebDAV that would allow me to expose this a bit more safely.

As always thanks @Rusty.