Question password protect docker app?

295
32
NAS
DS1019+ DSM6
Operating system
  1. Windows
Mobile operating system
  1. iOS
I have MKVToolNix running in Docker, and it's accessible via http://192.168.1.2:5800
however, anyone can load it (locally) as it has no authentication for access.

is it possible to add a user/pass authentication so that you can't access it via the browser unless you enter a user/pass?
 
Running it behind a Revers proxy that has an authentification portal comes to mind. That way you would need to authenticate and only after that you would be allowed access to URL behind it (in this case mkvtoolnix container).

By default, reverse proxy in synology does not support authentification unless you customize nginx behind it. This is something that's not safe in the long run considering that this version of nginx is under DSM system configuration and as such can be altered, changed and reset after every DSM update.
 
What web server is the container using? Apache? You could add authentication via .htaccess ... though having HTTPS would be better!
Is it possible to map the web server's document root folder to a NAS folder? Then any mods you make will be retained when the container image is upgraded.
 
you mean go into "terminal" from within the docker container?
when i go there i get a black screen with a flashing cursor, but typing anything (including that command) results in no response back
 
hmm whatever that did, it didn't like it at all

Capture.JPG
 
hmmm.. probably not the best solution.

is there anything stock in DSM that would let me forward http://apps.domain.com/appname to 192.16.1.2:5800 (at least to begin with without any user/pass authentication) ?
Revers proxy that DSM uses (without auth) is in Control Panel > Application Portal > revers proxy
 
Reverse Proxy works on sub-domain URLS such as 'appname.domain.com' not on 'apps.domain.com/appname'. Only the selected Synology packages get to have the appname folder too.


A really hacked solution might be achievable if you don't currently use one of the VPN Server services. This is theoretical because I haven't used it myself.

You'd configure the unused VPN service to only your MKVToolNix users. Then use the DSM firewall to block access to the MKVToolNix ports except from the VPN service.

For a reverse proxy rule there is also the option to assign an access control policy that limits the source IP that can access it. So you'd do the same type of thing that the DSM firewall is doing on the direct container access.
 
hmm sounds too hacky really.
i remember ages ago when i was using a windows server with nginx that you could configure nginx reverse proxy to do apps.domain.com/appname
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

There must be already be some sort of dependency, as the deluge service joins the network namespace of the...
Replies
6
Views
580
Ok got this running.. But how do I specify the custom_user/password settings in the yaml-file? EDIT...
Replies
7
Views
836
For the heck of it, I just checked again in docker container, and it announced an update was available. I...
Replies
4
Views
1,002
  • Question
Do realize, that enabling any user to run docker containers is largely the same as giving that user full...
Replies
6
Views
1,589
Hello, I already have it configured perfectly with wireguard. I was looking at the Gluetun configuration...
Replies
4
Views
1,542
Thanks... I tried something similar with rsync. The docker volume lived in...
Replies
7
Views
1,718

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top