Question password protect docker app?


259
28
NAS
DS1019+
Mobile operating system
  1. Android
I have MKVToolNix running in Docker, and it's accessible via http://192.168.1.2:5800
However, anyone can load it (locally) as it has no authentication for access.

Is it possible to add a user/pass authentication so that you can't access it via the browser unless you enter a user/pass?
 

Rusty

Moderator
NAS Support
2,845
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Running it behind a reverse proxy that has an authentication portal comes to mind. That way you would need to authenticate, and only after that would you be allowed access to the URL behind it (in this case the mkvtoolnix container).

By default, the reverse proxy in Synology does not support authentication unless you customize the nginx behind it. This is something that's not safe in the long run, considering that this version of nginx is under DSM system configuration and as such can be altered, changed and reset after every DSM update.
 

fredbert

Moderator
NAS Support
Subscriber
1,836
750
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
What web server is the container using? Apache? You could add authentication via .htaccess ... though having HTTPS would be better!
Is it possible to map the web server's document root folder to a NAS folder? Then any mods you make will be retained when the container image is upgraded.
 

fredbert

Go onto the running container's command line (via Docker) and run apachectl status. If Apache is installed there should be a response.
 
259
28
NAS
DS1019+
Mobile operating system
  1. Android
You mean go into "terminal" from within the docker container?
When I go there I get a black screen with a flashing cursor, but typing anything (including that command) results in no response back.
 

fredbert

Click on Create and it will create a new bash session.
 
259
28
NAS
DS1019+
Mobile operating system
  1. Android
Hmm, whatever that did, it didn't like it at all.

Capture.JPG
 

fredbert

Just installed the jlesage/mkvtoolnix container and it responds to starting a terminal session with /bin/sh.

Anyway, looking at the Log output tab there is nginx listed in the output as starting up.

The nginx files are /etc/nginx and the document root is /opt/novnc.
 

fredbert

It means it's running the nginx web server and you'll have to modify it to enable authentication ... not something I've investigated.
 
259
28
NAS
DS1019+
Mobile operating system
  1. Android
Hmmm... probably not the best solution.

Is there anything stock in DSM that would let me forward http://apps.domain.com/appname to 192.16.1.2:5800 (at least to begin with, without any user/pass authentication)?
 

Rusty

The reverse proxy that DSM uses (without auth) is in Control Panel > Application Portal > Reverse Proxy.
 

fredbert

Reverse Proxy works on sub-domain URLs such as 'appname.domain.com', not on 'apps.domain.com/appname'. Only the selected Synology packages get to have the appname folder too.


A really hacked solution might be achievable if you don't currently use one of the VPN Server services. This is theoretical because I haven't used it myself.

You'd configure the unused VPN service to only your MKVToolNix users. Then use the DSM firewall to block access to the MKVToolNix ports except from the VPN service.

For a reverse proxy rule there is also the option to assign an access control policy that limits the source IP that can access it. So you'd do the same type of thing that the DSM firewall is doing on the direct container access.
 
259
28
NAS
DS1019+
Mobile operating system
  1. Android
Hmm, sounds too hacky really.
I remember ages ago when I was using a Windows server with nginx that you could configure the nginx reverse proxy to do apps.domain.com/appname
 

fredbert

Maybe there's another container that supports authentication?

nginx may support apps.domain.com/appname but I'm not aware that the DSM interface supports this except for official packages.
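
The approach discussed in this thread (an authenticating reverse proxy in front of the container, published under apps.domain.com/appname), as an added example that is not part of the original posts. It assumes a separate nginx instance you control rather than the DSM-managed one; the certificate paths, the .htpasswd path and the user name are placeholders, and the WebSocket headers are an assumption based on the /opt/novnc document root mentioned above.

```nginx
# Goes inside the http { } block of a standalone nginx (its own container
# or host), NOT the nginx that DSM manages and may reset on update.
# Create the credentials file first (placeholder path and user):
#   htpasswd -c /etc/nginx/.htpasswd mkvuser

# Send "Connection: upgrade" upstream only when the client requests a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Basic auth only base64-encodes credentials, so serve it over TLS.
    listen 443 ssl;
    server_name apps.domain.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder

    # Normalise /appname to /appname/ so relative asset URLs resolve.
    location = /appname { return 301 /appname/; }

    location /appname/ {
        # Every request, including the WebSocket handshake, needs valid credentials.
        auth_basic           "MKVToolNix";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Trailing slash on proxy_pass strips the /appname/ prefix upstream.
        proxy_pass http://192.168.1.2:5800/;
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1h;   # keep long-lived sessions open
    }
}
```

The proxy only helps if port 5800 can no longer be reached directly, so pair it with a DSM firewall rule that allows that port only from the proxy's address.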
 
259
28
NAS
DS1019+
Mobile operating system
  1. Android
I've dropped a message on the GitHub for the container to see if it's possible.
 
