Question password protect docker app?

[chenks]

I have MKVToolNix running in Docker, and it's accessible via http://192.168.1.2:5800
however, anyone can load it (locally) as it has no authentication for access.

is it possible to add a user/pass authentication so that you can't access it via the browser unless you enter a user/pass?

 

[Rusty]

Running it behind a Revers proxy that has an authentification portal comes to mind. That way you would need to authenticate and only after that you would be allowed access to URL behind it (in this case mkvtoolnix container).

By default, reverse proxy in synology does not support authentification unless you customize nginx behind it. This is something that's not safe in the long run considering that this version of nginx is under DSM system configuration and as such can be altered, changed and reset after every DSM update.

 

[chenks]

it's something i had considered.. ie https://apps.domain.com/mkvtoolnix would direct to https://192.168.1.2:5800
then i could have a few apps on the same sub-domain etc.

is nginx the only option?
don't know if it's relevant, but i amusing apache as the backend for the webstation currently.

 

[fredbert]

What web server is the container using? Apache? You could add authentication via .htaccess ... though having HTTPS would be better!

PasswordBasicAuth - HTTPD - Apache Software Foundation

cwiki.apache.org

Is it possible to map the web server's document root folder to a NAS folder? Then any mods you make will be retained when the container image is upgraded.

 

[chenks]

What web server is the container using? Apache?

i have no idea and how would i find out?

 

[fredbert]

go onto the running container's command line (via Docker) and run apachectl status. If Apache is installed there should be a response.

 

[chenks]

you mean go into "terminal" from within the docker container?
when i go there i get a black screen with a flashing cursor, but typing anything (including that command) results in no response back

 

[fredbert]

Click on Create and it will create a new bash session.

 

[chenks]

hmm whatever that did, it didn't like it at all

 

[fredbert]

Just installed the jlesage/mkvtoolnix container and it responds to starting a terminal session with /bin/sh.

Anyway, looking at the Log output tab there is nginx listed in the output as starting up.

The nginx files are /etc/nginx and the document root is /opt/novnc.

 

[chenks]

so what does that mean then?

 

[fredbert]

It means it's running the nginx web server and you'll have to modify it to enable authentication ... not something I've investigated.

 

[chenks]

hmmm.. probably not the best solution.

is there anything stock in DSM that would let me forward http://apps.domain.com/appname to 192.16.1.2:5800 (at least to begin with without any user/pass authentication) ?

 

[Rusty]

hmmm.. probably not the best solution.

is there anything stock in DSM that would let me forward http://apps.domain.com/appname to 192.16.1.2:5800 (at least to begin with without any user/pass authentication) ?

Revers proxy that DSM uses (without auth) is in Control Panel > Application Portal > revers proxy

 

[fredbert]

Reverse Proxy works on sub-domain URLS such as 'appname.domain.com' not on 'apps.domain.com/appname'. Only the selected Synology packages get to have the appname folder too.


A really hacked solution might be achievable if you don't currently use one of the VPN Server services. This is theoretical because I haven't used it myself.

You'd configure the unused VPN service to only your MKVToolNix users. Then use the DSM firewall to block access to the MKVToolNix ports except from the VPN service.

For a reverse proxy rule there is also the option to assign an access control policy that limits the source IP that can access it. So you'd do the same type of thing that the DSM firewall is doing on the direct container access.

 

[chenks]

hmm sounds too hacky really.
i remember ages ago when i was using a windows server with nginx that you could configure nginx reverse proxy to do apps.domain.com/appname

 

[fredbert]

Maybe there's another container that supports authentication?

nginx may support apps.domain.com/appname but I'm not aware that the DSM interface supports this except for official packages.

 

[chenks]

i've dropped a message on the github for the container to see if it's possible.