Basic Auth and JWT #2809
Comments
Hi there,
I want to use Portainer's web UI behind an nginx reverse proxy with HTTP basic authentication. This conflict makes the reverse-proxy-with-basic-authentication scheme impossible.
@a1fred Portainer already provides an authentication mechanism. Why would you try to add another one on top of that?
@deviantony I don't want to show the Portainer login page to the public; I don't fully trust one authentication mechanism. Access to Portainer gives access to all services and access to the entire server. It's very important and completely unacceptable. I want more security to allow my paranoia to sleep calmly :)
Just created #2815.
Sorry, we've decided that we were not going to support this scenario for the reason that using the Authorization header is the standard way when using the JWT authentication scenario. We already support advanced authentication scenarios (more secure) by allowing you to use an external OAuth provider where you can enable extra security layers (such as 2FA) and we would recommend this approach for a more secure setup.
If you proxy it from a random location (say https://portainer.example.com/30aa9eeb-2f1c-49e8-91ec-2037f269a5fc/ ) that should be nearly as good as basic auth. The only danger is that someone accidentally copy & pastes the URL somewhere public, or that the web server lists the location somewhere. Basic auth should still be supported, in my opinion, however.
It's unfortunate that it costs as much as it does. Great pricing for businesses, not so much for a small home network that isn't generating profit. If there were a residential pricing tier, single user licence, single MFA user account etc, for a quarter of the price, then that would certainly be worthwhile! |
Email me, neil.cresswell@portainer.io for a promo code for home use.
Rgds,
Neil Cresswell
On 18/02/2020, at 1:36 AM, modem7 <notifications@github.com> wrote:
Sorry, we've decided that we were not going to support this scenario for the reason that using the Authorization header is the standard way when using the JWT authentication scenario.
We already support advanced authentication scenarios (more secure) by allowing you to use an external OAuth provider where you can enable extra security layers (such as 2FA) and we would recommend this approach for a more secure setup.
It's unfortunate that it costs as much as it does. Great pricing for businesses, not so much for a small home network that isn't generating profit.
Actually, it's not the same at all, and I wouldn't say OAuth is more secure. It's just not the same level. Using Basic Authentication (and TLS) with a reverse proxy will prevent access to any page, even those that don't need a Portainer account to access. Anyway, I totally agree on respecting the standard. It should be the job of the reverse proxy.
Hello, sorry to say that, but I think you miss the point here. Specifically when targeting serious businesses, you must provide a way to allow them to use the security gateway of their choice and not increase the attack surface. You may choose to regard us as paranoid enthusiasts, but as someone who works in IT, not addressing this issue is a no-go.
Can't secure Portainer behind nginx with basic auth. Portainer's JWT auth and HTTP basic auth use the same header name and overwrite each other.
Maybe rename the JWT header name or add a configuration option to change the JWT header name?
Related:
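The header collision the issue describes, as an added illustration that is not code from Portainer or from anyone in this thread: a toy proxy-side Basic check and an application-side HS256 Bearer check run in sequence, the way an nginx `auth_basic` location in front of a JWT-authenticated app would. It shows that a single `Authorization` header can satisfy only one of the two checks, and that carrying the token under a separately named header (the `X-App-Auth` name is made up for this example) would let both pass. The credentials, signing key and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secrets for the demonstration only.
PROXY_USERS = {"admin": "correct horse battery staple"}  # stands in for an htpasswd file
JWT_SECRET = b"constructed-app-signing-key"               # stands in for the app's JWT key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict) -> str:
    """Mint an HS256 token, mimicking the session token a JWT-based app issues at login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def proxy_basic_auth(headers: dict) -> bool:
    """The proxy's check: Authorization must carry a valid Basic credential."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(cred).decode().partition(":")
    except Exception:  # bad base64 or non-UTF-8 payload
        return False
    expected = PROXY_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def app_jwt_auth(headers: dict, header_name: str = "Authorization") -> Optional[dict]:
    """The app's check: a Bearer JWT with a valid HS256 signature; returns its claims."""
    scheme, _, token = headers.get(header_name, "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def request_outcome(headers: dict, jwt_header: str = "Authorization") -> str:
    """Run the proxy check, then the app check, as the chain proxy -> app would."""
    if not proxy_basic_auth(headers):
        return "rejected by proxy (401)"
    if app_jwt_auth(headers, jwt_header) is None:
        return "rejected by app (401)"
    return "ok"


def conflict_demo() -> dict:
    """Three requests: JWT overwriting Basic, Basic alone, and the two in separate headers."""
    token = make_jwt({"sub": "alice", "role": "admin"})
    basic = basic_header("admin", PROXY_USERS["admin"])
    # Headers are a map keyed by name: when the app's frontend sets Authorization
    # to the Bearer token, the Basic credential the browser held is replaced.
    overwritten = {"Authorization": basic}
    overwritten["Authorization"] = "Bearer " + token
    return {
        "jwt_overwrites_basic": request_outcome(overwritten),
        "basic_only": request_outcome({"Authorization": basic}),
        # Hypothetical separate header name; not a Portainer or nginx setting.
        "separate_header": request_outcome(
            {"Authorization": basic, "X-App-Auth": "Bearer " + token}, jwt_header="X-App-Auth"
        ),
    }


if __name__ == "__main__":
    for case, result in conflict_demo().items():
        print(f"{case}: {result}")
```

The first two cases are the deadlock the issue reports: whichever value ends up in `Authorization`, one of the two hops rejects the request. The third case only works because the app is told to read the token from a different header name, which is exactly the configuration knob the issue asks for.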