Server: authentication at proxy with basic auth or mTLS

Finkregh · June 9, 2024, 10:40pm

moved over from Feature: server: http basic auth or mTLS · atuinsh/atuin · Discussion #2099 · GitHub

I´d like to make my server usable for friends, but I neither want to have them use VPN foo nor to have the server directly open to the internet.

I’m quite happy with mTLS at a central proxy and creating certificates for people, another idea would be to add a layer of http-basic-auth at the proxy.

Thanks for this lovely project!

ellie · June 12, 2024, 10:39pm

Hey! Thanks for posting here

I’d rather not add mtls or basic auth directly to the server, though the latter is preferable to the former. How would some sort of invite token work for you? Or perhaps allowlisting some usernames?

davidolrik · June 13, 2024, 7:31am

I would very much welcome a shared secret for the whole instance, that would solve the issue nicely.

And to put it over the top, having support for multiple shared secret with and without expiry date would complete the feature.

Finkregh · June 13, 2024, 9:52am

The token would also be a nice thing

What I’d like to achieve is to have something in front of the atuin server, that allows/denies access.
I might be a little paranoid, but with the layered access I don’t have to pay that much attention to version changes, security updates, etc. of everything that is behind the proxy.

Perhaps I’ll proxy from foo.tld/randomrandomrandom/ to the atuin server. Does the sync_address allow folders in the address combined with a rewrite in a proxy?

tessus · June 14, 2024, 1:14am

It does. see Setup an Apache reverse proxy (sublocation)

con-f-use · October 18, 2025, 10:09am

@ellie I was asking myself the question: does Atuin Server do some sort of user-authentication. I’m aware that the data is encrypted in the database, so malicious actors only get cyphertext anyways. But is there some mechanism that prevents me from getting some else’s encrypted shell history? If not should there be? It would probably also help against DoS attacks and could probably done with the existing encryption keys of the users via some sort of callenge-response auth.

(Sorry if I’m hijacking this thread, I just didn’t find any other topic and didn’t think it was worth one)

ellie · October 18, 2025, 4:18pm

It does! When you register you provide a username and password. That’s used for auth. The encryption key is randomly generated and managed by the user

con-f-use · October 18, 2025, 4:38pm

Sure, but I was asking about self-hosting the server. Sorry I didn’t mention that prominently.

ellie · October 18, 2025, 8:57pm

Yeah they’re exactly the same