Server: authentication at proxy with basic auth or mTLS

Moved over from "Feature: server: http basic auth or mTLS · atuinsh/atuin · Discussion #2099 · GitHub".

I'd like to make my server usable for friends, but I neither want to have them use VPN foo nor to have the server directly open to the internet.

I’m quite happy with mTLS at a central proxy and creating certificates for people; another idea would be to add a layer of HTTP basic auth at the proxy.

Thanks for this lovely project!

Hey! Thanks for posting here :smiley:

I’d rather not add mTLS or basic auth directly to the server, though the latter is preferable to the former. How would some sort of invite token work for you? Or perhaps allowlisting some usernames?

I would very much welcome a shared secret for the whole instance, that would solve the issue nicely.

And to put it over the top, having support for multiple shared secrets, with and without an expiry date, would complete the feature.

The token would also be a nice thing.

What I’d like to achieve is to have something in front of the atuin server that allows/denies access.
I might be a little paranoid, but with the layered access I don’t have to pay that much attention to version changes, security updates, etc. of everything that is behind the proxy.

Perhaps I’ll proxy from foo.tld/randomrandomrandom/ to the atuin server. Does the sync_address allow folders in the address combined with a rewrite in a proxy?

It does. See "Setup an Apache reverse proxy (sublocation)".