Guacamole, but proxies internal websites too

Hi

Is there any self-hosted tool around that will proxy an internal website to an external interface securely?

A bit like Apache Guacamole can do for RDP and VNC… or like Fortinet’s SSL VPN “web bookmarks”, or Azure’s App Proxy… or CloudFlare Tunnels?

Or some way of setting up hosts in Cloudflare Tunnels automatically?

My google-fu is failing me today.

Thanks…

HAProxy, Apache, nginx all don't meet this need how?

So you’re looking for… A reverse proxy…?

Am I missing something here?

Wouldn’t guacamole already provide access to internal resources from the RDP host?

Caddy and Traefik are also newer and very popular.

Well, yeah, but an authenticated reverse proxy. I don’t know how else to explain it - a self-hosted CloudFlare tunnel?

Using Guacamole to RDP to a host to then access the websites definitely achieves the goal. I guess I was looking for something with fewer steps.

Most of the stuff I’m trying to proxy is already behind Traefik, but I suppose I’m trying to put a layer of security in front of it for use externally.

HTTP basic auth, Authentik, Authelia. Or a VPN.

An authenticated firefox docker? Or guacamole to a BrowserLinux instance?

Perhaps using mutual TLS authentication on your existing traefik would work for you? - Traefik TLS Documentation - Traefik

Or handle mTLS on another external reverse proxy via another webserver like apache, nginx or caddy.

Wherever you do it, it would require users to present an appropriately signed certificate before they could access the resources behind the reverse proxy.

This used to be confusing to set up for most browsers, but I believe it has gotten better in recent years. Firefox works well for me: when visiting a site that needs mTLS auth, I get an error and am prompted to browse for the certificate.
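The mTLS suggestion above, sketched as a Traefik dynamic configuration (file provider). This is an added example, not part of the original post; the option name `mtls-required`, the router and service names, the hostname, the CA path and the backend URL are all placeholders chosen for illustration.

```yaml
# Dynamic configuration loaded by Traefik's file provider (assumed setup).
tls:
  options:
    mtls-required:                     # hypothetical option name
      minVersion: VersionTLS12
      clientAuth:
        # CA that signed the client certificates handed out to users.
        caFiles:
          - /etc/traefik/certs/client-ca.pem   # placeholder path
        # RequireAndVerifyClientCert rejects the handshake unless the
        # client presents a certificate that chains to caFiles.
        # RequireAnyClientCert and RequestClientCert do NOT verify the
        # chain, and VerifyClientCertIfGiven still admits clients that
        # send no certificate, so none of those authenticate anyone.
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    internal-app:                      # hypothetical router name
      rule: "Host(`app.example.com`)"  # placeholder hostname
      entryPoints:
        - websecure
      service: internal-app
      tls:
        # Attach the mTLS options to this router only. From another
        # provider (e.g. Docker labels) reference it as mtls-required@file.
        options: mtls-required

  services:
    internal-app:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"   # placeholder internal backend
```

Traefik selects TLS options per hostname, so every router that serves the same host should reference the same options; a router left on the default options for that host would not ask for a client certificate.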

I suppose I’m trying to put a layer of security in front of it for use externally.

OK, then

Or some way of setting up hosts in Cloudflare Tunnels automatically?

Then just add Cloudflare tunnels as you mentioned? What you are looking for is a WAF.

There are guides for doing this with Traefik…

Just set up a wildcard cert for the most part and go…