Authentication

Having a strong layer of authentication is mandatory for self-hosted services that are exposed to the internet. When talking about authentication it is important to remember that it has a double meaning: to recognize one user rather than another, and to restrict access to your service based on who the user is.

A few assumptions: self-hosting for home access, which means a limited and trusted list of users that rarely changes over time. Security is important, but ease of use is also important, and so is simplicity of user management.

There are a few key points that I want to stress about authentication:

  • 2FA (Two Factor Authentication) will not be considered
  • You want to create users only once, as much as possible.
  • Only selected services will need to differentiate between users
  • Most services will not need to know who is accessing them
  • From outside, all services must require authentication
  • From inside, authentication is required only where a specific user makes a difference
  • Avoid double authentication when possible

For example, a media server will need to know who is connecting to show your preferred shows and your “resume from here…” movies. The printer control page instead should be accessible by anyone inside home.

Authentication will always be required when connecting from outside, while from inside it will be needed only for selected services.

The simplest and most effective approach is to enable the PAM authentication module of NGINX and connect your reverse-proxy authentication to your server's user management, so that adding a new user to your server automatically adds it to your services, or at least to the ones that can use reverse-proxy authentication.

You have the following combinations:

  • Services that do not need to differentiate between users
  • Services that need to know who is connecting, and can get this info from the reverse-proxy
  • Services that need to know who is connecting, and cannot get this info from the reverse-proxy

You will be able to enable the PAM authentication module of NGINX on a per-service basis to achieve this.

The general rule is as follows:

Service | From inside | From outside
Does not require authentication | auth not required | use PAM auth
Requires auth, can use reverse-proxy auth | use PAM auth | use PAM auth
Requires auth, cannot use reverse-proxy auth | use service auth | use service auth

Using PAM auth on services that cannot understand reverse-proxy auth is a great way to increase security, as others will not even be able to reach your service, but it will require users to authenticate twice and might cause some mobile apps to fail.

Please note that for services that cannot use reverse-proxy auth you will need to create the users in the service itself.
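As an added example (not from the original page), here is how the three rows of the table above map onto NGINX location blocks using the auth_pam module. The LAN range, backend ports, paths and the PAM service name are assumptions.

```nginx
# Constructed example. Assumes: LAN is 192.168.1.0/24, NGINX is built with
# the auth_pam module, and /etc/pam.d/nginx exists (e.g. "auth include system-auth").
# auth_pam is HTTP Basic auth, so this only makes sense on a TLS server block.

# Row 1: service that does not need to know the user.
# From inside: no auth. From outside: Basic auth checked through PAM.
location /printer/ {
    satisfy any;                    # allow rule OR successful PAM auth is enough
    allow 192.168.1.0/24;           # inside the house
    deny  all;                      # everyone else must authenticate
    auth_pam "Home services";       # realm shown in the browser prompt
    auth_pam_service_name "nginx";  # maps to /etc/pam.d/nginx
    proxy_pass http://127.0.0.1:8000/;
}

# Row 2: service that needs the user and can take it from the reverse-proxy.
# PAM auth from both sides; the authenticated name is forwarded in a header.
location /media/ {
    auth_pam "Home services";
    auth_pam_service_name "nginx";
    proxy_pass http://127.0.0.1:8096/;
    proxy_set_header Remote-User $remote_user;  # set by NGINX after Basic auth
}

# Row 3: service that needs the user but cannot read proxy headers.
# No proxy-level auth; the service's own login is used from both sides.
location /other/ {
    proxy_pass http://127.0.0.1:8080/;
}
```

With pam_unix the PAM check runs as the NGINX worker user, which must therefore be able to read /etc/shadow (typically via the shadow group); check this before relying on the outside rule.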

There is a more complex solution, which is using something like Authelia or Authentik that support 2FA and OAuth, but again whether your services will support it or not is hit-and-miss, and for my needs it is simply too much.

https://www.authelia.com/integration/prologue/get-started/

https://github.com/authelia/authelia/releases

useradd -m authelia

su - authelia

wget https://github.com/authelia/authelia/releases/download/v4.38.10/authelia-v4.38.10-linux-amd64.tar.gz

mkdir bin
cd bin
tar xvf ../authelia-v4.38.10-linux-amd64.tar.gz
cd ..

Create the configuration.yml file (see example)

mkdir config db logs

Launch authelia

NGINX auth_request

www-servers/nginx NGINX_MODULES_HTTP: auth_request auth_pam dav dav_ext gunzip sub realip xslt

Create file org.gardiol/authelia_proxy.conf (file)
Create file org.gardiol/login/login.conf (file)
Create file org.gardiol/authelia_location.conf (file)
Create file org.gardiol/authelia_authrequest.conf (file)

Configure auth for every subdomain

Creating passwords: ./authelia-linux-amd64 crypto hash generate --help

authelia
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

description="Authelia - authenticator"
pidfile="/run/authelia.pid"
command_background=true
command="/home/authelia/bin/authelia-linux-amd64"
command_args="--config /home/authelia/configuration.yml"
command_user="authelia:authelia"

depend() {
        need net
}
