Hiding the waved server behind a reverse proxy #1940

aranvir · 2023-04-22T13:17:26Z

aranvir
Apr 22, 2023

Hi, I looked into using traefik as a reverse proxy for both my wave app and my web api (run with uvicorn). The motivation was to use basic http authentication as a quick workaround to create access control without needing OpenID Connect.

Now, while my web api is only reachable via traefik router (since I serve it on 127.0.0.1), I can still reach the wave server by directly going for the port. For example, my server address is example.com and waved serves to port 10101, then I can reach the wave app at both example.com and example.com:10101 but only for the first one I get prompted for the password. And that beats the purpose of my authentication approach.

So, I was wondering if this is something that could be solved on waved side (e.g., adding a cli argument like -local) or if it's a bit more complicated than that.

Answered by mturoci

Apr 24, 2023

Hi,

the simplest (and the most secure) thing to do is to close all the ports on your server and allow only 80 (HTTP) and 443 (HTTPS).

if this is something that could be solved on waved side (e.g., adding a cli argument like -local)

By default, wave server listens on 0.0.0.0 which means listen on all available addresses. Adding a new host conf option should be super simple so that you could replace it with localhost, but my first suggestion is definitely more secure.

View full answer

mturoci · 2023-04-24T06:32:55Z

mturoci
Apr 24, 2023
Maintainer

Hi,

the simplest (and the most secure) thing to do is to close all the ports on your server and allow only 80 (HTTP) and 443 (HTTPS).

if this is something that could be solved on waved side (e.g., adding a cli argument like -local)

By default, wave server listens on 0.0.0.0 which means listen on all available addresses. Adding a new host conf option should be super simple so that you could replace it with localhost, but my first suggestion is definitely more secure.

1 reply

aranvir Apr 24, 2023
Author

Okay, fair.

I'm still new to all this networking stuff and was looking for a fast solution for an internal server 😅 but I should look into these topics anyway to build a secure application.

aranvir · 2023-04-25T11:51:15Z

aranvir
Apr 25, 2023
Author

@mturoci out of curiosity: would you consider basic http authentication as a feature for the wave server? Or is it considered to be of low/no additional value since OpenID Connect support is already there and solutions like a reverse proxy can be used if a user really wants it.

Just asking because it would be less trouble for me to use if it were an included feature, but I don't know if it's a relevant use case :D

3 replies

mturoci Apr 25, 2023
Maintainer

As you say, since OIDC is superior and the de-facto industry standard, basic auth will most likely not be added, thus reverse proxy in front of your wave server is necessary.

mturoci Jun 6, 2023
Maintainer

@aranvir, if interested, I put up a small repo showcasing how to put Nginx in front of a wave app.

aranvir Jun 7, 2023
Author

Nice, thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hiding the waved server behind a reverse proxy #1940

{{title}}

Replies: 2 comments 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Hiding the waved server behind a reverse proxy #1940

aranvir Apr 22, 2023

Replies: 2 comments · 4 replies

mturoci Apr 24, 2023 Maintainer

aranvir Apr 24, 2023 Author

aranvir Apr 25, 2023 Author

mturoci Apr 25, 2023 Maintainer

mturoci Jun 6, 2023 Maintainer

aranvir Jun 7, 2023 Author

aranvir
Apr 22, 2023

Replies: 2 comments 4 replies

mturoci
Apr 24, 2023
Maintainer

aranvir Apr 24, 2023
Author

aranvir
Apr 25, 2023
Author

mturoci Apr 25, 2023
Maintainer

mturoci Jun 6, 2023
Maintainer

aranvir Jun 7, 2023
Author