When we set up applications in our homelab, there are always some that have no authentication at all, or authentication that cannot be integrated with the existing identity system.
Updated at 2018-08-31
The solution I was using was Organizr. While it protects your endpoints, it is not the best solution. If you read the source code, it just caches IP addresses, which can lead to a lot of problems. Also, it does not redirect you to a login page or allow you to set up remote authentication. It only has limited roles (admin and user) to control access and does not play well with other identity providers, like LDAP.
- Keycloak (Admin privilege)
- Docker Compose
Keycloak is an open source identity and access management application. It integrates with many useful services and protocols, including SAML, OpenID Connect, LDAP, single sign-on, etc.
By using Keycloak, you only have one place to manage user credentials, and users only have to remember one account.
In this tutorial, we will use Docker to deploy, because it is much easier to install and manage applications that way.
It is still possible to set it up without Docker, but that will not be covered in this tutorial.
Using Docker Compose means we no longer need to remember long docker commands, and we can even keep the file in a version control system.
First, we log in to Keycloak as an admin user.
Then, we create a client with `whoami` as Client ID (anything you like) and select `openid-connect` as Client Protocol.
We change the Access Type to `confidential` and add your public URL to Valid Redirect URIs, e.g. `http://example.com/*`. Remember to save it.
We go to Installation and select `Keycloak OIDC JSON` as Format Option. We will need it when we configure Keycloak Security Proxy.
Configure Keycloak Security Proxy
We will create a configuration file at
All the configuration can be found here.
- target-url: This is the address to proxy to. We use `whoami` because we are going to deploy a container with a hostname of
- bind-address: It needs to be `0.0.0.0` in order to listen for requests from outside the container.
- http-port: The port it listens on. The value does not matter much, since we map it again in Docker.
- base-path: Base path of the application. Since we only have one application, we use
- adapter-config: This is generated by Keycloak. Paste the configuration from the previous section.
- constraints: Constraints for accessing the application. In this example, all paths can only be accessed if the user has
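Putting those keys together, here is a complete proxy.json as an added example (not the post's own file): the `applications` array wraps `base-path`, `adapter-config` and `constraints`, and the adapter block is exactly what the Installation tab emits. The realm name, Keycloak URL, client secret, role name and the whoami container port are assumed placeholders you replace with your own values.

```json
{
  "target-url": "http://whoami:80",
  "bind-address": "0.0.0.0",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "homelab",
        "auth-server-url": "https://keycloak.example.com/auth",
        "ssl-required": "external",
        "resource": "whoami",
        "credentials": {
          "secret": "<client-secret-from-installation-tab>"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "roles-allowed": ["whoami-user"]
        }
      ]
    }
  ]
}
```

Because `constraints` matches `/*` with a role requirement, an authenticated user without `whoami-user` is rejected rather than proxied through, which is the 403 behaviour described at the end of the post.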
I came across a problem where Keycloak redirects to HTTP instead of HTTPS, which causes a mixed content issue. I found an answer on StackOverflow saying that you can add
Configure Docker Compose
Then, we create the following
We start it up with
When you try to access it without logging in, it will redirect you to the Keycloak login page. If you are logged in but do not match the constraints, you will get a 403 response. If you are logged in and match the constraints, you can use it normally.