It looks like the author added authentication to support accessing the app from anywhere.
Would it instead be possible/easier to throw it on a VPN and make the VPN accessible from anywhere?
The reason I ask is that I want to be able to access personal web apps securely and I’m trying to figure out the easiest approach. Every time I look at authentication, it’s a labyrinth of concepts, protocols, and libraries. I don’t want to maintain that!
The gold standard easy way of doing this is tailscale. I have a few apps hosted on a Raspberry Pi at home (like home assistant). I have tailscale on that Pi, and on my phone and it works very well. The only auth you have to do is "log into tailscale on each machine".
I really cannot recommend tailscale enough for how easy it is to set up a secure network of your own devices.
In that setup, how does your phone know to access your Pi over the VPN, but use the regular connection for everything else? Subnet mask?
Edit: any pointers on how to set this up would be appreciated! Maybe I’m using the wrong search engine, but I haven’t found this scenario laid out clearly, yet.
In detail, yes, the underlying network routing on your device will route the target to the right network, which means it goes through the tailscale encryption.
In practice though - you don't have to worry about any of this! These are the steps:
* Create a tailscale account (there's a good free plan)
* Set up server. Give it a hostname (I'll use "mypi" in this example)
* Set up your web service on server - check you can get to it locally (e.g. connected by wire or just on http://localhost on that computer)
* Install tailscale on your server, and log in to your tailscale account (tailscale login and follow prompts)
* Install tailscale on your phone/laptop. Log in to tailscale
* On your phone/laptop go to http://mypi and it should Just Work!
On my iPhone I have a wireguard VPN set up with "Allowed IPs" 10.200.200.0/24
When the VPN is on, the phone directs any traffic for 10.200.200.0/24 through the VPN and the rest of the traffic through the normal network stack. This is often called split vpn or split tunnel.
The other end of the VPN needs to be running wireguard and accessible from the internet. I have a VPS for this because my desktop is behind a firewall. But I can connect from my desktop to the VPS over wireguard (same setup) with keepalive, and they can all talk to each other over that private network.
I don't usually have this on, but occasionally if I want to ssh back home from my kid's soccer practice, I'll use it. I ssh to the 10-net address for my laptop after bringing up the split vpn.
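An added example (not the commenter's own configuration) of the WireGuard split-tunnel layout described above: the phone sends only 10.200.200.0/24 into the tunnel, the VPS acts as the internet-reachable hub, and the desktop behind a firewall keeps its tunnel alive with keepalive. Keys, the endpoint hostname and the port are placeholders.

```ini
# --- Phone (split tunnel) ---
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.200.2/32

[Peer]
# The VPS hub, reachable from the internet (placeholder hostname/port)
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.invalid:51820
# Split tunnel: only traffic for the private 10-net enters the tunnel; everything
# else uses the normal network. A full tunnel would be AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.200.200.0/24

# --- Desktop at home (behind NAT/firewall, cannot be reached from outside) ---
[Interface]
PrivateKey = <DESKTOP_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.200.3/32

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.invalid:51820
AllowedIPs = 10.200.200.0/24
# Periodic outbound packets keep the NAT/firewall mapping open so the VPS
# (and the phone, via the VPS) can reach the desktop at any time.
PersistentKeepalive = 25

# --- VPS hub ---
[Interface]
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.200.1/24
ListenPort = 51820

[Peer]
# Phone: no Endpoint because it roams; cryptokey routing only accepts
# packets from this key if their source is the phone's /32.
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.200.200.2/32

[Peer]
# Desktop: likewise pinned to its own /32
PublicKey = <DESKTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.200.200.3/32
```

The three sections are separate config files, one per host. For the phone to reach the desktop through the hub, the VPS must also have IP forwarding enabled (net.ipv4.ip_forward=1).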
My RSS reader runs on my home computer and I log into it with Tailscale.
I have wireguard and caddy set up with docker on my server:
Then in ./appdata/caddy/Caddyfile:
So if I'm not on my VPN (or at home) nothing is shown.
Other considerations:
- You may want a VLAN or separate guest network depending on whether you allow guests on your network, what type of services you're running, etc.
- Many of the things I run at home have password authentication and I use them in addition to the VPN restriction.
- This was the first thing I thought of and may be insecure for reasons outside of my expertise.
- The nice thing about this is that I run pihole in the same compose file so when my phone is on my VPN I get remote ad-blocking "for free".
- Tailscale is easier and nicer (UI-wise) to set up, but I stopped using it because it's a battery hog on iOS. The "trusting someone else's server" thing is also an issue, but if not for the battery issue, I would probably still be trading the added risk for the convenience. This was not too bad to set up, though, and I'm happy with it for my simple needs. The Tailscale app also doesn't have a convenience feature that the Wireguard app does: I can tell Wireguard specific networks that I don't want it to run on (i.e. when I'm home) so that it enables automatically when I leave and turns off when I'm home.
What markup do you use to obtain the fixed width font for the yaml/json code?
It'd definitely be possible although, if you're not already using a VPN, I doubt it'd be easier. You could do it a few ways, but the gist would be running the VPN endpoint and the web app in the "same place" (same machine, same network, etc.) and restricting access to the web app from anywhere else.
My thinking was that you could avoid setting up a domain and VPS as well. But you might be right!
I have been quite happy with Basic HTTP authentication for most uses. It's still almost universally supported, thankfully.
For "securing" my application which hosts text snippets I've clipped from other websites and nothing else, it is sufficient.