ettore.dreucci/ettore.dreucci.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New draft blog post

Browse Source
This commit is contained in:
Ettore Dreucci
2025-10-09 22:42:00 +02:00
parent a97dedba6e
commit 7b65855277
2 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
public/
.idea

27
content/blog/authentik-block-akadmin-internet.md Normal file
View File

@@ -0,0 +1,27 @@
---
title: "Block Authentik admin user access from the Internet"
tags: ["authentik", "security"]
categories: ["recipe", "security"]
date: 2025-03-01T01:06:12+01:00
author: "Ettore Dreucci"
draft: true
---
## [[recipe]({{< ref "/categories/recipe" >}}), [security]({{< ref "/categories/security" >}})]: How to restrict Authentik admin access from internal networks only
I've recently set up an [Authentik](https://goauthentik.io/) instance in my homelab for SSO authentication. I really like it and I've set it up for authentication with several services that I'm self-hosting, including some that are internet-facing. That required exposing Authentik too, as I need to be able to reach it from outside my network when authenticating to these services.
Exposing to the Internet a core service like an identity provider is not a light-hearted job and even if Authentik is suggesting [some ways](https://docs.goauthentik.io/docs/security/security-hardening) to harden a deployment, I wanted to make sure that admin access is strictly restricted to internal networks only.
### Expose Authentik
You may argue that the best way to access such a sensitive service like one that provides authentication and authorization would be by using a VPN tunnel, so that you don't have to expose it to the outside world at all. However, VPN adds a layer of complexity, and when hosting services used also by non tech-savy relatives, limiting the degree of difficulty in accessing those surely helps preventing sunday morning phone calls.
In exposing internal services to the Internet I'm currently using [NGINX](https://nginx.org/) as a reverse proxy. That is the case as well for exposing my Authentik instance.
Using a reverse proxy I'm also able to manage the SSL context, and therefore certificates, in a single place: this makes possible enabling (and forcing) HTTPS encryption without having to configure public, trusted, SSL certificates on every service.
#### Restrict admin interface
### Limit admin access
#### Prevent admin login from outside local networks