diff --git a/.gitignore b/.gitignore index 364fdec..823b6fb 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ public/ +.idea \ No newline at end of file diff --git a/content/blog/authentik-block-akadmin-internet.md b/content/blog/authentik-block-akadmin-internet.md new file mode 100644 index 0000000..1c9068c --- /dev/null +++ b/content/blog/authentik-block-akadmin-internet.md 
@@ -0,0 +1,27 @@ +--- +title: "Block Authentik admin user access from the Internet" +tags: ["authentik", "security"] +categories: ["recipe", "security"] +date: 2025-03-01T01:06:12+01:00 +author: "Ettore Dreucci" +draft: true +--- + +## [[recipe]({{< ref "/categories/recipe" >}}), [security]({{< ref "/categories/security" >}})]: How to restrict Authentik admin access from internal networks only + +I've recently set up an [Authentik](https://goauthentik.io/) instance in my homelab for SSO authentication. I really like it and I've set it up for authentication with several services that I'm self-hosting, including some that are internet-facing. That required exposing Authentik too, as I need to be able to reach it from outside my network when authenticating to these services. + +Exposing to the Internet a core service like an identity provider is not a light-hearted job and even if Authentik is suggesting [some ways](https://docs.goauthentik.io/docs/security/security-hardening) to harden a deployment, I wanted to make sure that admin access is strictly restricted to internal networks only. + +### Expose Authentik + +You may argue that the best way to access such a sensitive service like one that provides authentication and authorization would be by using a VPN tunnel, so that you don't have to expose it to the outside world at all. However, VPN adds a layer of complexity, and when hosting services used also by non tech-savy relatives, limiting the degree of difficulty in accessing those surely helps preventing sunday morning phone calls. + +In exposing internal services to the Internet I'm currently using [NGINX](https://nginx.org/) as a reverse proxy. That is the case as well for exposing my Authentik instance. +Using a reverse proxy I'm also able to manage the SSL context, and therefore certificates, in a single place: this makes possible enabling (and forcing) HTTPS encryption without having to configure public, trusted, SSL certificates on every service. 
+ +#### Restrict admin interface + +### Limit admin access + +#### Prevent admin login from outside local networks \ No newline at end of file
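Review bot: The `.gitignore` hunk adds `.idea` without a trailing newline (`\ No newline at end of file`) and without the trailing slash the existing `public/` entry uses for a directory. Suggest writing it as `.idea/` and ending the file with a newline, so the next entry added does not show up as a change to this line as well.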
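Review bot: The level-2 heading of the new post says "restrict Authentik admin access from internal networks only", which reads as blocking internal networks, the opposite of the title "Block Authentik admin user access from the Internet"; change it to "to internal networks only". The three recipe sections that should carry the actual fix, `#### Restrict admin interface`, `### Limit admin access` and `#### Prevent admin login from outside local networks`, are empty headings, and the first of them sits one level below `### Expose Authentik` although it belongs to the restriction part; before `draft: true` is removed these need the NGINX rule and the Authentik-side check the post promises, and a sentence on the caveat that any source-address restriction behind a reverse proxy only holds if the proxy forwards the real client address and the application is configured to trust it from that proxy. Minor wording: "non tech-savy" should be "non tech-savvy", "sunday morning" should be "Sunday morning", "helps preventing" should be "helps prevent", "Exposing to the Internet a core service like an identity provider" reads better as "Exposing a core service like an identity provider to the Internet", "Authentik is suggesting" as "Authentik suggests", and "SSL context"/"SSL certificates" as TLS, since that is what NGINX terminates here. The file also ends with `\ No newline at end of file`.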