---
title: "Block Authentik admin user access from the Internet"
tags: [authentik, security]
categories: [recipe, security]
date: 2025-03-01T01:06:12+01:00
author: Ettore Dreucci
draft: true
---

[recipe]({{< ref "/categories/recipe" >}}), [security]({{< ref "/categories/security" >}}): How to restrict Authentik admin access to internal networks only

I've recently set up an Authentik instance in my homelab for SSO authentication. I really like it and I've set it up for authentication with several services that I'm self-hosting, including some that are internet-facing. That required exposing Authentik too, as I need to be able to reach it from outside my network when authenticating to these services.

Exposing a core service like an identity provider to the Internet is not something to take lightly, and even though Authentik suggests some ways to harden a deployment, I wanted to make sure that admin access is strictly restricted to internal networks only.

## Expose Authentik

You may argue that the best way to reach a service as sensitive as one that provides authentication and authorization would be through a VPN tunnel, so that it never has to be exposed to the outside world at all. However, a VPN adds a layer of complexity, and when hosting services that are also used by non-tech-savvy relatives, keeping them easy to reach surely helps prevent Sunday morning phone calls.

To expose internal services to the Internet I'm currently using NGINX as a reverse proxy, and that is also how my Authentik instance is exposed.
Using a reverse proxy I can also manage the SSL/TLS context, and therefore certificates, in a single place: this makes it possible to enable (and enforce) HTTPS without having to configure publicly trusted certificates on every service.
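As an added example (my own illustration, not configuration from the original post), here is what that NGINX front end can look like when it terminates TLS in one place and, in line with the goal of this post, only answers requests for the admin interface from internal networks. It assumes Authentik listens on `127.0.0.1:9000` over plain HTTP, that the public hostname is `auth.example.org`, that the admin UI is served under `/if/admin/` (the path current Authentik releases use), and that the certificate paths are placeholders.

```nginx
# Added example, not from the original post.
# Assumptions: Authentik on 127.0.0.1:9000 (plain HTTP), public name
# auth.example.org, admin UI under /if/admin/, placeholder cert paths.

# Needed for the websocket connections Authentik uses (outposts, live updates).
# This map belongs in the http {} context, e.g. /etc/nginx/conf.d/upgrade.conf.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects, so HTTPS is enforced rather than optional.
server {
    listen 80;
    listen [::]:80;
    server_name auth.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name auth.example.org;

    # Certificates are managed here, once, instead of on every backend service.
    ssl_certificate     /etc/letsencrypt/live/auth.example.org/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/auth.example.org/privkey.pem;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Headers Authentik needs to build correct URLs and see the real client.
    # Declared at server level so both locations below inherit them.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    # Admin UI: only RFC1918 ranges get through, everyone else receives 403.
    # allow/deny match on $remote_addr, so this is only meaningful when NGINX
    # itself sees the client's real source address (nothing in front of it
    # rewriting source IPs).
    location /if/admin/ {
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny  all;
        proxy_pass http://127.0.0.1:9000;
    }

    # Everything else (login flows, the user portal, OAuth2/OIDC endpoints)
    # stays reachable from the Internet so the exposed services keep working.
    location / {
        proxy_pass http://127.0.0.1:9000;
    }
}
```

Two things worth checking after applying something like this: from an external address, a request to `https://auth.example.org/if/admin/` should return 403 while the login flow still loads, and `nginx -t` should pass before reloading. Hiding the admin UI path this way limits where the interface can be opened from; it does not by itself change what the admin account is allowed to do, which is what the following sections are about.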

## Restrict admin interface

## Limit admin access

## Prevent admin login from outside local networks