Traefik Reverse Proxy Security Headers
Hi Ben,
I would just like to see if you already know the answer to this before I dig into the documentation to figure out what the issue is please.
I use Traefik as a reverse proxy to externally access resources within my home network. This excellent guide is what I've used to set this up: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/
All my Docker containers and non-docker apps such as SecuritySpy have security headers set up as described here: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Security_Headers_as_Labels
I don't really know what these do or the benefits they bring to the reverse proxy side of things, but I found that if I used them for SecuritySpy, the iOS app doesn't work, yet the web interface is fine. If I remove the security headers option, both the app and web work (it's still using https via Lets Encrypt).
I could continue to run without the secure headers, but I wonder if the connection to SecuritySpy is less secure as a result.
Can you see anything obvious from the above linked security headers that would prevent the iOS app from working by any chance please?
On a related but different issue, what I would really like is the ability to hide SecuritySpy behind either OAuth or Authelia (both in the same guide). The web interface will easily manage behind them, but the app just fails because it can't handle a redirect to OAuth or Authelia. I realise this is well beyond the scope of the app though because your own implementation of Letsencrypt works fine for the majority of users, but I thought I'd mention it in case you have any ideas.
Thanks,
Paul.
I would just like to see if you already know the answer to this before I dig into the documentation to figure out what the issue is please.
I use Traefik as a reverse proxy to externally access resources within my home network. This excellent guide is what I've used to set this up: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/
All my Docker containers and non-docker apps such as SecuritySpy have security headers set up as described here: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Security_Headers_as_Labels
I don't really know what these do or the benefits they bring to the reverse proxy side of things, but I found that if I used them for SecuritySpy, the iOS app doesn't work, yet the web interface is fine. If I remove the security headers option, both the app and web work (it's still using https via Lets Encrypt).
I could continue to run without the secure headers, but I wonder if the connection to SecuritySpy is less secure as a result.
Can you see anything obvious from the above linked security headers that would prevent the iOS app from working by any chance please?
On a related but different issue, what I would really like is the ability to hide SecuritySpy behind either OAuth or Authelia (both in the same guide). The web interface will easily manage behind them, but the app just fails because it can't handle a redirect to OAuth or Authelia. I realise this is well beyond the scope of the app though because your own implementation of Letsencrypt works fine for the majority of users, but I thought I'd mention it in case you have any ideas.
Thanks,
Paul.
Comments
[http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
server = ""
Specifically, 'server = ""'
If I remove that line it works, so I consider this issue closed.
I would still be interested in your thoughts about redirecting the request for OAuth or Authelia please (my last paragraph).
Thanks.
What I realised when looking at the reverse proxy Traefik logs was that the headers from the iOS app contained the following:
\"User-Agent\":[\"SecuritySpyViewer/123\"],
As a result, I can look for this specific header and send the request to a different middleware. e.g.
rule: "Host(`example.com`) && (HeadersRegexp(`User-Agent`, `SecuritySpyViewer`))"
A full example can be found here:
https://pastebin.com/Bb3Kpzz4
rule: "Host(`example.com`) && (HeadersRegexp(`User-Agent`, `SecuritySpyViewer`) || HeadersRegexp(`User-Agent`, `AppleCoreMedia`))"
2. Also curious if the port bug was fixed. Re: mobile app always goes back to port 8000 or 8001 (I forget now..) no matter what is typed in. When I'm on my home network I just use 8001, but externally I have no easy solution except to pass port 8001 directly through.
3. Last request, and sorry to change the thread a bit, but it's related to reverse proxying. Do you think you can add a subfolder option? I realize this is asking a lot, but it would be epic if security spy could serve from https://0.0.0.0:8001/cameras/ (or a folder/path of ones' choosing). Most of the apps I run are all in their own sub folder on one domain, so I don't need a bunch of host names for each "thing" I run. My reverse proxy config for security spy is ugly, and its success changes with every release: https://github.com/Go-Lift-TV/organizr-nginx/blob/master/golift/securityspy.conf#L11
@paul2000 It is not possible to use an external auth provider with the security spy mobile app. It currently only support basic http auth. Great job getting the rest of it to work out the way you did. That's good stuff!
Thank you!
-captain
PS. Recordings are going very well. Thanks for the support recently!