[GH-ISSUE #9] Possible to add authentication on web interface (port 3000)? #7

Open
opened 2026-02-27 14:56:53 +03:00 by kerem · 4 comments

Originally created by @aurrak on GitHub (Jul 13, 2021).
Original GitHub issue: https://github.com/netbootxyz/webapp/issues/9

Is it possible to add password protection to the node.js web interface? It would be nice to have some sort of protection against malicious tampering with the boot.cfg or the menu entries.


@worldowner commented on GitHub (Aug 1, 2022):

This is a good point. Are there any plans to implement this?


@turegano-equinix commented on GitHub (Nov 28, 2023):

You can put an nginx in front of it to protect the port.

docker-compose.yaml:

```yaml
---
version: "2.1"
services:
  netbootxyz:
    image: ghcr.io/netbootxyz/netbootxyz
    container_name: netbootxyz
    environment:
      - MENU_VERSION=2.0.47 # optional
    volumes:
      - /netboot.xyz/config:/config # optional
      - /netboot.xyz/assets:/assets # optional
    ports:
      #- 3000:3000   # not published directly; only reachable through nginx
      - 69:69/udp
      - 8080:80 #optional
    restart: unless-stopped
  nginx:
    image: nginx:latest
    container_name: nginx
    volumes:
      - /netboot.xyz/config/nginx/reverse_proxy.conf:/etc/nginx/conf.d/default.conf
      - /netboot.xyz/config/nginx/.htpassw:/etc/nginx/.htpasswd
    ports:
      - 3000:3000
    links:
      - netbootxyz
```

And the reverse_proxy.conf:

```nginx
server {
    listen 3000;
    server_name netbootxyz;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://netbootxyz:3000/;
    }
}
```

To generate the .htpassw file: https://www.web2generators.com/apache-tools/htpasswd-generator


@popy2k14 commented on GitHub (Jun 1, 2025):

It would be nice if netboot.xyz had at least a basic auth out of the box.


@luckylinux commented on GitHub (Jan 9, 2026):

Another option is to use either:

- Authentik Proxy Outpost
- Possibly oauth2-proxy

I set it up with Authentik Proxy Outpost + Caddy + ForwardAuth, that works quite well.

Caddyfile:

```caddyfile
# Example and Guide
# https://caddyserver.com/docs/caddyfile/options

# General Options
{
    # (Optional) Debug Mode
    # debug

    # Disable Admin API
    admin off

    # TLS Options
    # (Optional) Disable Certificates Management (only if SSL/TLS Certificates are managed by certbot or other external Tools)
    auto_https disable_certs
}

# (Optional) API Endpoint
#localhost {
#    reverse_proxy /api/* localhost:9001
#}

# Main Hostname
# (Optional) Only if SSL/TLS Certificates are managed by certbot or other external Tools and Custom Logging is required
{$APPLICATION_HOSTNAME} {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}

    log {
        output file /var/log/server/{$APPLICATION_HOSTNAME}/access_web.json {
            roll_size 100MiB
            roll_keep 5000
            roll_keep_for 720h
            roll_uncompressed
        }

        format json
    }

    route {
        # Always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* https://{$OUTPOST_HOSTNAME}:{$OUTPOST_PORT} {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }

        # Forward authentication to outpost
        forward_auth https://{$OUTPOST_HOSTNAME}:{$OUTPOST_PORT} {
            uri /outpost.goauthentik.io/auth/caddy

            # Capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # (Optional)
            # If not set, trust all private ranges, but for Security Reasons, this should be set to the outpost's IP
            trusted_proxies private_ranges
        }
    }

    # Proxy to Application
    reverse_proxy http://0.0.0.0:{$APPLICATION_PORT}
}

# Alias
# (Optional) Only if SSL/TLS Certificates are managed by certbot or other external Tools and Custom Logging is required
{$APPLICATION_HOSTNAME_ALTERNATE_01} {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}

    log {
        output file /var/log/server/{$APPLICATION_HOSTNAME_ALTERNATE_01}/access_web.json {
            roll_size 100MiB
            roll_keep 5000
            roll_keep_for 720h
            roll_uncompressed
        }

        format json
    }

    # Redirect to main Hostname
    redir https://{$APPLICATION_HOSTNAME}{uri} permanent
}

# Alias
# (Optional) Only if SSL/TLS Certificates are managed by certbot or other external Tools and Custom Logging is required
{$APPLICATION_HOSTNAME_ALTERNATE_02} {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}

    log {
        output file /var/log/server/{$APPLICATION_HOSTNAME_ALTERNATE_02}/access_web.json {
            roll_size 100MiB
            roll_keep 5000
            roll_keep_for 720h
            roll_uncompressed
        }

        format json
    }

    # Redirect to main Hostname
    redir https://{$APPLICATION_HOSTNAME}{uri} permanent
}

# Authentik Outpost
{$OUTPOST_HOSTNAME}:{$OUTPOST_PORT} {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}

    log {
        output file /var/log/outpost/{$OUTPOST_HOSTNAME}/access.json {
            roll_size 100MiB
            roll_keep 5000
            roll_keep_for 720h
            roll_uncompressed
        }

        format json
    }

    # IPv4 Reverse Proxy to internal unencrypted Host
    reverse_proxy http://0.0.0.0:9000

    # IPv6 Reverse Proxy to internal unencrypted Host
    # reverse_proxy http://[::1]:9000
}
```

.env.caddy:

```
# Define Application Hostname and Aliases
APPLICATION_HOSTNAME=netboot.MYDOMAIN.TLD
APPLICATION_HOSTNAME_ALTERNATE_01=netbootxyz.MYDOMAIN.TLD
APPLICATION_HOSTNAME_ALTERNATE_02=tftpserver1.MYDOMAIN.TLD

# Define Certificate Domain
# In this case: use Wildcard Certificate
APPLICATION_CERTIFICATE_DOMAIN=MYDOMAIN.TLD
APPLICATION_CERTIFICATE_CERT_FILE=fullchain.pem
APPLICATION_CERTIFICATE_KEY_FILE=privkey.pem

# Define Application Port
APPLICATION_PORT=3000

# Define Outpost Hostname
OUTPOST_HOSTNAME=netboot.MYDOMAIN.TLD

# Define Outpost Port (TLS)
OUTPOST_PORT=9443
```