Homarr · 10mo ago
bates

Could I host Homarr publicly?

So as far as I understand, authentication is being worked on, but is said authentication strong enough to host a "public" instance? I would love to host a dashboard for my root server, and Homarr is the best solution I've found yet.
18 Replies
ajnart · 10mo ago
We recommend you use a 3rd-party auth system like Authelia. Homarr has a built-in password feature, but beware that the password you use is stored as a cookie in plaintext atm. So anyone that can steal your cookies by hacking your browser will have access to your Homarr password. Other than that you're safe. The new auth update will completely fix these issues.
bates · 10mo ago
Gotcha, thank you!
taos[US] · 10mo ago
There are always risks when opening a service to the public. Remember, Homarr is a dashboard of your links; for stuff that can't be accessed from the WAN, you will not be able to open those apps/links. Also, if you expose anything with root access, use a 3rd-party security solution like Authelia/Authentik. If you just want to use Homarr from your phone when you are on the move, I would recommend my setup. Set up a VM with Tailscale as a subnet router and just connect your phone/laptop with the Tailscale app. It will let you access everything on your local network if you add your local DNS to Tailscale.
[Link preview] Tailscale: Subnet routers and traffic relay nodes. Learn how to relay traffic from your Tailscale network onto your physical subnet.
[Link preview] Tailscale: DNS in Tailscale. Learn how to automatically assign DNS names for devices in your Tailscale network.
taos[US] · 10mo ago
Then you don't even need to worry about reverse proxying your services or changing your Homarr links. You can use the local links that you set, and everything will work outside of your network, secured as if you were in your local network. The DNS part is extra if you want to use your local DNS.
bates · 10mo ago
I mean, my current setup is very much public already, because I'm running all my services in Docker containers on a hosted root server, handling all the routing through an Nginx Proxy Manager container, so accessing things from the outside shouldn't be that much of an issue, although something like Authelia might be worth looking into!
taos[US] · 10mo ago
If you are using basic auth, then Homarr will be just as good/bad, or maybe better.
bates · 10mo ago
Right now I'm using each service's own authentication system, which is usually just username + password. I was just worried about the "the password you use is stored as a cookie in plaintext atm" part :D
Manicraft1001 · 10mo ago
Yes, the cookie is very bad practice and we don't like it ourselves. The next major update will fix this though, by removing it completely and adding a new authentication system.
bates · 10mo ago
Perfect, then I'll just wait for the next update and deploy then! Thank you all for the help ^^
Manicraft1001 · 10mo ago
Sure! Note that the next update won't be auth. We want to push a few bugfixes for 0.13.1. After 0.13.2, we'll push authentication. It's already done. We'll probably do a beta program in #🚀・insider.
bates · 10mo ago
Gotcha!
paradox · 10mo ago
If hosted publicly and there are links to LAN devices (which won't work, obviously), is there any security risk there with them just having the links and ports for, e.g., Sonarr? Even if Sonarr isn't on the WWW?
Manicraft1001 · 10mo ago
No, not directly. But Homarr will act as a proxy. It won't forward any request though, only the ones for getting the movie and series data, for example.
Tag · 10mo ago
You never know where there could be a vulnerability though; I would still not expose Homarr. This is the same for any app. The recommendation for Docker and Kubernetes is to never expose your apps to the internet.
Manicraft1001 · 10mo ago
Totally agree. The future update will improve security significantly, but I still would be mindful about exposing it. We don't update all dependencies after a few days; they often are open for longer. So you might have smaller vulnerabilities sitting around. If you plan to expose, at least use some kind of anti-botnet and captcha with Cloudflare. There are generally way too many open Homarr instances on Google. You can find them easily. Yours will be there too if you expose, unless you disallow crawling on your proxy.
Tag · 10mo ago
And also, nothing can beat having a dedicated auth system with Authelia/Authentik. Adding a security layer is what they are made for.
Manicraft1001 · 10mo ago
Actually, we will support Authelia in the future, so you can use it as single sign-on. But this will still take a few months.
Tag · 10mo ago
Even more reason to go that route.