Could I host Homarr publicly?
So as far as I understand, authentication is being worked on, but is said authentication strong enough to host a "public" instance?
I would love to host a dashboard for my root server, and Homarr is the best solution I've found yet
18 Replies
We recommend you use a 3rd party auth system like authelia. Homarr has a built-in password feature but beware that the password you use is stored as a cookie in plaintext atm. So anyone that can steal your cookies by hacking your browser will have access to your homarr password. Other than that you’re safe
The new auth update will completely fix these issues
Gotcha, thank you!
There are always risks when opening a service to the public. Remember Homarr is a dashboard of your links; stuff that can't be accessed from the WAN you will not be able to open through those apps/links. Also, if you expose anything with root access, use a 3rd party security solution like Authelia/Authentik. If you just want to access Homarr from your phone when you are on the move, I would recommend my setup.
Set up a VM with Tailscale as a subnet router and just connect your phone/laptop with the Tailscale app. It will let you access everything on your local network if you add your local DNS to Tailscale.
Tailscale: Subnet routers and traffic relay nodes. Learn how to relay traffic from your Tailscale network onto your physical subnet.
Tailscale: DNS in Tailscale. Learn how to automatically assign DNS names for devices in your Tailscale network.
Then you don't even need to worry about reverse proxying your services or changing your Homarr links. You can use the local links that you set and everything will work outside of your network, secured as if you were in your local network.
The DNS part is extra if you want to use your local DNS.
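The subnet-router setup described above, written out as an added example (this is not code from the thread, from Homarr or from Tailscale). It assumes a Linux VM with Tailscale already installed, run as root, and uses 192.168.1.0/24 as a constructed placeholder for the home LAN. The script refuses to advertise anything outside RFC 1918 space, since a typo there would relay traffic for a public prefix through the VM; advertised routes still have to be approved in the tailnet admin console (or by an auto-approver ACL), and the "add your local DNS" step is done there too, under DNS, not on the command line.

```shell
#!/bin/sh
# Added example: make a Linux VM a Tailscale subnet router so devices on the
# tailnet can reach the LAN (and Homarr's LAN links) without exposing Homarr.
# Assumptions: tailscale is installed, run as root, LAN is 192.168.1.0/24
# (constructed placeholder). Routes must be approved in the admin console.

# Accept only a well-formed dotted-quad IPv4 address.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Accept only a.b.c.d/n where a.b.c.d is RFC 1918 space and 0 <= n <= 32.
is_private_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    valid_ipv4 "$ip" || return 1
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Validate a comma-separated route list and emit the exact CLI argument.
# Fails (exit 1) on any malformed or non-private prefix.
advertise_routes_arg() {
    routes=$1
    old_ifs=$IFS; IFS=,
    set -- $routes
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for cidr in "$@"; do
        if ! is_private_cidr "$cidr"; then
            echo "refusing malformed or non-private route: $cidr" >&2
            return 1
        fi
    done
    printf -- '--advertise-routes=%s' "$routes"
}

# Apply the configuration on the VM (only runs when invoked as: ./script apply [cidrs]).
enable_subnet_router() {
    arg=$(advertise_routes_arg "$1") || return 1
    # The kernel must forward packets between tailscale0 and the LAN NIC.
    # Persist this in /etc/sysctl.d/ as well so it survives a reboot.
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv6.conf.all.forwarding=1
    # If tailscale is already up with different flags it will ask you to
    # re-specify them or pass --reset; that is expected.
    tailscale up "$arg"
    # Routes show as pending until approved in the admin console.
    tailscale status
}

case "${1:-}" in
    apply) enable_subnet_router "${2:-192.168.1.0/24}" ;;
esac
```

On each phone or laptop, install the Tailscale app and accept the advertised routes (and tailnet DNS, if you configured split DNS); the LAN links in Homarr then resolve and open exactly as they do at home, with nothing published on the WAN.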
I mean, my current setup is very much public already, because I'm running all my services in Docker containers on a hosted root server, handling all the routing through an Nginx Proxy Manager container, so accessing things from the outside shouldn't be that much of an issue, although something like Authelia might be worth looking into!
If you are using the basic auth then homarr will be just as good/bad or maybe better.
Right now I'm using each service's own authentication system, which is usually just username + password. I was just worried about
"the password you use is stored as a cookie in plaintext atm."
that part :D
Yes, the cookie is very bad practice and we don't like it ourselves. The next major update will fix this though by removing it completely and adding a new authentication system.
Perfect, then I'll just wait for the next update and deploy then!
Thank you all for the help ^^
Sure! Note that the next update won't be auth. We want to push a few bugfixes for 0.13.1
After 0.13.2, we'll push authentication. It's already done. We'll probably do a beta program in #🚀・insider
Gotcha!
If hosted publicly and there are links to LAN devices (which won't work, obviously), is there any security risk there with them just having the links and ports for e.g. Sonarr? Even if Sonarr isn't on the WWW?
No, not directly. But Homarr will act as a proxy. It won't forward any request though - only the ones for getting the movie and series data, for example
You never know where there could be a vulnerability though, I would still not expose homarr. This is the same for any app. The recommendation for docker and kubernetes is to never expose your apps to the internet
Totally agree. The future update will improve security significantly, but I still would be mindful about exposing it. We don't update all dependencies after a few days - they often are open for longer. So you might have smaller vulnerabilities sitting around.
If you plan to expose, at least use some kind of Anti-bot net and Captcha with Cloudflare
There are generally way too many open Homarr instances on Google. You can find them easily. Yours will be there too, if you expose it, unless you disallow crawling on your proxy.
And also, nothing can beat having a dedicated auth system with Authelia/Authentik. Adding a security layer is what they are made for
Actually, we will support Authelia in the future, so you can use it as single sign on. But this will still take a few months
Even more reason to go that route