Reverse Proxy Authentication in designer

Hi folks, I have a situation where I have to put an ignition gateway behind a reverse proxy that requires authentication. At this time, the proxy is just using basic http auth, so when accessing the GW page or Perspective, a user just gets prompted by the browser and is able to get where they need to go.
For the Designer, I can’t seem to figure out how this would work at all. Nginx responds with a 401 (Authorization Required), since no authentication has happened. If it were a normal proxy, I think I could simply add the details to the default launcher jvm options. With this being a reverse proxy, I think the launcher/designer would have to perform the authentication.

Has anyone tried this before? Is it at all possible? Is there a way to pass in credentials so that the designer launcher and/or the designer are able to use this reverse proxy?

I don't think it's possible, to be honest, unless your reverse proxy and Ignition share the same IdP, and then the cookie would remain in the browser? Even then I'm a bit skeptical.

I would look at using something like tailscale to reach your servers to open the designer.

The issue really is that I don’t even think there’s a way for it to authenticate that I can see, except for maybe some custom logic to launch the designer directly.

Tailscale is great, but it doesn’t really apply as far as I can tell. My use-case is not about reachability, but rather access control to in-house testing resources. Perhaps I’ll dump authentication and go with whitelisting addresses. Not ideal but it would work.
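For reference, here is what the two access-control approaches discussed in this thread look like as nginx configuration. This is an added example, not configuration posted by anyone in the thread; the upstream address, the htpasswd path and the allowed subnets are assumed placeholders. The first `location` keeps HTTP basic auth (browser prompts, Designer launcher gets a 401); the second uses an address allowlist, which the launcher can pass without any credentials; the third combines them with `satisfy any`, so a request is accepted if it comes from an allowed address or carries valid basic-auth credentials.

```nginx
# Example nginx reverse-proxy config in front of an Ignition gateway.
# Assumptions (placeholders): gateway at 127.0.0.1:8088, htpasswd file at
# /etc/nginx/ignition.htpasswd, in-house subnets 10.0.0.0/8 and 192.168.0.0/16.

upstream ignition_gw {
    server 127.0.0.1:8088;
}

server {
    listen 443 ssl;
    server_name qa-gw.example.internal;  # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Option 1: basic auth for everyone.
    # Browsers prompt for credentials; the Designer launcher does not
    # answer the 401 challenge, so Designer launches fail here.
    location /basic-auth-only/ {
        auth_basic           "QA gateways";
        auth_basic_user_file /etc/nginx/ignition.htpasswd;
        proxy_pass           http://ignition_gw/;
    }

    # Option 2: address allowlist only, no credentials involved.
    # Works for the Designer launcher because no challenge is issued;
    # everything outside the listed ranges receives a 403.
    location /allowlist-only/ {
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny  all;
        proxy_pass http://ignition_gw/;
    }

    # Option 3: either an allowed address OR valid basic-auth credentials.
    # 'satisfy any' accepts the request if any one access check passes,
    # so in-house clients (including the Designer) get through on address
    # alone, while everyone else still has to authenticate.
    location / {
        satisfy any;

        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny  all;

        auth_basic           "QA gateways";
        auth_basic_user_file /etc/nginx/ignition.htpasswd;

        proxy_pass http://ignition_gw/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

In practice only one of the three `location` blocks would be used for the gateway root; they are shown side by side to compare the behaviour. Note that an address allowlist only identifies where a request came from, not who sent it, which is why option 3 keeps basic auth for anything outside the listed ranges.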

Why can't you just set these gateways up with users/authentication such that only the users you want have access to the Designer? Why are you trying to introduce some out of band authentication / access control?

That’s a good point. These gateways are used by the QA team, and we manage a couple dozen short-lived systems at any given time. We’re looking at reducing access to these systems that right now may or may not have default credentials. This is more about not letting everyone access these systems, and not as much about the security of Ignition itself.
Doing the authentication at the proxy seemed like the simplest solution. A single place to authenticate rather than having to manage credentials or set up an identity provider on each individual gateway.

I’m not committed to the idea just yet, and it is starting to look like it isn’t the “simplest solution” anymore.