Last Updated 2 months by cneuhaus
A few hours back, I had a straightforward problem: I needed to access my local server securely from the internet without opening it up to unwanted access.
What triggered this need was my own app Free Your Photos – that gets you out of the Google Photo Cloud and hosts your photos on a local server – YOU OWN THEM. Now with this solution I can show my photos on any PC – even without a VPN.
My first instinct was to use a VPN – but this would require a VPN installed on the “browser side”, so I would not be able to access my page from any other computer or phone.
But – what about accessing my local-server from EVERYWHERE without any VPN setup – but still having security?
That’s when I stumbled on the idea of using a reverse proxy with multi-factor authentication (MFA). Instead of opening the whole network like a VPN, a reverse proxy could act as a gatekeeper, allowing access only to the server itself and only to authorized users. I set it up to require Google Authenticator, so even if someone got to the login screen, they’d need a time-based code to get through.
ChatGPT gives a pretty good instructions for all the steps that worked right away for HTTP. But to get HTTPS working I needed some fine-tuning:
My configuration: Using Pything with Gunicorn and nginx on Ubuntu.
What I needed to do special:
Domain Registration
- Register a domain on Cloudflare
- Assure came record is your domain-name and pointing as target to your tunnel, e.g. “345234-1420-4c4e-b8e4-86f8a885ba7a.cfargotunnel.com”
- Download Origin – Certificates: SSL/TLS->Origin Server – that are used to authenticate the local server against Cloudflare, save them in a folder accessible by nginx web server.
Tunnel Configuration
ZeroTrust – Config => Network => Tunnels => Cloudflared
Type: https, URL: localhost:443
TSL: NO TLS Verify
Nginx Config
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <your domain name>;
ssl_certificate /etc/ssl/certs/cloudflare_cert.pem; # Path to your SSL certificate
ssl_certificate_key /etc/ssl/certs/cloudflare_key.pem; # Path to your private key
location / {
include proxy_params;
proxy_pass http://unix:/home/cneuhaus/FreeYourPhotos/fyp.sock;
}
}
Google Authentification
Access should only be for myself, so I wanted to use Google as authentication provider. For simple steps ChatGPT again is your friend.
But I only wanted access for myself – otherwise everybody with google account can login, for this:
Zero Trust=>Settings=>Authentification=>Login Methods, enter App-ID and Client Secret.
Zero Trust=>Application (create new one) =>Policies=>Configure Rules=> add your full Gmail address here