zoraxy icon indicating copy to clipboard operation
zoraxy copied to clipboard
verified publisher icon tobychui

[ENHANCEMENTS] Allow bypass of Basic Auth for specified subnets

Open Sprooty opened this issue 1 year ago • 9 comments

Is your feature request related to a problem? Please describe. I run services at home that i wish to also access externally, basic auth is a great option for this, however i have seen other similar apps that allow bypass of basic auth for specified subnets, eg 192.168.0/23 or 10.0.0./23

Describe the solution you'd like In basic auth config, allow to specify subnets that will bypass basic auth

Describe alternatives you've considered There is no workaround currently in Zoraxy

Additional context

Sprooty avatar Jul 23 '24 10:07 Sprooty

+1. This could potentially be quite easy to implement with an option of adding an access control list to the basic auth option or, as in NPM, have the option to "satisfy any" so either the access control list OR the basic auth.

FirefoxNL avatar Sep 15 '24 21:09 FirefoxNL

@FirefoxNL Thanks for the input. For basic auth, I kinda want to keep it simple (as it is mostly for legacy browsers / embedded machines).

There is an up-coming Zoraxy SSO + oAuth feature which I guess might be more interesting for these types of uses cases. Though, I will still keep this here just in case someone want to pick it up and create a PR 👍🏻

tobychui avatar Sep 16 '24 02:09 tobychui

+1, this feature would be great just like npm auth if not whitelisted + access ip image image image

neumeier-cloud avatar Oct 28 '24 10:10 neumeier-cloud

I would like this as well. This is the only feature that keeps me away from zoraxy

deluxestyle avatar Feb 01 '25 19:02 deluxestyle

not joking, i went back to npm just because of this, zoraxy >>>>>> npm, but the fact i cant auth some apps unless i can bypass by making them "Trusted ips" is an absolute deal breaker for me

king8084 avatar Feb 08 '25 06:02 king8084

Finally got time to implement this after a year or so.

Image

In the next release you will be able to add IP / CIDR into exclusion list for basic auth.

tobychui avatar Aug 17 '25 06:08 tobychui

@tobychui That looks very good! Looks like this is now implemented per proxy, which is nice! Have you considered implementing this on the access control? I feel like that already covers security and allows you to configure it once and use the exclusion for multiple hosts. :)

FirefoxNL avatar Aug 17 '25 13:08 FirefoxNL

@FirefoxNL Nope, as Authentication Provider and Access Control Rules are two separated modules, they cant be merged together easily without some big rewrite.

tobychui avatar Aug 18 '25 12:08 tobychui

can't IP addresses be spoofed?

AnthonyMichaelTDM avatar Aug 20 '25 00:08 AnthonyMichaelTDM

Closing this as the feature has already been implemented. But in general you should use path prefix instead of IPs as mentioned above, IP can be spoofed and it is not possible for Zoraxy to get client IP in 100% accuracy.

tobychui avatar Nov 28 '25 12:11 tobychui