Aliasvault (self-hosted), Pangolin and custom proxy headers for iOS app?

[luca-salga]

Hello there. I've started experimenting with Aliasvault, self-hosted.

My setup uses Pangolin, providing both authentication and authorization policies and reverse-proxy services to the servers that I am setting up and that sit behind it.

I've tried to find a way to not expose Aliasvault through the reverse proxy directly to the Internet, taking advantage of the authentication/authorization layer provided by Pangolin before letting users through to Aliasvault's authentication page.

This works well with Aliasvault's browser extension, but I can't find a way to make it work with Aliasvault's iOS app.

Immich has solved this by implementing custom proxy headers in their mobile and desktop apps, which in turn are used by Pangolin to let HTTPS requests through to the Immich server based on Pangolin's authentication and authorization policies.

So, here are my questions (finally ;-):

1. Is there a way that Aliasvault, especially its mobile apps, can accept two authentication layers, one when going through the proxy (Pangolin, in my case), and the second one being its own, built in authentication? Am I overlooking a solution here?

2. If the answer to the first question should be "no", is there a plan to implement custom proxy headers, similarly to what the Immich community has done?

I believe that having an independent authentication and authorization layer in front of the Aliasvault server would greatly improve the security of self-hosted setups.

Thanks!
Luca

[lanedirt]

Hi @salgarelli,

Thanks for your question! At this time, AliasVault does not support custom proxy headers for the mobile apps. I'm not familiar with Pangolin personally, so I can't answer to your question if there might be a workaround.

However adding custom header support is something we could consider for the future.

If you have any specific references on how other apps (such as Immich per your example) implemented this so it works for Pangolin users, feel free to share it here or create a feature request issue via the issues page. That would help to evaluate whether we can support a similar solution and in what timeframe.

[luca-salga]

Thanks for the answer. I will definitely write up a feature request issue, thanks. In the meanwhile, if any members of the community have faced the same or similar issues and have ideas on how to solve it (w/o custom proxy headers), please speak up! Thanks!
BTW, Aliasvault seems to be quite on the right track to be an excellent product: thanks for your work.

[luca-salga]

Hi @lanedirt I've created the issue

By the way, I've also found this Obsidian plugin (also open source) that implements the same feature as Immich.

It's working perfectly behind Pangolin.

Please consider adding this feature: the attack surface of Aliasvault for self-hosted installations is much too high without an authenticated-proxy in between, IMHO.

Thanks!
Luca

[luca-salga]

Closed w/ next version of app.

[lanedirt]

This feature is now available in the latest 0.29.0 app which has just been released.

[luca-salga]

Thanks @lanedirt: everything seems to be working as expected!

[baldemar-wuda]

Can we get the exact same thing for the browser extension?

[luca-salga]

You can work around it by using your browser and logging in to the web interface of the (self-hosted) AV server: after that, the browser extension will work.

Having said that, adding proxy-traversing headers to the browser extension would definitely simplify the workflow!