My main use case is using it to protect my exposed Home Assistant instance in a way that doesn’t require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.
As a more general rule, I apply it to anything I want to expose but can’t easily protect using OIDC logins. I used to put more behind it, but I recently opened up my services to friends and family, so I moved to using Authentik as my primary defense for most things.
I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?
If you feel up for answering, what is your use case for wanting to manage your own mTLS?
My main use case is using it to protect my exposed Home Assistant instance in a way that doesn’t require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.
As a more general rule, I apply it to anything I want to expose but can’t easily protect using OIDC logins. I used to put more behind it, but I recently opened up my services to friends and family, so I moved to using Authentik as my primary defense for most things.
I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
You can use Authentik to setup an LDAP outpost then use a jellyfin LDAP plug-in to sync everything up.
https://github.com/jellyfin/jellyfin-plugin-ldapauth?tab=readme-ov-file
I don’t want to manage my mTLS. That’s why I’m looking for a better solution.
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?