Once your services are exposed to the public internet, security becomes the primary concern. Most applications have User/Auth Services for user registration and login. This article briefly introduces how to add user login functionality to services deployed on the public network.

Nginx Basic Auth

This is the most basic form of user login: there is no front end at all, only a login prompt, and Nginx can handle it by itself. The Stats for Strava image mentioned earlier for Strava data analysis does not include any user login. If it is deployed directly on the public internet, anyone can view your heat map and make a rough guess at where you live, so adding this feature becomes very necessary.

For specific configuration, see: Deploying Strava Data Analysis Dashboard with Docker | Kunyang’s Blog

Generally, for read-only services like Strava, a single username and password is sufficient.

Nginx Basic Auth

Cloudflared Zero Trust Access

For services with write permissions (like Portainer, which can control container startup/shutdown) or services involving money (like Freqtrade), I believe username and password alone are insufficient. Fortunately, Cloudflared Zero Trust provides 2FA functionality, allowing you to add email 2FA or other MFA.

Configuration

In Cloudflare → Zero Trust → Access, add an application. Enter the domain you want to protect, such as strava.kyxie.me. Then add a Policy, select Email, fill in your email address, and finally apply this Policy to the application. This enables Cloudflare’s email 2FA for that domain.

Cloudflared Access

Limitations

Cloudflared Access cannot provide per-path access control the way nginx does. For example, Stats for Strava has a webhook endpoint that Strava calls to update activities in real time. Because the Access policy applies to every path of the application, Cloudflared might block the webhook requests as well, causing the webhook to fail.

Cloudflared has solutions, but I found the configuration quite complex and not worth pursuing further.
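The per-path control that nginx offers and Cloudflare Access lacks, shown as an added example (this is not configuration from the original post or from the Stats for Strava project). It puts the whole dashboard behind basic auth and exempts only the webhook path, which Strava must be able to reach without credentials. Assumptions: the dashboard listens on 127.0.0.1:8080, the password file is /etc/nginx/.htpasswd, the hostname and certificate paths are placeholders, and /webhook stands in for whatever path your deployment actually registers with Strava.

```nginx
# Added example, not from the original post or the Stats for Strava project.
# Assumptions: upstream on 127.0.0.1:8080, htpasswd file at /etc/nginx/.htpasswd,
# placeholder hostname/certificate paths, and /webhook as a placeholder for the
# webhook path your deployment registers with Strava.

server {
    listen 443 ssl;
    server_name strava.example.com;   # placeholder hostname

    # TLS is mandatory: basic auth only base64-encodes the password, it does not encrypt it.
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder path

    # Default rule: everything is behind basic auth.
    location / {
        auth_basic           "Strava dashboard";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Exception: the endpoint Strava calls. Exact match (=) so only this one path
    # is exempt. Strava validates the subscription with GET and delivers events
    # with POST; everything else is refused so the exemption stays as narrow as possible.
    location = /webhook {
        auth_basic off;
        limit_except GET POST {
            deny all;
        }

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/.htpasswd <username>` from apache2-utils, then run `nginx -t` before reloading. The exact-match `location =` block matters: a prefix match such as `location /webhook` would also exempt anything beneath that path, which is exactly the kind of hole the Cloudflare "all or nothing" behaviour above avoids by accident.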

Authelia

For more powerful IAM (Identity and Access Management) capabilities, you can use Authelia, which also supports Docker deployment. For my use case, it’s completely unnecessary to deploy it on my server, since only I and other hackers can access it.