I’m looking for a self-service type page that allows me to sign in and download new certs.

    • Solar Bear@slrpnk.net
      3 days ago

      My main use case is using it to protect my exposed Home Assistant instance in a way that doesn’t require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.

      As a more general rule, I apply it to anything I want to expose but can’t easily protect using OIDC logins. I used to put more behind it, but I recently opened up my services to friends and family, so I moved to using Authentik as my primary defense for most things. mTLS was great when it was just me; I can easily install the cert into my own browser and all of my Android apps (except Firefox Android…), but friends and family just zone out when I explain why their new phone doesn’t connect, so I had to adjust my systems to compensate.

    • Possibly linux@lemmy.zipOP
      3 days ago

      I don’t want to manage my mTLS. That’s why I’m looking for a better solution.

      To actually answer your question, I use mTLS to protect all my self-hosted services. It is highly secure since it operates on the transport layer.

      • glizzyguzzler@piefed.blahaj.zone
        2 days ago

        Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?