|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: How to authenticate your HTTP tunnels with inlets and OAuth. |
| 4 | +description: Learn how to secure your tunnelled HTTP services using the Inlets built-in HTTP authentication. |
| 5 | +author: Han Verstraete |
| 6 | +category: tutorial |
| 7 | +rollup: true |
| 8 | +author_img: welteki |
| 9 | +image: /images/2025-03-authenticate-http-tunnels/background.png |
| 10 | +date: 2025-03-10 |
| 11 | +--- |
| 12 | + |
| 13 | +In this tutorial you will learn how to secure your tunnelled HTTP services using the Inlets built-in HTTP authentication. |
| 14 | + |
| 15 | +While inlets allows you to quickly expose any HTTP application to the public internet, you may not want everyone to be able to access it. Inlets can quickly add authentication to your application without any changes. |
| 16 | + |
| 17 | +At the moment of writing Inlets support three forms of authentication: |
| 18 | + |
| 19 | +- OAuth |
| 20 | +- Basic authentication |
| 21 | +- Bearer token authentication |
| 22 | + |
| 23 | +We will be showing you how to configure each of these authentication methods. |
| 24 | + |
| 25 | +## Prerequisites |
| 26 | + |
| 27 | +We assume you have an Inlets HTTP tunnel server deployed. If you don't have a tunnel yet follow our docs to [create a new HTTP tunnel server](https://docs.inlets.dev/tutorial/automated-http-server/). |
| 28 | + |
| 29 | +For the tunnel client make sure you have the [`inlets-pro` binary](https://github.com/inlets/inlets-pro/releases), version 0.10.0 or higher installed. Earlier versions do not support authentication. |
| 30 | + |
| 31 | + |
| 32 | +## Connect the tunnel client |
| 33 | + |
| 34 | +In this example we will be exposing a Prometheus server so people can access the UI and HTTP API to explore metrics. |
| 35 | + |
| 36 | +Expose the Prometheus upstream without any authentication enabled: |
| 37 | + |
| 38 | +```sh |
| 39 | +inlets-pro http client \ |
| 40 | + --url "wss://157.180.37.179:8123" \ |
| 41 | + --token-file "./token" \ |
| 42 | + --upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 |
| 43 | +``` |
| 44 | + |
| 45 | +Authentication for tunnels is configured through flags when connecting to the tunnel server. In the next paragraphs we will be going through the configuration for different authentication methods. The `--url` and `--token-file` flags will be left out of the commands for brevity but should be provided when connecting to your own tunnel. |
| 46 | + |
| 47 | +## OAuth with GitHub |
| 48 | + |
| 49 | +If you want to avoid managing and distributing credentials for your application or need fine grained control over who can access the app you can use OAuth to protect tunneled applications. |
| 50 | + |
| 51 | +In this tutorial we will be setting up OAuth with GitHub so that users can login with their GitHub account to access the tunnel. |
| 52 | + |
| 53 | +1. Follow the [GitHub documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app) to create a new OAuth app for your tunnel. |
| 54 | +2. Set the Authorization callback URL. In this example we are using the domain `https://prometheus.demo.welteki.dev` to expose the tunnel. The authorization callback for the tunnel will be `https://prometheus.demo.welteki.dev/_/oauth/callback`. |
| 55 | + |
| 56 | + |
| 57 | +> Example GitHub OAuth app configuration |
| 58 | +
|
| 59 | +Once you complete the registration of your OAuth app you will get a client id and secret. Save these in a convenient location. Both values need to be provided through the `--oauth-client-id` and `--oauth-client-secret` to start the tunnel client with OAuth enabled. |
| 60 | + |
| 61 | +```diff |
| 62 | +inlets-pro http client \ |
| 63 | + --upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 \ |
| 64 | ++ --oauth-provider github \ |
| 65 | ++ --oauth-client-id $(cat ./oauth-client-id) \ |
| 66 | ++ --oauth-client-secret $(cat ./oauth-client-secret) \ |
| 67 | ++ --oauth-acl welteki |
| 68 | +``` |
| 69 | + |
| 70 | +The `oauth-acl` flag is used to provide a list of users that are allowed to access the application. In case of the GitHub provider the ACL value can either be a GitHub username or email. |
| 71 | + |
| 72 | +When trying to access the URl of the tunnel service, users will be asked to login with the configured provider, in this case GitHub, before they are able to access the application. |
| 73 | + |
| 74 | + |
| 75 | +> Login page for tunnels with GitHub OAuth enabled. |
| 76 | +
|
| 77 | +## Basic authentication |
| 78 | + |
| 79 | +The simplest form of authentication supported by Inlets is basic authentication. Enabling basic authentication on the tunnel will protect the HTTP service with a username and password. |
| 80 | + |
| 81 | +When a user visits the URl of the tunneled service they will be prompted for a username and password before they are able to access the application. |
| 82 | + |
| 83 | +Basic auth can be enabled for a tunnel by setting the basic auth flags when connecting the tunnel client. |
| 84 | + |
| 85 | +```diff |
| 86 | +inlets-pro http client \ |
| 87 | + --upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 \ |
| 88 | ++ --basic-auth-username welteki \ |
| 89 | ++ --basic-auth-password $(cat ./basic-auth-password) |
| 90 | +``` |
| 91 | + |
| 92 | +The `--basic-auth-user` flag is optional, when it is not provided the username will default to `admin`. |
| 93 | + |
| 94 | +For example, the following allows access to [email protected] along with login1 and login2. |
| 95 | + |
| 96 | +```sh |
| 97 | + |
| 98 | +--oauth-acl login1 \ |
| 99 | +--oauth-acl login2 |
| 100 | +``` |
| 101 | + |
| 102 | + |
| 103 | +> Basic auth login for a tunnel endpoint |
| 104 | +
|
| 105 | +## Token authentication |
| 106 | + |
| 107 | +The OAuth flow requires a web-browser and human interaction to authenticate. If you are tunneling a service like a HTTP API that needs to be accessed by a headless client, e.g. a script, mobile app or other non-web clients like a backend API, where it is not possible to complete the OAuth flow you can use Bearer Token Authentication. |
| 108 | + |
| 109 | +In the case of our Prometheus server we have seen how the UI can be protected with basic auth or OAuth but the Prometheus server also exposes an HTTP API that needs to be protected but accessible by other services. |
| 110 | + |
| 111 | +Generate a random token and store it in a file. We will use openssl to generate the token: |
| 112 | + |
| 113 | +```sh |
| 114 | +openssl rand -base64 16 > ./bearer-token |
| 115 | +``` |
| 116 | + |
| 117 | +Start the Inlets client with the `--bearer-token` flag to enable token authentications. |
| 118 | + |
| 119 | +```diff |
| 120 | +inlets-pro http client \ |
| 121 | + --upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 \ |
| 122 | ++ --bearer-token $(cat ./bearer-token) |
| 123 | +``` |
| 124 | + |
| 125 | +Query the Prometheus API with curl and authenticate by adding the `Authorization` header on the request. |
| 126 | + |
| 127 | +```sh |
| 128 | +curl "https://prometheus.demo.welteki.dev/api/v1/labels" \ |
| 129 | + -H "Authorization: Bearer $(cat ~/.inlets/prometheus-tunnel/token)" |
| 130 | +``` |
| 131 | + |
| 132 | +The Bearer Token Authentication can be used together with both the basic auth and OAuth authentication. Just add the `--bearer-token` along with the flags you would need to configure AOauth or basic authentication. This makes it possible to quickly add authentication to an application like Prometheus where you have a browser based UI and HTTP API. |
| 133 | + |
| 134 | +```diff |
| 135 | +inlets-pro http client \ |
| 136 | + --upstream prometheus.demo.welteki.dev=http://127.0.0.1:9090 \ |
| 137 | + --oauth-provider github \ |
| 138 | + --oauth-client-id $(cat ~/.inlets/prometheus-tunnel/oauth-client-id) \ |
| 139 | + --oauth-client-secret $(cat ./oauth-client-secret) \ |
| 140 | + --oauth-acl welteki \ |
| 141 | ++ --bearer-token $(cat ./bearer-token) |
| 142 | +``` |
| 143 | + |
| 144 | +# Conclusion |
| 145 | + |
| 146 | +Inlets tunnels can be used to quickly add different types of authentication to your HTTP services without changing your applications. We showed how to configure and use the different authentication types supported by Inlets and discussed which one to pick for different use cases: |
| 147 | + |
| 148 | +- Use OAuth if you need to expose a UI or browser based application. AOauth gives you fine grained control over who can access the tunneled service through Access Control Lists without the need to share credentials. |
| 149 | +- Basic Authentication is the simplest form of authentication for your tunnels. It allows users to log in with a username and password and can be used as an alternative when using OAuth is not an option for you. Basic auth can also be used by headless clients without human interaction. |
| 150 | +- Bearer Token Authentication is recommended if you are exposing an HTTP API that needs to be accessible by headless clients. It can be used as the only authentication option or in combination with both OAuth and basic authentication. |
| 151 | + |
| 152 | +Inlets has support for multiple OAuth providers like GitHub and Google. As a commercial user you get access to all providers. Please [get in touch with the Inlets team](https://inlets.dev/contact) if the OAuth provider you need is missing. |
0 commit comments