DockFlare v3.0.1 is here, and it's all about tightening up security. I've added OAuth support, letting you protect the main management interface with your existing accounts from providers like Google, GitHub, and more.
✨ New Feature: OAuth Authentication
DockFlare's management interface can now be secured using OAuth 2.0 and OpenID Connect (OIDC). This allows you to delegate user authentication to a trusted third-party provider, adding a robust layer of security to DockFlare itself.
- Secure the Dashboard: Protect access to the DockFlare UI and API, ensuring only authorized users can manage your services.
- Provider Integration: Easily add and configure OAuth providers directly through the settings interface.
- User Authorization: Manage a list of authorized users (by their email address) who are allowed to access the DockFlare dashboard.
OAuth Configuration & Best Practices
If you put an access policy on the DockFlare dashboard (for example, an IP allow list) and also enable OAuth, you must add a bypass rule for the OAuth callback path. After the user signs in, the provider redirects the browser back to that path, and without the bypass the access policy would block the redirect whenever the user's IP is not on the allow list. Scope the bypass to the exact callback path only; everything else on the hostname stays behind the policy.
Here is an example configuration:
```yaml
services:
  dockflare:
    image: alplat/dockflare:stable
    labels:
      # Secure the main DockFlare interface with your access policy
      - "dockflare.enable=true"
      - "dockflare.hostname=dockflare.example.com"
      - "dockflare.service=http://dockflare:5000"
      - "dockflare.access.group=team" # Your custom access policy (e.g., IP whitelist)
      # Create a bypass policy for the OAuth callback path
      - "dockflare.0.hostname=dockflare.example.com"
      - "dockflare.0.path=/auth/google/callback" # The path for your specific provider
      - "dockflare.0.service=http://dockflare:5000"
      - "dockflare.0.access.policy=bypass"
```
This configuration keeps the main DockFlare interface behind your access policy while letting the OAuth redirect complete. Keep in mind that a bypassed path is reachable by anyone, so protection of the callback endpoint rests on the OAuth flow itself and on the authorized-user list, not on the access policy; that is why the bypass should cover the single callback path and nothing broader.
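The two things that go wrong with this setup in practice are a bypass that is wider than the callback path and a bypass path that does not match the redirect URI registered at the provider (see Known Issues). The following is an added example, not DockFlare's own code: it takes the labels from the compose example above (embedded here as a constructed list) plus the redirect URI you registered with the provider, and reports any mismatch. The `dockflare.<n>.<key>` label layout is taken from the example above; the check for a trailing `*` assumes wildcard paths are possible and is there as a guard, not a statement about DockFlare's path matching.

```python
"""Consistency check for the DockFlare OAuth callback bypass rule.

Added example for this release note, not DockFlare's own code. It verifies
that exactly one bypass rule exists, that it covers only the callback path,
and that hostname and path agree with the redirect URI registered at the
OAuth provider.
"""
from urllib.parse import urlsplit

# Constructed input: the labels from the compose example in this release note.
COMPOSE_LABELS = [
    "dockflare.enable=true",
    "dockflare.hostname=dockflare.example.com",
    "dockflare.service=http://dockflare:5000",
    "dockflare.access.group=team",
    "dockflare.0.hostname=dockflare.example.com",
    "dockflare.0.path=/auth/google/callback",
    "dockflare.0.service=http://dockflare:5000",
    "dockflare.0.access.policy=bypass",
]


def parse_labels(labels):
    """Group 'dockflare.*' labels into rule dicts.

    Un-indexed labels (dockflare.hostname, ...) form the main rule, stored
    under key None; 'dockflare.<n>.<key>' labels form extra rules under n.
    """
    rules = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[0] != "dockflare" or len(parts) < 2:
            continue
        if parts[1].isdigit():
            idx, field = int(parts[1]), ".".join(parts[2:])
        else:
            idx, field = None, ".".join(parts[1:])
        rules.setdefault(idx, {})[field] = value
    return rules


def check_bypass(labels, redirect_uri):
    """Return a list of findings; an empty list means the bypass is consistent."""
    findings = []
    rules = parse_labels(labels)
    main = rules.get(None, {})
    uri = urlsplit(redirect_uri)

    # The provider must redirect over TLS, otherwise the code leaks in clear.
    if uri.scheme != "https":
        findings.append("redirect URI must use https")

    bypass = [r for i, r in rules.items()
              if i is not None and r.get("access.policy") == "bypass"]
    if len(bypass) != 1:
        findings.append(f"expected exactly one bypass rule, found {len(bypass)}")
        return findings
    rule = bypass[0]

    # The bypass must sit on the dashboard hostname and on the registered host.
    if rule.get("hostname") != main.get("hostname"):
        findings.append("bypass hostname differs from the dashboard hostname")
    if rule.get("hostname") != uri.hostname:
        findings.append("bypass hostname differs from the registered redirect URI host")

    # The bypass must be the single callback endpoint, matching the provider exactly.
    path = rule.get("path")
    if not path or path == "/" or path.endswith("*"):
        findings.append(f"bypass path {path!r} is broader than a single callback endpoint")
    elif path != uri.path:
        findings.append(f"bypass path {path!r} != registered callback path {uri.path!r}")

    # The dashboard rule itself must still carry an access policy
    # ('access.group' is the key used in the compose example above).
    if "access.group" not in main:
        findings.append("dashboard rule has no access policy")
    return findings


if __name__ == "__main__":
    for uri in ("https://dockflare.example.com/auth/google/callback",
                "https://dockflare.example.com/auth/github/callback"):
        print(uri, "->", check_bypass(COMPOSE_LABELS, uri) or "OK")
```

Run it against your real `labels:` block and the redirect URI copied from the provider's dashboard whenever you change either side; the common failure is a provider path such as `/auth/github/callback` while the compose file still bypasses `/auth/google/callback`.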
Migration Notes
No breaking changes in this release. All existing configurations remain compatible. The new OAuth feature for the dashboard is optional and can be configured as needed.
Known Issues
- OAuth provider configuration changes may require a brief moment to propagate through the system.
- Ensure OAuth callback URLs in your provider's dashboard match the bypass path in your DockFlare configuration exactly.
What's Changed
Technical Details
- Implemented the OAuth 2.0 / OIDC authentication flow for the main Flask application.
- Added a new UI section in Settings for adding OAuth providers and managing authorized users for the dashboard.
- Created documentation and examples for configuring OAuth, including the callback path bypass method.
- Updated the `docker-compose.yml` file with commented-out examples for the new OAuth functionality.
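Since the callback path is exempt from the access policy, the Flask-side flow mentioned above is what actually defends it. The following is an added example, not DockFlare's implementation, of the two checks a callback handler on a bypassed path has to make before it creates a session: the `state` parameter must match the one issued for this browser (single use, time-limited, constant-time comparison), and the provider-verified e-mail must be on the authorized-user list, which this release manages by e-mail address. The function names, the session dictionary layout and the five-minute state lifetime are assumptions for the example; token exchange and ID-token signature verification happen before `finish_login` and are out of scope here.

```python
"""Checks an OAuth callback must perform once it sits on a bypass path.

Added example, not DockFlare's code. Session is a plain dict standing in for
the Flask session; claims is the already-verified ID-token/userinfo payload.
"""
import hmac
import secrets
import time

STATE_TTL_SECONDS = 300  # assumption: how long a started login stays valid


def begin_login(session):
    """Create an unguessable state, remember it server-side, return it for the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_state_issued"] = time.time()
    return state


def finish_login(session, query, claims, authorized_emails, now=None):
    """Validate the provider's redirect back to the bypassed callback path.

    Returns the authorized e-mail (lower-cased) on success and raises
    PermissionError otherwise. The state is popped first so that it can be
    used exactly once, whether the attempt succeeds or fails.
    """
    now = time.time() if now is None else now
    expected = session.pop("oauth_state", None)
    issued = session.pop("oauth_state_issued", 0)

    # 1. State: must exist, be unexpired, and match in constant time. This is
    #    the CSRF / login-fixation guard; anyone can hit the bypassed path.
    if not expected or now - issued > STATE_TTL_SECONDS:
        raise PermissionError("no pending login or state expired")
    if not hmac.compare_digest(expected, query.get("state", "")):
        raise PermissionError("state mismatch")
    if "error" in query or not query.get("code"):
        raise PermissionError("provider returned an error or no code")

    # 2. Identity: only accept an e-mail the provider marks as verified, then
    #    compare case-insensitively against the authorized-user list.
    email = claims.get("email", "")
    if not email or not claims.get("email_verified", False):
        raise PermissionError("provider did not supply a verified email")
    allowed = {e.strip().lower() for e in authorized_emails}
    if email.lower() not in allowed:
        raise PermissionError(f"{email} is not an authorized user")

    # 3. Only now establish the dashboard identity.
    session["user_email"] = email.lower()
    return email.lower()


def login_result(session, query, claims, authorized_emails, now=None):
    """Wrapper that returns the e-mail on success or 'rejected: <reason>' on failure."""
    try:
        return finish_login(session, query, claims, authorized_emails, now)
    except PermissionError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed walk-through: one good login, then a forged callback.
    session = {}
    state = begin_login(session)
    claims = {"email": "Admin@Example.com", "email_verified": True}
    print(login_result(session, {"state": state, "code": "c"}, claims, ["admin@example.com"]))
    begin_login(session)
    print(login_result(session, {"state": "forged", "code": "c"}, claims, ["admin@example.com"]))
```

The order matters: state is consumed before anything else is looked at, so a replayed or forged callback cannot be retried against the same pending login, and the e-mail comparison happens on the verified claim from the provider rather than on anything the callback URL carries.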
Files Modified
- `dockflare/app/templates/settings.html` - Added UI for OAuth management.
- `dockflare/app/web/api_v2_routes.py` - Added API endpoints for OAuth configuration.
- `dockflare/app/templates/docs/OAuth-Provider-Setup.md` - Added setup documentation.
- `docker-compose.yml` - Added commented OAuth callback examples.
Security
Security Assessment
- DockFlare has undergone comprehensive security testing as documented in `security_assessment_report.md`. This security assessment will be repeated with every major feature addition to ensure no vulnerabilities are introduced through new functionality.
Security Reporting
- If you discover any security issues or have security concerns, please report them through the project's GitHub issues or contact me directly. I take security seriously and appreciate responsible disclosure.
Thank You
I want to thank the community for its continued support and feedback. Your contributions, bug reports, and suggestions help make DockFlare better and more secure with each release.
A special thanks to everyone who participates in making DockFlare a robust and reliable tool for the community.
Happy tunneling! 🚀