Basic access authentication

Hi, I’m looking for a simple access authentication for the Rhasspy Web UI (port 12101).
The use case: avoid unwanted configuration changes by young family members.
Is it already possible? If not, any hints where and what to look for (in the code) would be appreciated.
Thanks for a great solution!

Hi!
I don’t think Rhasspy supports authentication natively.

One solution could be to install a reverse proxy server like nginx, and add a password in nginx configuration.

You will also have to block the 12101 port with the firewall. So the only way to access the UI would be through nginx.

1 Like

Hi and thank you!
As I understand it, the nginx would sit in front of Rhasspy applications and forward client requests. This sounds like a great idea, but if port 12101 is blocked, how does the nginx application communicate with Rhasspy?
Thank you in advance!

What @tjiho meant was that you install any type of reverse proxy.

your browser → reverse proxy → rhasspy

The reverse proxy will demand credentials from your browser while rhasspy doesn’t require any from the reverse proxy.

Of course this scenario only makes sense if your instance of rhasspy is not available from your kids’ devices. For example you could try to have it listen on localhost only.

1 Like

OK so Rhasspy should close all ports and only allow ‘internal’ communication (i.e. the localhost) to/from the reverse proxy application.
I’m not sure how the communication between the reverse proxy and Rhasspy application will be implemented, or if I can allow only traffic to/from localhost?

The reverse proxy in that scenario would need to run on the device where the rhasspy container is running.
If you want 1 reverse proxy for several rhasspy instances we’re talking about separating your network into vlans or physical networks and using a firewall to only allow access from the reverse proxy to them.

In all those situations, if you have a master and satellites, keep in mind that if you use http for communication, the satellites also need to be able to reach the master.

All in all - not optimal.

Should you want to go through with the reverse proxy:
I haven’t attempted that myself, yet. But you can tell docker to listen on localhost only:
https://duckduckgo.com/?t=ffab&q=docker+only+listen+on+localhost&atb=v173-1&ia=web

The reverse proxy would then try to talk to http://localhost:12101

1 Like
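
A sketch of the setup described in this thread (Rhasspy published on loopback only, nginx in front of it demanding a password), added here as an example and not posted by any participant. The LAN-facing port 8080, the file paths and the user name `parent` are assumptions.

```nginx
# /etc/nginx/conf.d/rhasspy.conf   (file name is an assumption)
#
# Prerequisites, run on the same host as the Rhasspy container:
#   1. Publish the container port on loopback only, so nothing on the LAN
#      can reach 12101 directly:
#        docker run ... -p 127.0.0.1:12101:12101 ...
#   2. Create the password file (htpasswd ships with apache2-utils / httpd-tools):
#        htpasswd -c /etc/nginx/rhasspy.htpasswd parent

# Pass WebSocket upgrades through if the UI requests them; plain requests
# get "Connection: close" towards the backend.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 8080;                  # LAN-facing port, constructed for this example
    server_name _;

    # Every request must carry valid Basic credentials before it is proxied.
    # Over plain HTTP these travel unencrypted on the LAN; add TLS to this
    # server block if that matters in your network.
    auth_basic           "Rhasspy";
    auth_basic_user_file /etc/nginx/rhasspy.htpasswd;

    location / {
        # 127.0.0.1 rather than "localhost", to match the IPv4 loopback
        # address the container port is published on.
        proxy_pass         http://127.0.0.1:12101;
        proxy_http_version 1.1;
        proxy_set_header   Host       $host;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;

        # An empty value stops nginx from forwarding the header, so the
        # browser's credentials never reach the backend.
        proxy_set_header   Authorization "";
    }
}
```

From another machine on the LAN, `curl -i http://<host>:8080/` should answer `401 Unauthorized` when no credentials are sent, and a connection attempt to port 12101 should be refused. Satellites that talk to this instance over HTTP on 12101 will be cut off by the loopback binding, as noted above.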

Thanks, now I understand. And you’re right about the HTTP Base/Satellites communication, it will be more complicated. Possibly MQTT is a work-around. Thank you for your support!