simplify public exposure vs authenticated ressources #1489

New issue

Open

opened 2026-02-28 02:23:02 -05:00 by deekerman · 4 comments

deekerman commented 2026-02-28 02:23:02 -05:00

Owner

Copy link

Originally created by @ka2er on GitHub (Oct 17, 2022).

⚠️ Please verify that this feature request has NOT been suggested before.

• I checked and didn't find similar feature request

🏷️ Feature Request Type

Other

🔖 Feature description

When I expose uptime-kuma via cloudflare tunnel access I could put an auth wall in front of uptime kuma.
What I try to achieve is to have admin part (all except status page /status/*) behind cloudflare auth (ok), but put status page behind cloudflare WITHOUT auth (policy = bypass for /status path).

The problem is that /status page rely on ressources that are on root path like :

• /assets/
• /api/status-page/

✔️ Solution

put all resources that could be public exposed without security concerns under a public subfolder like /public in order to easy reverse proxying.

❓ Alternatives

adding all sub ressources to a new cloudflare tunnel application but I'm concern about :

• security issues by exposing api that could allow more than needed
• it may be difficult to maintain if new ressources are added in other path

📝 Additional Context

No response

Originally created by @ka2er on GitHub (Oct 17, 2022). ### ⚠️ Please verify that this feature request has NOT been suggested before. - [X] I checked and didn't find similar feature request ### 🏷️ Feature Request Type Other ### 🔖 Feature description When I expose uptime-kuma via cloudflare tunnel access I could put an auth wall in front of uptime kuma. What I try to achieve is to have admin part (all except status page /status/*) behind cloudflare auth (ok), but put status page behind cloudflare *WITHOUT* auth (policy = bypass for /status path). The problem is that /status page rely on ressources that are on root path like : - /assets/ - /api/status-page/ ### ✔️ Solution put all resources that could be public exposed without security concerns under a public subfolder like /public in order to easy reverse proxying. ### ❓ Alternatives adding all sub ressources to a new cloudflare tunnel application but I'm concern about : - security issues by exposing api that could allow more than needed - it may be difficult to maintain if new ressources are added in other path ### 📝 Additional Context _No response_

deekerman added the

feature-request

A:core

security

labels 2026-02-28 02:23:02 -05:00

deekerman commented 2026-02-28 02:23:05 -05:00

Author

Owner

Copy link

@DusterTheFirst commented on GitHub (Nov 15, 2022):

This would be extremely useful for public-facing status-page. Right now, there is no difference from a status-page and the dashboard authentication wise. You can authenticate on the public facing status pages, and if we set a domain name, you can even access the dashboard from that domain, which would be unwanted for security reasons. I think being able to whitelist known, read-only apis and safe client side assets would be very useful for running uptime-kuma behind a reverse proxy and adding extra authentication or security in front of the admin side while leaving the status-pages public.

@DusterTheFirst commented on GitHub (Nov 15, 2022): This would be extremely useful for public-facing status-page. Right now, there is no difference from a status-page and the dashboard authentication wise. You can authenticate on the public facing status pages, and if we set a domain name, you can even access the dashboard from that domain, which would be unwanted for security reasons. I think being able to whitelist known, read-only apis and safe client side assets would be very useful for running uptime-kuma behind a reverse proxy and adding extra authentication or security in front of the admin side while leaving the status-pages public.

deekerman commented 2026-02-28 02:23:05 -05:00

Author

Owner

Copy link

@rdbahm commented on GitHub (Jan 6, 2023):

+1 to this issue.

If it's helpful, I was able to find a useful way to secure this somewhat: The dashboard requires Websockets to function, while the status pages do not. You can limit access on status pages by having a separate reverse proxy configuration for them with websockets disabled. I also configured NGINX to prohibit anything but "GET" on the API endpoints for status pages.

@rdbahm commented on GitHub (Jan 6, 2023): +1 to this issue. If it's helpful, I was able to find a useful way to secure this somewhat: The dashboard requires Websockets to function, while the status pages do not. You can limit access on status pages by having a separate reverse proxy configuration for them with websockets disabled. I also configured NGINX to prohibit anything but "GET" on the API endpoints for status pages.

deekerman commented 2026-02-28 02:23:05 -05:00

Author

Owner

Copy link

@CommanderStorm commented on GitHub (Dec 7, 2023):

Related #2505

@CommanderStorm commented on GitHub (Dec 7, 2023): Related #2505

deekerman commented 2026-02-28 02:23:05 -05:00

Author

Owner

Copy link

@CompeyDev commented on GitHub (Feb 27, 2025):

This would be useful! I spent quite a bit with Traefik trying to reverse proxy such that one domain has the status page, and the other has the dashboard.

However, the status page domain always redirects back to the dashboard because I have to pass /assets/ through to the dashboard's router, which returns a JS module that fetches an /api/ route to get what the route it should redirect to. With Nginx, I believe you could rewrite what the API route returns for the status page router to return something favorable, but that is not possible with Traefik. I think this would be possible though, if what this issue demands was implemented.

@CompeyDev commented on GitHub (Feb 27, 2025): This would be useful! I spent quite a bit with Traefik trying to reverse proxy such that one domain has the status page, and the other has the dashboard. However, the status page domain always redirects back to the dashboard because I have to pass `/assets/` through to the dashboard's router, which returns a JS module that fetches an `/api/` route to get what the route it should redirect to. With Nginx, I believe you could rewrite what the API route returns for the status page router to return something favorable, but that is not possible with Traefik. I think this would be possible though, if what this issue demands was implemented.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

npm-update

3.0.X

dev-better-auth

copilot/remove-password-complexity-requirements

2.2.X

copilot/sub-pr-6355

1.23.X

api-via-socketio-client

2.1.3

2.1.2

2.1.1

2.1.0

2.1.0-beta.3

2.1.0-beta.2

2.1.0-beta.1

2.1.0-beta.0

2.0.2

2.0.1

1.23.17

2.0.0

2.0.0-beta.4

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.2-temp

2.0.0-beta.1

1.23.16

2.0.0-beta.0

1.23.15

1.23.14

1.23.13

1.23.12

1.23.11

1.23.10

1.23.9

1.23.8

1.23.7

1.23.6

1.23.5

1.23.5-beta.0

1.23.4

1.23.3

1.23.2

1.23.1

1.23.0

1.23.0-beta.1

1.23.0-beta.0

1.22.1

1.22.0

1.22.0-beta.0

1.21.3

1.21.2

1.21.2-beta.0

1.21.1

1.21.0

1.21.0-beta.1

1.21.0-beta.0

1.20.2

1.20.1

1.20.0

1.20.0-beta.0

1.19.6

1.19.5

1.19.4

1.19.3

1.19.2

1.19.1

1.19.0

1.19.0-beta.2

1.19.0-beta.1

1.19.0-beta.0

1.18.5

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-beta.0

1.17.1

1.17.0

1.17.0-beta.1

1.17.0-beta.0

1.16.1

1.16.0

1.16.0-beta.0

1.15.1

1.15.0

1.15.0-beta.1

1.14.1

1.15.0-beta.0

1.14.0

1.14.0-beta.2

1.13.2

1.14.0-beta.1

1.14.0-beta.0

1.13.1

1.13.0

1.13.0-beta.2

1.13.0-beta.1

1.13.0-beta.0

1.12.1

1.12.0

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.10.2

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

A:accessibility

  

A:api

  

A:cert-expiry

  

A:core

  

A:dashboard

  

A:deployment

  

A:documentation

  

A:domain expiry

  

A:incidents

  

A:maintenance

  

A:metrics

  

A:monitor

  

A:notifications

  

A:reports

  

A:settings

  

A:status-page

  

A:ui/ux

  

A:user-management

  

Stale

  

ai-slop

  

blocked

  

blocked-upstream

  

bug

  

cannot-reproduce

  

dependencies

  

discussion

  

duplicate

  

feature-request

  

feature-request

  

good first issue

  

hacktoberfest

  

help

  

help wanted

  

house keeping

  

invalid

  

invalid-format

  

invalid-format

  

question

  

releaseblocker 🚨

  

security

  

spam

  

type:enhance-existing

  

type:new

  

wontfix

No labels

A:accessibility

A:api

A:cert-expiry

A:core

A:dashboard

A:deployment

A:documentation

A:domain expiry

A:incidents

A:maintenance

A:metrics

A:monitor

A:notifications

A:reports

A:settings

A:status-page

A:ui/ux

A:user-management

Stale

ai-slop

blocked

blocked-upstream

bug

cannot-reproduce

dependencies

discussion

duplicate

feature-request

feature-request

good first issue

hacktoberfest

help

help wanted

house keeping

invalid

invalid-format

invalid-format

question

releaseblocker 🚨

security

spam

type:enhance-existing

type:new

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/uptime-kuma#1489

No description provided.