[GH-ISSUE #620] [Feature] allow an anonymous "localhost user" for the Private instance #464

Closed
opened 2026-05-07 00:24:26 +02:00 by BreizhHardware · 9 comments

Originally created by @LuckyTurtleDev on GitHub (Feb 19, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/620

Application servers need anonymous write access to ntfy. I am not a big fan of allowing everyone to upload data to my server.
Since ntfy is running on the same server as the application servers, I wonder if it would be possible to give only localhost/docker anonymous write access to ntfy.

BreizhHardware 2026-05-07 00:24:26 +02:00

@binwiederhier commented on GitHub (Feb 19, 2023):

> I am not a big fan of allowing everyone to upload data to my server.

I'm sure you've seen the section about access control in the docs (https://docs.ntfy.sh/config/#access-control), so you can define granular access controls based on users.

For your specific problem, you could define default permissions as `deny-all`, and then create ACL entries to allow anonymous write access to a topic:

`server.yml`:

```
auth-default-access: deny-all
```

Define ACL:

```
ntfy access everyone sometopic write-only
```

And then you could restrict access to `/sometopic` in nginx (or whatever your proxy is) to only local IP addresses.

I do not intend to add IP restrictive access to ntfy itself (for now).


@binwiederhier commented on GitHub (Feb 19, 2023):

Alternatively, if you have `listen-unix` defined, you can directly write to the unix socket, e.g. `curl -d hi --unix-socket /tmp/ntfy.sock http://127.0.0.1/sometopic`


@binwiederhier commented on GitHub (Feb 20, 2023):

Hope this was answered. If not, feel free to comment or re-open.


@LuckyTurtleDev commented on GitHub (Feb 20, 2023):

Yes it was answered. Thanks. I will try out your solution soon.
Maybe this can be kept open for the feature request?


@LuckyTurtleDev commented on GitHub (Feb 21, 2023):

@binwiederhier sadly I am not allowed to reopen the issue


@binwiederhier commented on GitHub (Feb 21, 2023):

I don't think I want to implement IP-based access control in ntfy. That seems like something that has to live or be solved outside it. In a proxy, as I said. You can easily solve this in nginx.


@LuckyTurtleDev commented on GitHub (Feb 22, 2023):

If I restrict access to `/sometopic`, would this not also affect reading the topic?

Maybe it is a better idea to add the authorization header if the request does come from localhost?


@LuckyTurtleDev commented on GitHub (Mar 13, 2023):

I have now simply added an auth header at the reverse proxy for local IPs. Works without any issue.
`Caddyfile`:

```
push.example.com {
	# keep crawlers away from the notification host
	respond /robots.txt 200 {
		body "User-agent: *
Disallow: /"
	}

	# requests whose peer address is in a private range get the publisher's credentials
	@local remote_ip private_ranges
	reverse_proxy @local localhost:16480 {
		header_up Authorization "Basic SomeBase64"
	}

	# all other clients reach ntfy without an injected header
	reverse_proxy localhost:16480 {
		header_down Referrer-Policy "strict-origin-when-cross-origin"
		header_down Strict-Transport-Security "max-age=15768000"
		header_down X-Frame-Options "sameorigin"
	}
}
```
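Pulling together the two approaches in this thread (binwiederhier's deny-all ACL with a proxy restriction on `/sometopic`, and the Caddyfile that injects an Authorization header for private-range peers), here is an added Python model of the resulting access decisions. It is not ntfy or Caddy code; the user names, topic and addresses are constructed, and `is_local` only approximates Caddy's `private_ranges` matcher.

```python
import ipaddress

WRITE_METHODS = {"POST", "PUT"}

# Constructed ntfy user table: "publisher" stands for the account behind the
# Caddyfile's "Basic SomeBase64", "phone" for a subscriber that reads the topic.
USERS = {"publisher": {"sometopic": "write-only"}, "phone": {"sometopic": "read-only"}}

# Approximation of Caddy's private_ranges: loopback, RFC 1918 and IPv6 ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fd00::/8")]


def ntfy_allows(everyone_acl, user, topic, method):
    """ntfy-style decision: the user's own rule, else the 'everyone' ACL, else deny-all."""
    perm = USERS.get(user, {}).get(topic) or everyone_acl.get(topic, "deny")
    want = "write" if method in WRITE_METHODS else "read"
    return perm in ("read-write", f"{want}-only")


def is_local(peer_addr):
    """True when the TCP peer address falls in one of the private ranges."""
    ip = ipaddress.ip_address(peer_addr)
    return any(ip in net for net in LOCAL_NETS)


def path_restriction(peer_addr, method, topic, user=None):
    """First suggestion: 'everyone sometopic write-only' in ntfy, and the proxy
    blocks /sometopic for non-local peers. Note that remote readers are blocked too."""
    if topic == "sometopic" and not is_local(peer_addr):
        return 403
    return 200 if ntfy_allows({"sometopic": "write-only"}, user, topic, method) else 403


def header_injection(peer_addr, method, topic, user=None, x_forwarded_for=None):
    """Caddyfile approach: deny-all ACL in ntfy, and the proxy adds the publisher's
    credentials only for local peers. Only the peer address is consulted; the
    X-Forwarded-For value is client-supplied and deliberately ignored."""
    if is_local(peer_addr) and user is None:
        user = "publisher"
    return 200 if ntfy_allows({}, user, topic, method) else 403
```

Whichever variant is deployed, the decision rests on the peer address the proxy sees, so confirm in the proxy's access log that external clients do not show up with a gateway or upstream-proxy address that falls inside a private range.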

@binwiederhier commented on GitHub (Mar 13, 2023):

Very elegant. Nice.
