Hi, thanks for replying
On Sat, Jun 20, 2026 at 10:10:54AM -0400, Nick Holland wrote:
> I think you need to tell us what task you are attempting to accomplish,
> rather than what tool you are trying to avoid to accomplish it.

The end result I'd like is access to a web resource for one or
two users without opening up that resource to the entire world.
The people needing this resource may or may not be on a dynamic ip.

> But ... my quick answer based on my interpretation of your
> request would be that you are trying to restrict access to a web
> server

yes

> (but I fail to see how fail2ban helps with this).

fail2ban is basically me spitballing, sorry for the haphazard
"logic" in my initial post. It's a thing to consider if there
was no other alternative, and I'd want to discourage things trying
basic auth over and over.

> A couple
> easy ways to do that without htpasswd would be authpf(8) -- log
> into an account via ssh with the authpf shell and your IP address
> is opened up in PF for accessing the web server,

This is a great suggestion and I'm looking at it rn. Although I had heard of
authpf I had no knowledge of what it did or how it could be used.

> For cases with a small number of skilled users, I'm fond of ssh
> tunnels, as they solve the end-to-end encryption (don't need to worry
> about ssl certs) and you can channel a lot of different applications
> through one tunnel.

I use this too. The machine is headless and I run a vnc desktop through
a tunnel. It's surprisingly quick, even on a rpi4, even using things like
firefox and thunderbird and libreoffice. But this method would be beyond the
ken of this client.

The authpf method sounds perfect:

1. "double click here" (ssh logs in with key)
2. "now go here: <url>"

thanks again for the suggestion
--
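
The authpf(8) arrangement discussed in this message, sketched as an added example that is not part of the original mail or written by either poster. The web port (443), the use of the `egress` interface group and the file layout shown are assumptions for illustration; the user's login shell is assumed to be set to /usr/sbin/authpf.

```conf
# --- /etc/pf.conf (fragment, constructed example) ---
web_port = "443"                                 # assumed port of the web resource

block in on egress proto tcp to port $web_port   # web server closed to the world by default
pass  in on egress proto tcp to port ssh         # users must still be able to reach sshd
anchor "authpf/*"                                # authpf loads per-session rules under this anchor

# --- /etc/authpf/authpf.rules (constructed example) ---
# Loaded when a user whose shell is /usr/sbin/authpf authenticates over ssh.
# authpf supplies the macros $user_ip (the address the ssh session came from)
# and $user_id (the login name).
pass in quick on egress proto tcp from $user_ip to port 443 keep state

# --- /etc/authpf/authpf.conf ---
# Must exist for authpf to run; it can be left empty.
```

The rules for a session are removed when that ssh session ends, so a user on a dynamic IP only has the address they are currently connecting from opened, and only while they stay logged in.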