New User - Couple of questions on Implementation and Configuration

[BITsmartIT]

I have managed to get Shlink installed and at least in part operational. It is running in Docker Containers, managed by Portainer on Proxmox. My knowledge of all of the above is basic, so please bare with me. ;-).

I have configured the backend and the db on the private docker IP range (as I could not get the backend to run on the host network). I have the gui installed on the host network with a port forward allowing it to communicate with the backend.

I have a few questions.

1. I would like to have both the gui presented on https as well as communicate with the backend via https. I do not see any settings allowing to set the gui to https and port #. When I changed the config of the backend to "- IS_HTTPS_ENABLED=true", the connection from the gui to the backend started failing. If enabled does this automatically handle certificates etc and what port is then opened for the endpoint to connect to?

2. Ideally I will make a GUI endpoint publicly available. Is it possible to have some sort of login so that existing sURLs are available to anyone, while the ability to create new sURLs are restricted to certain users or APIs. Or some other way of just publishing a list of sURLs?

3. I noted that different API permissions are available, so does that mean I could create an 'admin' GUI with access to all sURLs and a public API with a subset of sURLs.

4. in the above scenario is it possible to adjust sURL visibility after creation? ie assign visibility to another API other than the one that created it?

The current version of the Stack that I am using to install is below.

Thanks for any assistance or advice you can provide.

version: "4"

services:
  shlink:
    image: shlinkio/shlink:stable
    #network_mode: "host"
    restart: always
    container_name: shlink-backend
    environment:
      - TZ="Australia/Sydney"
      - DEFAULT_DOMAIN=shlink.domain.it #no http/https. no trailing slash
      - IS_HTTPS_ENABLED=false
      - GEOLITE_LICENSE_KEY=ZZZZZ #we'll need to get this key from maxmind.com
      - DB_DRIVER=maria
      - DB_USER=Shlink
      - DB_NAME=Shlink
      - DB_PASSWORD=XXXXX #change this
      - DB_HOST=database
    depends_on:
      - database
    ports:
      - 80:8080

  database:
    image: mariadb:lts #11.6
    #network_mode: "host"
    restart: always
    container_name: shlink-database
    environment:
      - MARIADB_ROOT_PASSWORD=YYYYY #change this
      - MARIADB_DATABASE=Shlink
      - MARIADB_USER=Shlink
      - MARIADB_PASSWORD=XXXXX #change this
    volumes:
      - /var/lib/docker/volumes/shlink:/var/lib/mysql

  shlink-web-client:
    image: shlinkio/shlink-web-client:latest
    network_mode: "host"
    restart: always
    container_name: shlink-gui
    depends_on:
      - shlink
    #ports:
    #  - 8081:8080

[acelaya]

1. I would like to have both the gui presented on https as well as communicate with the backend via https. I do not see any settings allowing to set the gui to https and port #. When I changed the config of the backend to "- IS_HTTPS_ENABLED=true", the connection from the gui to the backend started failing. If enabled does this automatically handle certificates etc and what port is then opened for the endpoint to connect to?

The IS_HTTPS_ENABLED option in the backend is not used to set-up certificates and such, but just to inform Shlink you have set-up HTTPS, and it has to use that when generating absolute URLs.

That's why there's not an equivalent setting in shlink-web-client, because it doesn't care if you are using HTTPS or not.

So long story short, it's up to you to configure certificates in the load balancer/reverse proxy for both Shlink and shlink-web-client.

2. Ideally I will make a GUI endpoint publicly available. Is it possible to have some sort of login so that existing sURLs are available to anyone, while the ability to create new sURLs are restricted to certain users or APIs. Or some other way of just publishing a list of sURLs?

No, shlink-web-client does not support authentication, as it runs 100% in the browser. There's work in progress to provide a more advanced frontend that will have its own backend, with user management and a few other improvements.

3. I noted that different API permissions are available, so does that mean I could create an 'admin' GUI with access to all sURLs and a public API with a subset of sURLs.

Permissions can be set on a per API-key level, but yes, you should be able to do that. However, the subset of URLs is implicit to the role/s set to the API key.

You can find more info about API key roles in the docs: https://shlink.io/documentation/api-docs/api-key-roles/

4. in the above scenario is it possible to adjust sURL visibility after creation? ie assign visibility to another API other than the one that created it?

No, that's not possible.