Comment by zie

It does, it's not perfect, but nothing ever is.

I haven't tried putting it behind Authentik or Authelia. They make it known in the Authelia guide what it is they care about being always exposed, vs password protected. Hopefully you get it figured out and you can update the docs so the next person doesn't have the same headache!

I just put it behind a <uuid>.mydomain.com with a domain TLS cert and use the built-in auth.

The wildcard TLS cert keeps the <uuid> from being public in the cert log. The only way you know the URL is if you have access to my DNS queries or have a MITM setup. Plus you still have to know my password.

Good Enough for me.

If I cared a bit more I'd put it behind Tailscale/Nebula/etc instead of having it publicly accessible. Maybe next time I'm bored I'll do that.