Websites

A website resource in StrongDM is the combination of an IP/DNS address and authentication information used to connect to a web-based resource, such as a Redash or Grafana dashboard.

When a User or Role is assigned a website resource, that entity inherits the ability to access the resource via a proxy set up on their local device.

Example: Alice wishes to access an internal website, such as a CI tool, which is already set up in StrongDM as a website resource. Alice sets up her StrongDM user, which is then given permission via a role to access the website. She installs StrongDM Client on her laptop, then is able to quickly access the site after connecting to it via the desktop app.

Validation of the token is not strictly necessary since the connection comes through StrongDM (and thus already is authenticated and authorized), but if you wish to manually validate it, you may do so with the VerifyJWT method in the SDKs. Each SDK has a version of this function, which reports whether the given JWT token is valid.

Currently, StrongDM supports websites with no authentication, basic HTTP authentication, or header-based authentication. Interactive logins and websites secured with SSO are not supported.

Add the Resource in StrongDM

Next, add the resource in StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add the resource to StrongDM, use the following steps.

Log in to the Admin UI and go to Infrastructure > Servers.
Click Add Resource.
For Auth Type, select one of the following:
1. HTTP: This type of connection does not attempt to perform any authentication via StrongDM, so it has no additional fields required. Just make sure your URL is correct.
2. HTTP Basic Auth: This option uses standard HTTP authentication (username/password). Choosing this option exposes two additional fields: Digest Auth User (username) and Digest Auth Password (password).
3. HTTP Custom Auth: This option sends custom auth data using the Authorization header. Once selected the field Authorization Header is exposed.
Set other resource properties.
Click create to save the resource.
Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Set up and Manage With the CLI

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

In your terminal or Command Prompt, log in to StrongDM:
```
sdm login
```

Run sdm admin websites add --help to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which properties are required and collect the values for them.

NAME:
   sdm admin websites add - add one or more websites

USAGE:
   sdm admin websites add command [command options] [arguments...]

COMMANDS:
   http, httpNoAuth, http-no-auth    create HTTP website
   http-basic, httpBasic, basicauth  create HTTP Basic Auth website
   http-header-auth, headerauth      create HTTP Custom Auth website

OPTIONS:
   --file value, -f value  load from a JSON file
   --stdin, -i             load from stdin
   --timeout value         set time limit for command
   --help, -h              show help

Do the same for the auth type you wish you configure. For example, for HTTP:

$ sdm admin websites add http --help
NAME:
   sdm admin websites add http - create HTTP website

USAGE:
   sdm admin websites add http [command options] <name>

OPTIONS:
   --bind-interface value     bind interface (default: "127.0.0.1")
   --default-path value       Automatically redirect to this path upon connecting.
   --egress-filter value      apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --headers-exclusion value  Enter the header name (e.g. Authorization), and its contents will be omitted from logs.
   --health-path value        This path will be used to check the health of your site. (required)
   --host-override value      The host header will be overwritten with this field.
   --http-subdomain value     This will be used as your local DNS address. (e.g. app-prod1 would turn into http://app-prod1.<your-org-name>.sdm.network/) (required)
   --port-override value      port profile override (default: -1)
   --tags value               tags e.g. 'key=value,...'
   --template, -t             display a JSON template
   --timeout value            set time limit for command
   --url value                The base address of your website without the path. (required)

Run sdm admin websites add http|http-basic|http-header-auth <RESOURCE_NAME> to add the resource in StrongDM. Set all required properties with their values. For example:

# Add an HTTP Website (no authentication)
sdm admin websites add http "intranet-http"
  --base-url "http://intranet.acme.internal"
  --bind-interface "default"
  --port-override -1
  --egress-filter 'field:name tag:env=prod tag:region=us-west'
  --tags "env=prod,protocol=http,team=infra"
  --timeout 30

# Add an HTTP Basic Auth Website
sdm admin websites add http-basic "admin-http-basic"
  --base-url "https://admin.acme.internal"
  --username "webadmin"
  --password "StrongPassword123!"
  --bind-interface "default"
  --port-override -1
  --proxy-cluster-id "plc_0123456789abcdef"
  --tags "env=prod,protocol=https,auth=basic,team=web"
  --timeout 30

# Add an HTTP Custom Auth Website
sdm admin websites add http-header-auth "api-http-custom"
  --base-url "https://api.acme.internal"
  --headers "Authorization: Bearer abcd1234efgh5678"
  --bind-interface "default"
  --port-override -1
  --egress-filter 'field:name tag:env=prod tag:region=us-west'
  --secret-store-id "ss_abcdef0123456789"
  --tags "env=prod,protocol=https,auth=header,team=api"
  --timeout 30

Check that the resource has been added. The output of the following command should show the resource's name:
```
sdm admin resources list
```

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from the Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Website (HTTP - no auth)
resource "sdm_resource" "web_http_prod_01" {
  website_http {
    # Required
    name            = "web-http-prod-01"                 # <name>
    url             = "http://intranet.acme.internal"    # --url (base address)
    http_subdomain  = "intranet-prod01"                  # --http-subdomain (local DNS)
    health_path     = "/status"                          # --health-path

    # Optional UX/routing
    default_path    = "/home"                            # --default-path
    host_override   = "intranet.acme.internal"           # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface ("default" | "loopback" | "vnm")
    port_override   = -1                                 # --port-override (-1 = auto-allocate)
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (not used for no-auth but allowed)

    # Tags
    tags = {                                             # --tags
      env      = "prod"
      protocol = "http"
      auth     = "none"
      team     = "infrastructure"
    }
  }
}

# Create Website (HTTP Basic Auth)
resource "sdm_resource" "web_http_basic_prod_01" {
  website_http_basic {
    # Required
    name            = "web-http-basic-prod-01"           # <name>
    url             = "https://admin.acme.internal"      # --url
    http_subdomain  = "admin-prod01"                     # --http-subdomain
    health_path     = "/healthz"                         # --health-path
    username        = "webadmin"                         # --username
    password        = "StrongPassword123!"               # --password (use secret store for production)

    # Optional UX/routing
    default_path    = "/dashboard"                       # --default-path
    host_override   = "admin.acme.internal"              # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface
    port_override   = -1                                 # --port-override
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (recommended for creds)

    # Tags
    tags = {
      env      = "prod"
      protocol = "https"
      auth     = "http_basic"
      team     = "web"
    }
  }
}

# Create Website (HTTP Custom Header Auth)
resource "sdm_resource" "web_http_header_prod_01" {
  website_http_header_auth {
    # Required
    name            = "api-http-header-prod-01"          # <name>
    url             = "https://api.acme.internal"        # --url
    http_subdomain  = "api-prod01"                       # --http-subdomain
    health_path     = "/health"                          # --health-path
    auth_header     = "Authorization: Bearer abcd1234..."# --auth-header (use secret store for production)

    # Optional security/privacy
    headers_exclusion = "Authorization"                  # --headers-exclusion (omit from logs)

    # Optional UX/routing
    default_path    = "/v1/status"                       # --default-path
    host_override   = "api.acme.internal"                # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface
    port_override   = -1                                 # --port-override
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (recommended for tokens)

    # Tags
    tags = {
      env      = "prod"
      protocol = "https"
      auth     = "header"
      team     = "api"
    }
  }
}

Resource Properties

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Auth Type

Required

Select HTTP, HTTP Basic Auth, or HTTP Custom Auth; find a description for each in the Auth Types section

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Base URL

Required

Base address and port for the website to add as a resource (for example, http://dashboard.strongdm.com:9021)

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

HTTP Subdomain

Required

If Loopback Mode is the selected connectivity mode, a unique string to use as your local DNS address (for example, app-prod1 turns into http://app-prod1.production111.sdm.network/); be sure to input URL-safe characters

Default Path

Optional

Path that serves as the starting page when accessing the resource, for example, set /_plugins/kibana

Healthcheck Path

Optional

Change the healthcheck from the default / to a more specific URL; the path provided should return a healthy status code, such as 200

Headers exclusion

Optional

Headers to exclude from logging; by default, the logs in StrongDM include all of the headers passed to the website

Host Override

Optional

Value to overwrite the host header

Resource Tags

Optional

Datasource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Auth Types

The "HTTP" in the names of each auth type is a only part of the descriptor of the authentication type. Website resources that are protected by SSL (HTTPS) are also supported.

HTTP: This type of connection does not attempt to perform any authentication via StrongDM, so it has no additional fields required. Just make sure your URL is correct.
HTTP Basic Auth: This option uses standard HTTP authentication (username/password). Choosing this option exposes two additional fields: Digest Auth User (username) and Digest Auth Password (password).
HTTP Custom Auth: This option sends custom auth data using the Authorization header. Once selected the field Authorization Header is exposed.

Proxy Configuration

Once a user has access to a website, they also need to configure their local system proxy. Users can add the following PAC file to their system to accomplish this task: https://app.strongdm.com/proxy.pac.

The PAC file in the link above automatically configures your system to proxy traffic for your websites. For more detailed setup instructions, read Connect to Websites.

Headers

StrongDM modifies headers in the following ways:

Changes are made to the Location header (as with most proxies).
If the User-Agent header is missing, it is added with a blank value.
In the case of HTTP (Basic Auth) and HTTP (Custom Auth) resource types, StrongDM adds or modifies the related auth headers.
The X-Forwarded-User header contains the email of the StrongDM user.
The X-Sdm-Token header contains a JSON Web Token (JWT) that can be used to verify the user's authentication.

These headers are modified for internal use, but the information is presented here because there may be some use cases where you may wish to configure or modify your web applications to anticipate or use some of these headers.

Test the Connection

In the Admin UI, locate your new website resource and check its health status. A green indicator means StrongDM can reach the site’s base URL and health path.
From a user machine with the StrongDM desktop app or CLI running, open your browser and navigate to:
```
https://<HTTP_SUBDOMAIN>.<ORGANIZATION>.sdm.network/
```
(or include your configured default path if set).
Confirm that the website loads successfully:
- For HTTP Basic Auth, verify login with the configured credentials.
- For HTTP Custom Auth, confirm your application responds normally using the injected header.
- For No Auth, confirm the site opens without prompts.
If the site doesn’t load:
- Verify the health path returns a 200 OK status.
- Check your PAC file or proxy settings if you’re using automatic proxy configuration.
- Ensure that the StrongDM node can reach the target URL.
Once the website loads correctly and the health status shows green, the resource is ready for use.

If you encounter issues, please consult the StrongDM Help Center.

Last updated 20 days ago

Was this helpful?

hashtagAdd the Resource in StrongDM

hashtagResource Properties

hashtagAuth Types

hashtagProxy Configuration

hashtagHeaders

hashtagTest the Connection

Add the Resource in StrongDM

Resource Properties

Auth Types

Proxy Configuration

Headers

Test the Connection