# Websites

A website resource in StrongDM is the combination of an IP/DNS address and authentication information used to connect to a web-based resource, such as a Redash or Grafana dashboard.

When a **User** or **Role** is assigned a website resource, that entity inherits the ability to access the resource via a proxy set up on their local device.

**Example:** Alice wishes to access an internal website, such as a CI tool, which is already set up in StrongDM as a website resource. Alice sets up her StrongDM user, which is then given permission via a role to access the website. She installs [StrongDM Client](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client "mention") on her laptop, then is able to quickly access the site after connecting to it via the desktop app.

StrongDM sends a JSON Web Token (JWT) to the website in the `X-Sdm-Token` header (see [Headers](#headers)). Validating this token is not strictly necessary, since the connection comes through StrongDM and is therefore already authenticated and authorized, but if you wish to validate it manually, use the `VerifyJWT` method in the SDKs. Each SDK has a version of this function, which reports whether the given JWT is valid.

{% hint style="info" %}
Currently, StrongDM supports websites with no authentication, basic HTTP authentication, or header-based authentication. Interactive logins and websites secured with SSO are not supported.
{% endhint %}

### HTTP Resource Types

{% hint style="info" %}
The "HTTP" in the name of each type is only part of the descriptor of the authentication type. Website resources that are protected by SSL (HTTPS) are also supported. Additionally, all three HTTP resource types include an Enforce HTTPS option. This option is enabled by default for new HTTP resources.
{% endhint %}

The following website resource types are available at StrongDM, differentiated by their authentication type, or lack thereof:

* **HTTP:** This type of connection does not attempt to perform any authentication via StrongDM, so it has no additional fields required. Just make sure your URL is correct.
* **HTTP Basic Auth:** This option uses standard HTTP authentication (username/password). Choosing this option exposes two additional fields: **Digest Auth User** (username) and **Digest Auth Password** (password).
* **HTTP Custom Auth:** This option sends custom auth data using the `Authorization` header. Once selected, the **Authorization Header** field is exposed.

### Add the Resource in StrongDM

Next, add the resource in StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

{% tabs %}
{% tab title="Admin UI" %}
**Set up and Manage With the Admin UI**

If using the Admin UI to add the resource to StrongDM, use the following steps.

1. Log in to the Admin UI and go to **Resources** > **Managed Resources**.
2. Click **Add Resource** and select a name.
3. For **Resource Type**, select one of the following:
   1. **HTTP:** This type of connection does not attempt to perform any authentication via StrongDM, so it has no additional fields required. Just make sure your URL is correct.
   2. **HTTP Basic Auth:** This option uses standard HTTP authentication (username/password). Choosing this option exposes two additional fields: **Digest Auth User** (username) and **Digest Auth Password** (password).
   3. **HTTP Custom Auth:** This option sends custom auth data using the `Authorization` header. Once selected, the **Authorization Header** field is exposed.
4. Set other [resource properties](#resource-properties).
5. Click **create** to save the resource.
6. Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status.
   {% endtab %}

{% tab title="CLI" %}
**Set up and Manage With the CLI**

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation.

1. In your terminal or Command Prompt, log in to StrongDM:

   ```sh
   sdm login
   ```
2. Run `sdm admin websites add --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them.

   ```sh
   NAME:
      sdm admin websites add - add one or more websites

   USAGE:
      sdm admin websites add command [command options] [arguments...]

   COMMANDS:
      http, httpNoAuth, http-no-auth    create HTTP website
      http-basic, httpBasic, basicauth  create HTTP Basic Auth website
      http-header-auth, headerauth      create HTTP Custom Auth website

   OPTIONS:
      --file value, -f value  load from a JSON file
      --stdin, -i             load from stdin
      --timeout value         set time limit for command
      --help, -h              show help
   ```
3. Do the same for the auth type you wish to configure. For example, for HTTP:

   ```
   $ sdm admin websites add http --help
   NAME:
      sdm admin websites add http - create HTTP website

   USAGE:
      sdm admin websites add http [command options] <name>

   OPTIONS:
      --bind-interface value     bind interface (default: "127.0.0.1")
      --default-path value       Automatically redirect to this path upon connecting.
      --egress-filter value      apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
      --headers-exclusion value  Enter the header name (e.g. Authorization), and its contents will be omitted from logs.
      --health-path value        This path will be used to check the health of your site. (required)
      --host-override value      The host header will be overwritten with this field.
      --http-subdomain value     This will be used as your local DNS address. (e.g. app-prod1 would turn into http://app-prod1.<your-org-name>.sdm.network/) (required)
      --port-override value      port profile override (default: -1)
      --tags value               tags e.g. 'key=value,...'
      --template, -t             display a JSON template
      --timeout value            set time limit for command
      --url value                The base address of your website without the path. (required)
   ```
4. Run `sdm admin websites add http|http-basic|http-header-auth <RESOURCE_NAME>` to add the resource in StrongDM. Set all required properties with their values. For example:

   ```sh
   # Add an HTTP Website (no authentication)
   sdm admin websites add http \
     --url "http://intranet.acme.internal" \
     --http-subdomain "intranet-prod01" \
     --health-path "/status" \
     --bind-interface "default" \
     --port-override -1 \
     --egress-filter 'field:name tag:env=prod tag:region=us-west' \
     --tags "env=prod,protocol=http,team=infra" \
     --timeout 30 \
     "intranet-http"

   # Add an HTTP Basic Auth Website
   sdm admin websites add http-basic \
     --url "https://admin.acme.internal" \
     --http-subdomain "admin-prod01" \
     --health-path "/healthz" \
     --username "webadmin" \
     --password "StrongPassword123!" \
     --bind-interface "default" \
     --port-override -1 \
     --proxy-cluster-id "plc_0123456789abcdef" \
     --tags "env=prod,protocol=https,auth=basic,team=web" \
     --timeout 30 \
     "admin-http-basic"

   # Add an HTTP Custom Auth Website
   sdm admin websites add http-header-auth \
     --url "https://api.acme.internal" \
     --http-subdomain "api-prod01" \
     --health-path "/health" \
     --auth-header "Authorization: Bearer abcd1234efgh5678" \
     --bind-interface "default" \
     --port-override -1 \
     --egress-filter 'field:name tag:env=prod tag:region=us-west' \
     --secret-store-id "ss_abcdef0123456789" \
     --tags "env=prod,protocol=https,auth=header,team=api" \
     --timeout 30 \
     "api-http-custom"
   ```
5. Check that the resource has been added. The output of the following command should show the resource's name:

   ```sh
   sdm admin resources list
   ```

{% endtab %}

{% tab title="Terraform" %}
**Set up and Manage With Terraform**

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation.

```hcl
# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "16.5.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from the Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Website (HTTP - no auth)
resource "sdm_resource" "web_http_prod_01" {
  website_http {
    # Required
    name            = "web-http-prod-01"                 # <name>
    url             = "http://intranet.acme.internal"    # --url (base address)
    http_subdomain  = "intranet-prod01"                  # --http-subdomain (local DNS)
    health_path     = "/status"                          # --health-path

    # Optional UX/routing
    default_path    = "/home"                            # --default-path
    host_override   = "intranet.acme.internal"           # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface ("default" | "loopback" | "vnm")
    port_override   = -1                                 # --port-override (-1 = auto-allocate)
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (not used for no-auth but allowed)

    # Tags
    tags = {                                             # --tags
      env      = "prod"
      protocol = "http"
      auth     = "none"
      team     = "infrastructure"
    }
  }
}

# Create Website (HTTP Basic Auth)
resource "sdm_resource" "web_http_basic_prod_01" {
  website_http_basic {
    # Required
    name            = "web-http-basic-prod-01"           # <name>
    url             = "https://admin.acme.internal"      # --url
    http_subdomain  = "admin-prod01"                     # --http-subdomain
    health_path     = "/healthz"                         # --health-path
    username        = "webadmin"                         # --username
    password        = "StrongPassword123!"               # --password (use secret store for production)

    # Optional UX/routing
    default_path    = "/dashboard"                       # --default-path
    host_override   = "admin.acme.internal"              # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface
    port_override   = -1                                 # --port-override
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (recommended for creds)

    # Tags
    tags = {
      env      = "prod"
      protocol = "https"
      auth     = "http_basic"
      team     = "web"
    }
  }
}

# Create Website (HTTP Custom Header Auth)
resource "sdm_resource" "web_http_header_prod_01" {
  website_http_header_auth {
    # Required
    name            = "api-http-header-prod-01"          # <name>
    url             = "https://api.acme.internal"        # --url
    http_subdomain  = "api-prod01"                       # --http-subdomain
    health_path     = "/health"                          # --health-path
    auth_header     = "Authorization: Bearer abcd1234..." # --auth-header (use secret store for production)

    # Optional security/privacy
    headers_exclusion = "Authorization"                  # --headers-exclusion (omit from logs)

    # Optional UX/routing
    default_path    = "/v1/status"                       # --default-path
    host_override   = "api.acme.internal"                # --host-override

    # Common networking options
    bind_interface  = "default"                          # --bind-interface
    port_override   = -1                                 # --port-override
    egress_filter   = "field:name tag:env=prod tag:region=us-west"  # --egress-filter

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"            # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"             # --secret-store-id (recommended for tokens)

    # Tags
    tags = {
      env      = "prod"
      protocol = "https"
      auth     = "header"
      team     = "api"
    }
  }
}
```

{% endtab %}

{% tab title="SDKs" %}
**Set up and Manage With SDKs**

In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples.

| SDK    | Reference                                                       | Repository                                                              | Examples                                                                         |
| ------ | --------------------------------------------------------------- | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| Go     | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go)         | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples)         |
| Java   | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/)   | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java)     | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples)     |
| Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/)   | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) |
| Ruby   | [RubyDoc](https://www.rubydoc.info/gems/strongdm)               | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby)     | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples)     |

{% endtab %}
{% endtabs %}

### Resource Properties

These are the properties available to all website resource types.

<table><thead><tr><th width="200.03338623046875">Property</th><th width="129.789794921875">Requirement</th><th>Description</th></tr></thead><tbody>
<tr><td><strong>Display Name</strong></td><td>Required</td><td>Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (&#x3C; or >)</td></tr>
<tr><td><strong>Proxy Cluster</strong></td><td>Required</td><td>Defaults to "None (use gateways)"; if using <a href="../networking/proxy-clusters">proxy clusters</a>, select the appropriate cluster to proxy traffic to this resource</td></tr>
<tr><td><strong>Base URL</strong></td><td>Required</td><td>Base address and port for the website to add as a resource (for example, <code>http://dashboard.strongdm.com:9021</code>)</td></tr>
<tr><td><strong>Connectivity Mode</strong></td><td>Required</td><td>Select either <strong>Virtual Networking Mode</strong>, which lets users connect to the resource with a software-defined, IP-based network; or <strong>Loopback Mode</strong>, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if <a href="../clients/client-networking/virtual-networking-mode">Virtual Networking Mode</a> is enabled for your organization</td></tr>
<tr><td><strong>IP Address</strong></td><td>Optional</td><td>If <strong>Virtual Networking Mode</strong> is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if <strong>Loopback Mode</strong> is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, <code>127.0.0.1</code>); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if <a href="../clients/client-networking/virtual-networking-mode">Virtual Networking Mode</a> and/or <a href="../clients/client-networking/loopback-ip-ranges">multi-loopback mode</a> is enabled for your organization</td></tr>
<tr><td><strong>Port Override</strong></td><td>Optional</td><td>If <strong>Virtual Networking Mode</strong> is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if <strong>Loopback Mode</strong> is the selected connectivity mode, a port value between 1024 and 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the <a href="port-overrides">Port Overrides settings</a></td></tr>
<tr><td><strong>DNS</strong></td><td>Optional</td><td>If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, <code>k8s.my-organization-name</code>) instead of the bind address that includes IP address and port (for example, <code>100.64.100.100:5432</code>)</td></tr>
<tr><td><strong>HTTP Subdomain</strong></td><td>Required</td><td>If <strong>Loopback Mode</strong> is the selected connectivity mode, a unique string to use as your local DNS address (for example, <code>app-prod1</code> turns into <code>http://app-prod1.production111.sdm.network/</code>); be sure to input URL-safe characters</td></tr>
<tr><td><strong>Secret Store</strong></td><td>Optional</td><td>Credential store location; defaults to none (credentials are stored in StrongDM resource configuration); to learn more, see Secret Store options</td></tr>
<tr><td><strong>Default Path</strong></td><td>Optional</td><td>Path that serves as the starting page when accessing the resource, for example, set <code>/_plugins/kibana</code></td></tr>
<tr><td><strong>Healthcheck Path</strong></td><td>Optional</td><td>Change the healthcheck from the default <code>/</code> to a more specific URL; the path provided should return a healthy status code, such as <code>200</code></td></tr>
<tr><td><strong>Headers exclusion</strong></td><td>Optional</td><td>Headers to exclude from logging; by default, the logs in StrongDM include all of the headers passed to the website</td></tr>
<tr><td><strong>Host Override</strong></td><td>Optional</td><td>Value to overwrite the host header</td></tr>
<tr><td><strong>Custom Headers</strong></td><td>Optional</td><td>Custom headers (<strong>Name</strong> and <strong>Value</strong>) to send with the request; can be marked <strong>Secret</strong> to mask value; if marked <strong>Secret</strong> with a Secret Store selected, the <strong>Value</strong> is replaced by <strong>Value (path)</strong>, the path to the value within the chosen secret store</td></tr>
<tr><td><strong>Enforce HTTPS</strong></td><td>Optional</td><td>Enabled by default; when enabled, StrongDM requires HTTPS for the website resource</td></tr>
<tr><td><strong>Resource Tags</strong></td><td>Optional</td><td>Datasource <a data-mention href="https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags">Tags</a> consisting of key-value pairs <code>&#x3C;KEY>=&#x3C;VALUE></code> (for example, <code>env=dev</code>)</td></tr>
</tbody></table>

#### Resource Type Specific Fields

There are a few additional fields that are unique to the **HTTP (Basic Auth)** and **HTTP (Custom Auth)** resource types.

{% tabs %}
{% tab title="HTTP (Basic Auth)" %}

| Property                       | Requirement | Description                                                                                                                                                                 |
| ------------------------------ | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Basic Auth User**            | Optional    | Username for the user connecting to this website; displays when Secret Store integration is not configured for your organization                                            |
| **Basic Auth User (path)**     | Optional    | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a Secret Store |
| **Basic Auth Password**        | Optional    | Password for the user connecting to this website; displays when Secret Store integration is not configured for your organization                                            |
| **Basic Auth Password (path)** | Optional    | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a Secret Store |

{% endtab %}

{% tab title="HTTP (Custom Auth)" %}

| Property                        | Requirement | Description                                                                                                                                                                 |
| ------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Authorization Header**        | Required    | The authorization header that you wish to send along with the request                                                                                                       |
| **Authorization Header (path)** | Required    | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a Secret Store |

{% endtab %}
{% endtabs %}

## Proxy Configuration

Once a user has access to a website, they also need to configure their local system proxy. Users can add the following PAC file to their system to accomplish this task: `https://app.strongdm.com/proxy.pac`.

The PAC file in the link above automatically configures your system to proxy traffic for your websites. For more detailed setup instructions, read [Connect to Websites](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/connect/connect-websites "mention").

### Secret Store options <a href="#secret-store-options" id="secret-store-options"></a>

By default, secrets are stored directly with StrongDM. However, these secrets can also be saved in a secrets management tool.

Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Settings** > **Secrets Management**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](https://docs.strongdm.com/admin/access/secret-stores).

## Headers

StrongDM modifies headers in the following ways:

* Changes are made to the Location header (as with most proxies).
* If the User-Agent header is missing, it is added with a blank value.
* In the case of HTTP (Basic Auth) and HTTP (Custom Auth) resource types, StrongDM adds or modifies the related auth headers.
* The X-Forwarded-User header contains the email of the StrongDM user.
* The X-Sdm-Token header contains a JSON Web Token (JWT) that can be used to verify the user's authentication.

These headers are modified for internal use, but the information is presented here because there may be some use cases where you may wish to configure or modify your web applications to anticipate or use some of these headers.
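One way a backend behind StrongDM could consume the `X-Forwarded-User` and `X-Sdm-Token` headers listed above, as an added example that is not StrongDM code. It honors the headers only on connections from an assumed StrongDM node subnet (`TRUSTED_NODE_NETS`, a constructed value), since any client that can reach the site directly can set these headers itself; `verify_token` is a hypothetical hook where a call to the SDK's `VerifyJWT` would go.

```python
import ipaddress
import re

# Assumption: the subnet your StrongDM gateways/relays connect from (constructed value).
TRUSTED_NODE_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample token: it has the shape of a JWT but is not a real StrongDM token.
SAMPLE_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.c2ln"

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Shape check only (three base64url segments); this does not validate the signature.
JWT_SHAPE_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


class IdentityError(Exception):
    """Raised when the StrongDM identity headers cannot be trusted."""


def _single(headers, name):
    """Return the only value of header `name` (case-insensitive) or raise."""
    values = [v.strip() for k, v in headers if k.lower() == name.lower()]
    if len(values) != 1:
        raise IdentityError(f"expected exactly one {name} header, got {len(values)}")
    return values[0]


def identity_from_strongdm_headers(peer_ip, headers, verify_token=None):
    """Return the StrongDM user's email, or raise IdentityError.

    peer_ip      -- address of the TCP peer (not a client-supplied header)
    headers      -- iterable of (name, value) pairs, duplicates preserved
    verify_token -- optional callable(token) -> bool; hypothetical hook for
                    the SDK's VerifyJWT call
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_NODE_NETS):
        # Reached without going through StrongDM: the headers are client input.
        raise IdentityError(f"peer {peer} is not a StrongDM node")

    user = _single(headers, "X-Forwarded-User")
    if not EMAIL_RE.fullmatch(user):
        raise IdentityError("X-Forwarded-User is not an email address")

    token = _single(headers, "X-Sdm-Token")
    if not JWT_SHAPE_RE.fullmatch(token):
        raise IdentityError("X-Sdm-Token is not a compact JWT")

    if verify_token is not None and not verify_token(token):
        raise IdentityError("X-Sdm-Token failed verification")
    return user


if __name__ == "__main__":
    # Constructed requests: (peer address, header list).
    good = [("X-Forwarded-User", "alice@example.com"), ("X-Sdm-Token", SAMPLE_TOKEN)]
    doubled = good + [("x-forwarded-user", "root@example.com")]
    for peer, hdrs in [("10.20.0.7", good), ("192.0.2.50", good), ("10.20.0.7", doubled)]:
        try:
            print(peer, "->", identity_from_strongdm_headers(peer, hdrs))
        except IdentityError as exc:
            print(peer, "-> rejected:", exc)
```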

#### Custom Headers

You may also add custom headers. Each custom header has a specified name and value, and can be marked as secret to mask its value. If you wish to store these header values in a secret store, you may select a secret store for the resource, mark custom headers as secret, and fill in the path to that value in the secret store.

## Test the Connection

1. In the Admin UI, locate your new website resource and check its health status. A green indicator means StrongDM can reach the site’s base URL and health path.
2. From a user machine with the StrongDM desktop app or CLI running, open your browser and navigate to:

   ```
   https://<HTTP_SUBDOMAIN>.<ORGANIZATION>.sdm.network/
   ```

   (or include your configured default path if set).
3. Confirm that the website loads successfully:
   * For **HTTP Basic Auth**, verify login with the configured credentials.
   * For **HTTP Custom Auth**, confirm your application responds normally using the injected header.
   * For **No Auth**, confirm the site opens without prompts.
4. If the site doesn’t load:
   * Verify the health path returns a `200 OK` status.
   * Check your PAC file or proxy settings if you’re using automatic proxy configuration.
   * Ensure that the StrongDM node can reach the target URL.
5. Once the website loads correctly and the health status shows green, the resource is ready for use.

If you encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).


