Connection Setup Guides

SSH Terminal

Secure Shell provides encrypted command-line access to remote servers. Portal opens a full terminal emulator in your browser via WebSocket.

Requirements

• OpenSSH server (or compatible) running on the remote host
• Port 22 (or custom) accessible from the Portal server
• Valid user account with password or SSH key authentication

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select SSH Terminal type (or Quick Add → SSH)
3. Enter the remote host IP/hostname and port (default: 22)
4. Choose authentication method: Password (prompted on connect) or Private Key (paste PEM key)
5. Optionally select an SSH key from your managed keys
6. Optionally override the default login shell (bash, zsh, fish)

Security Considerations

• Use SSH key authentication instead of passwords whenever possible
• Disable root login on the remote server (PermitRootLogin no)
• Use AllowUsers or AllowGroups to restrict SSH access
• Consider changing the default SSH port to reduce automated attacks
• Private keys stored in Portal are encrypted at rest with Fernet encryption

SFTP File Transfer

SFTP provides secure file transfer over SSH. Portal's dual-pane file manager lets you browse, upload, download, and manage files on remote servers.

Requirements

• SSH server with SFTP subsystem enabled (default in OpenSSH)
• Port 22 accessible from the Portal server
• User account with appropriate file permissions

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select SFTP File Transfer type
3. Enter host, port, and credentials (same as SSH)
4. Access via Dashboard → File Manager → Remote SFTP tab
5. With 2+ SFTP connections, the commander-style dual-pane view enables drag-and-drop between servers

Security Considerations

• Use chroot jails to restrict SFTP users to their home directory
• Apply the same SSH hardening as above (keys, restricted users)
• SFTP connections in Portal are ephemeral — opened per-request, not persistent

VNC Desktop

Virtual Network Computing provides remote graphical desktop access. Portal uses noVNC to render the VNC session directly in your browser.

Requirements

• VNC server running on the remote host (TigerVNC, TightVNC, RealVNC, x11vnc, etc.)
• Port 5900+ accessible from the Portal server
• VNC password configured on the server

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select VNC Desktop type (or Quick Add → VNC)
3. Enter host and port (default: 5900; display :1 = port 5901)
4. You'll be prompted for the VNC password on connect

Security Considerations

• VNC traffic through Portal is encrypted via WSS (WebSocket over TLS)
• Always set a strong VNC password on the server
• Consider using SSH tunneling for an additional encryption layer
• Bind VNC to localhost only and access through Portal's tunnel
• Disable clipboard sharing if not needed

RDP Desktop

Remote Desktop Protocol provides graphical access to Windows desktops and servers. Portal proxies the RDP connection through your browser.

Requirements

• Remote Desktop enabled on the Windows machine
• Port 3389 accessible from the Portal server
• User account with Remote Desktop Users group membership

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select RDP Desktop type (or Quick Add → RDP)
3. Enter the Windows host IP and port (default: 3389)
4. Enter Windows username and password when connecting

Security Considerations

• Enable Network Level Authentication (NLA) on the Windows host
• Use strong passwords and consider enabling 2FA for Windows login
• Keep Windows updated to patch RDP vulnerabilities
• Restrict RDP access via Windows Firewall to Portal's IP only
• All traffic is encrypted via Portal's TLS connection

SPICE Console

SPICE (Simple Protocol for Independent Computing Environments) provides high-performance remote access to virtual machines, commonly used with KVM/QEMU/Proxmox.

Requirements

• SPICE server configured on the VM (KVM/QEMU/Proxmox)
• SPICE port accessible from the Portal server
• SPICE viewer support via Portal's web client

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select SPICE Console type
3. Enter the hypervisor host and SPICE port for the VM
4. For Proxmox VMs, the SPICE port is assigned dynamically — check the VM settings

Security Considerations

• Configure SPICE with TLS encryption on the hypervisor
• Set a SPICE password for the VM
• Restrict SPICE port access to the Portal server IP only

Telnet

Telnet provides unencrypted remote terminal access. Used primarily for legacy network equipment (switches, routers) that don't support SSH.

Requirements

• Telnet service running on the remote host
• Port 23 accessible from the Portal server

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Telnet type
3. Enter host and port (default: 23)

Security Considerations

• Warning: Telnet transmits credentials and data in plaintext
• Only use for legacy devices on isolated/trusted networks
• Portal's TLS encrypts the browser-to-Portal leg, but Portal-to-device is unencrypted
• Migrate to SSH wherever possible
• Use VLANs or firewall rules to isolate Telnet-only devices

Plex

Plex is a media server that organizes your movies, TV shows, music, and photos and streams them to any device.

Requirements

• Plex Media Server installed and running
• Port 32400 accessible from the Portal server
• Plex account configured (or local auth enabled)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Plex type (or Quick Add → Plex)
3. Enter the Plex server host and port (default: 32400)
4. Access the Plex web interface through Portal's proxy

Security Considerations

• Enable Plex's built-in HTTPS (Settings → Network → Secure connections: Required)
• Set List of IP addresses and networks that are allowed without auth to only include Portal's IP
• Disable DLNA if not needed
• Keep Plex Media Server updated

Jellyfin

Jellyfin is a free, open-source media server — a fork of Emby. It manages and streams your media library without requiring an account on external servers.

Requirements

• Jellyfin server installed and running
• Port 8096 (HTTP) or 8920 (HTTPS) accessible from Portal
• Admin account created during initial setup

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Jellyfin type (or Quick Add → Jellyfin)
3. Enter host and port (default: 8096 for HTTP, 8920 for HTTPS)
4. Log in with your Jellyfin credentials through Portal

Security Considerations

• Enable HTTPS in Jellyfin (Dashboard → Networking)
• Set Known proxies to Portal's IP address
• Enable login rate limiting in Jellyfin settings
• Disable remote access if only accessing through Portal

Emby

Emby is a media server that automatically organizes your personal media and streams it to any device.

Requirements

• Emby Server installed and running
• Port 8096 (HTTP) or 8920 (HTTPS) accessible
• Emby account configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Emby type
3. Enter host and port (default: 8096)
4. Access Emby's web dashboard through Portal

Security Considerations

• Enable HTTPS in Emby's network settings
• Configure Emby's API key for trusted applications
• Set up user-level permissions for library access

Navidrome

Navidrome is a self-hosted music server and streamer compatible with Subsonic/Airsonic clients.

Requirements

• Navidrome installed and running
• Port 4533 accessible from Portal
• Music library configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Navidrome type
3. Enter host and port (default: 4533)
4. Create your admin account on first access

Security Considerations

• Set ReverseProxyWhitelist to Portal's IP in Navidrome config
• Enable password complexity requirements
• Use HTTPS (configure TLS or rely on Portal's proxy)

Audiobookshelf

Audiobookshelf is a self-hosted audiobook and podcast server with a web player, mobile apps, and library management.

Requirements

• Audiobookshelf installed and running
• Port 13378 accessible from Portal
• Audiobook/podcast library configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Audiobookshelf type
3. Enter host and port (default: 13378)
4. Log in with your Audiobookshelf credentials

Security Considerations

• Set a strong admin password during initial setup
• Configure trusted proxies if using Portal as reverse proxy
• Enable server-side backups for library metadata

Sonarr

Automated TV show downloading and management. Monitors RSS feeds, searches indexers, and manages your TV library.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Sonarr type
3. Enter host and port (default: 8989)
4. Access the web UI through Portal

Radarr

Automated movie downloading and management. Finds, downloads, and organizes your movie collection.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Radarr type
3. Enter host and port (default: 7878)
4. Access the web UI through Portal

Lidarr

Automated music downloading and management. Monitors artists and albums across indexers.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Lidarr type
3. Enter host and port (default: 8686)
4. Access the web UI through Portal

Readarr

Automated ebook and audiobook management. Tracks authors and books across indexers.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Readarr type
3. Enter host and port (default: 8787)
4. Access the web UI through Portal

Prowlarr

Indexer manager for the *arr stack. Centralizes indexer configuration and syncs to Sonarr, Radarr, Lidarr, etc.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Prowlarr type
3. Enter host and port (default: 9696)
4. Access the web UI through Portal

Bazarr

Automated subtitle downloading companion for Sonarr and Radarr.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Bazarr type
3. Enter host and port (default: 6767)
4. Access the web UI through Portal

Jellyseerr

Media request and discovery tool for Jellyfin. Users can request movies and TV shows which auto-download via Sonarr/Radarr.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Jellyseerr type
3. Enter host and port (default: 5055)
4. Access the web UI through Portal

Overseerr

Media request and discovery tool for Plex. The Plex equivalent of Jellyseerr.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Overseerr type
3. Enter host and port (default: 5055)
4. Access the web UI through Portal

Tautulli

Plex monitoring and statistics dashboard. Tracks viewing history, user activity, and server health.

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Tautulli type
3. Enter host and port (default: 8181)
4. Access the web UI through Portal

SABnzbd

SABnzbd is an open-source Usenet download client with a web interface.

Requirements

• SABnzbd installed and running
• Port 8080 accessible
• Usenet provider configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select SABnzbd type
3. Enter host and port (default: 8080)
4. Log in with SABnzbd credentials

Security Considerations

• Enable SABnzbd's built-in authentication
• Set host_whitelist to include Portal's hostname
• Use an API key for automated access from *arr apps

qBittorrent

qBittorrent is an open-source BitTorrent client with a feature-rich web UI.

Requirements

• qBittorrent installed with Web UI enabled
• Port 8080 accessible
• Web UI authentication configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select qBittorrent type
3. Enter host and port (default: 8080)
4. Log in with qBittorrent Web UI credentials (default: admin/adminadmin)

Security Considerations

• Change the default password immediately (admin/adminadmin)
• Enable HTTPS in qBittorrent settings if available
• Bind the Web UI to localhost and access only through Portal
• Set Bypass authentication for clients on localhost carefully

Transmission

Transmission is a lightweight BitTorrent client with a clean web interface.

Requirements

• Transmission daemon running with web UI enabled
• Port 9091 accessible
• RPC authentication configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Transmission type
3. Enter host and port (default: 9091)
4. Configure rpc-whitelist in settings.json to include Portal's IP

Security Considerations

• Set rpc-authentication-required: true in settings.json
• Configure rpc-whitelist to only allow Portal's IP
• Use a strong RPC password

Nextcloud

Nextcloud is a self-hosted productivity platform — file sync, calendar, contacts, office documents, and hundreds of apps.

Requirements

• Nextcloud server installed (with Apache/Nginx and PHP)
• Port 443 (HTTPS) or 80 (HTTP) accessible
• Admin account created

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Nextcloud type (or Quick Add → Nextcloud)
3. Enter host and port (default: 443 for HTTPS)
4. Log in with your Nextcloud credentials

Security Considerations

• Always use HTTPS — Nextcloud strongly recommends it
• Add Portal's domain to trusted_domains in config.php
• Set trusted_proxies to Portal's IP address
• Enable 2FA in Nextcloud for all users
• Configure brute force protection (bruteforce app)

Immich

Immich is a self-hosted Google Photos alternative with machine learning-powered face recognition, object detection, and smart search.

Requirements

• Immich server running (Docker recommended)
• Port 2283 accessible
• PostgreSQL database configured (included in Docker setup)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Immich type
3. Enter host and port (default: 2283)
4. Create admin account on first access

Security Considerations

• Set IMMICH_TRUSTED_PROXIES to Portal's IP
• Use strong admin password
• Back up the PostgreSQL database regularly
• GPU recommended for ML features but not required

PhotoPrism

PhotoPrism is an AI-powered self-hosted photo management app with automatic tagging, face recognition, and map views.

Requirements

• PhotoPrism running (Docker recommended)
• Port 2342 accessible
• At least 2 CPU cores and 4GB RAM recommended

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select PhotoPrism type
3. Enter host and port (default: 2342)
4. Log in with admin credentials (set via PHOTOPRISM_ADMIN_PASSWORD)

Security Considerations

• Set a strong admin password via environment variable
• Enable read-only mode if only viewing
• Configure PHOTOPRISM_SITE_URL to match Portal's proxy URL

Syncthing

Syncthing is a continuous file synchronization program that syncs files between devices in real time, without a central server.

Requirements

• Syncthing running on the host
• Web GUI port 8384 accessible
• Sync protocol port 22000 accessible between sync peers

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Syncthing type
3. Enter host and port (default: 8384)
4. Access the Syncthing web GUI through Portal

Security Considerations

• Set a GUI password in Syncthing settings
• Configure gui.insecureAdminAccess carefully
• Use device IDs for peer authentication (built-in)

Paperless-ngx

Paperless-ngx is a document management system that scans, indexes, and archives your physical documents with OCR.

Requirements

• Paperless-ngx running (Docker recommended)
• Port 8000 accessible
• OCR dependencies installed (Tesseract, included in Docker)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Paperless-ngx type
3. Enter host and port (default: 8000)
4. Log in with superuser credentials created during setup

Security Considerations

• Set PAPERLESS_URL to match the Portal proxy URL
• Add Portal's IP to PAPERLESS_TRUSTED_PROXIES
• Use strong passwords — documents contain sensitive info
• Enable automatic document encryption if available

Calibre-Web

Calibre-Web is a web app for browsing, reading, and downloading ebooks from a Calibre library database.

Requirements

• Calibre-Web running
• Calibre library database (metadata.db) accessible
• Port 8083 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Calibre-Web type
3. Enter host and port (default: 8083)
4. Default credentials: admin / admin123 — change immediately

Security Considerations

• Change default admin password on first login
• Enable upload protection
• Configure user permissions per-library

Komga

Komga is a media server for comics, mangas, BDs, and magazines with OPDS support and a web reader.

Requirements

• Komga running (Java 17+ required)
• Port 25600 accessible
• Comic/manga library configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Komga type
3. Enter host and port (default: 25600)
4. Create admin account on first access

Security Considerations

• Set a strong admin password
• Configure user-level library permissions
• Komga supports API key authentication for automated access

File Browser

File Browser is a lightweight web-based file manager with upload/download, editing, and sharing capabilities.

Requirements

• File Browser installed and running
• Port 8080 accessible
• File system path configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select File Browser type
3. Enter host and port (default: 8080)
4. Default credentials: admin / admin — change immediately

Security Considerations

• Change default credentials immediately
• Restrict the base directory scope
• Enable HTTPS if accessing directly
• Configure user permissions to limit file access

Proxmox VE

Proxmox Virtual Environment is an open-source server virtualization platform for KVM VMs and LXC containers.

Requirements

• Proxmox VE installed on the host
• Port 8006 (HTTPS) accessible from Portal
• User account with appropriate permissions (PVEAdmin or custom role)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Proxmox VE type (or Quick Add → Proxmox)
3. Enter the Proxmox host and port (default: 8006)
4. Portal connects via the Proxmox API — enter your Proxmox credentials when prompted

Security Considerations

• Proxmox uses self-signed certificates by default — Portal can handle this
• Create a dedicated API user with limited permissions instead of using root
• Use API tokens instead of passwords: Datacenter → Permissions → API Tokens
• Enable Proxmox 2FA for admin accounts
• Restrict Proxmox web access to Portal's IP via firewall

Cockpit

Cockpit is a web-based Linux server management interface. It provides real-time system monitoring, terminal access, container management, and storage administration.

Requirements

• Cockpit installed (apt install cockpit on Debian/Ubuntu)
• Port 9090 accessible
• Linux user account with sudo access

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Cockpit type
3. Enter host and port (default: 9090)
4. Log in with your Linux system credentials

Security Considerations

• Cockpit uses system PAM authentication — same as SSH
• Configure /etc/cockpit/cockpit.conf to set allowed origins for Portal
• Enable certificate-based authentication if available
• Restrict access via firewall rules

Home Assistant

Home Assistant is an open-source home automation platform that integrates with 2000+ smart home devices and services.

Requirements

• Home Assistant running (HAOS, Docker, or Core)
• Port 8123 accessible from Portal
• Admin account configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Home Assistant type (or Quick Add → Home Assistant)
3. Enter host and port (default: 8123)
4. Log in with your Home Assistant credentials

Security Considerations

• Add Portal's IP to trusted_proxies in configuration.yaml:
• Set use_x_forwarded_for: true in the HTTP integration
• Generate a Long-Lived Access Token for API integrations
• Enable 2FA (TOTP) for all Home Assistant accounts
• Keep Home Assistant and integrations updated

Node-RED

Node-RED is a flow-based programming tool for wiring IoT devices, APIs, and online services with a browser-based editor.

Requirements

• Node-RED installed and running (Node.js required)
• Port 1880 accessible
• Admin authentication configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Node-RED type
3. Enter host and port (default: 1880)
4. Access the flow editor through Portal

Security Considerations

• Enable authentication — Node-RED has no auth by default
• Set adminAuth in settings.js with bcrypt-hashed passwords
• Configure httpNodeAuth to protect HTTP endpoints in flows
• Restrict editor access to admin users only

n8n

n8n is a workflow automation tool similar to Zapier/Make but self-hosted, with 200+ integrations and a visual flow editor.

Requirements

• n8n running (Docker or npm install)
• Port 5678 accessible
• Owner account configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select n8n type
3. Enter host and port (default: 5678)
4. Log in with your n8n owner credentials

Security Considerations

• Set N8N_PROTOCOL=https if terminating TLS at n8n
• Configure N8N_HOST and WEBHOOK_URL to match Portal proxy URL
• Enable user management for multi-user setups
• Review workflow permissions — workflows can execute arbitrary code

Vaultwarden

Vaultwarden is an unofficial Bitwarden-compatible server written in Rust. It provides password management with full Bitwarden client compatibility.

Requirements

• Vaultwarden running (Docker recommended)
• Port 80 or 443 accessible
• HTTPS strongly recommended (required for browser extensions)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Vaultwarden type
3. Enter host and port (default: 80)
4. Create your account on first access

Security Considerations

• HTTPS is mandatory for Bitwarden clients to work
• Set ADMIN_TOKEN environment variable to protect the admin panel
• Disable new user signups after creating your accounts: SIGNUPS_ALLOWED=false
• Enable 2FA for all vault accounts
• Back up the SQLite database and attachments/ directory regularly

Authelia

Authelia is an authentication and authorization server that provides SSO (Single Sign-On) and 2FA for your applications via a reverse proxy.

Requirements

• Authelia running (Docker recommended)
• Port 9091 accessible
• Reverse proxy (Traefik/Nginx) configured for auth forwarding

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Authelia type
3. Enter host and port (default: 9091)
4. Access the Authelia portal for login/2FA management

Security Considerations

• Configure LDAP or file-based user backend
• Enable 2FA (TOTP, WebAuthn, or Duo)
• Set up access control rules per-domain or per-path
• Use a strong JWT secret and encryption key

Uptime Kuma

Uptime Kuma is a self-hosted monitoring tool with a beautiful UI, supporting HTTP/TCP/DNS/ping monitors and notification integrations.

Requirements

• Uptime Kuma running (Docker or Node.js)
• Port 3001 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Uptime Kuma type
3. Enter host and port (default: 3001)
4. Create admin account on first access

Security Considerations

• Set a strong admin password
• Enable 2FA in user settings
• Status pages can be public — configure carefully

Pi-hole

Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole, filtering ads and trackers for all devices on your network.

Requirements

• Pi-hole installed and running
• Web interface port 80 accessible
• DNS port 53 configured on your network

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Pi-hole type (or Quick Add → Pi-hole)
3. Enter host and port (default: 80)
4. Access the admin dashboard at /admin

Security Considerations

• Set a strong web interface password (pihole -a -p)
• Restrict DNS queries to your local network only
• Keep gravity lists updated regularly
• Pi-hole v6+ has improved authentication

AdGuard Home

AdGuard Home is a network-wide ad and tracker blocker with DNS-over-HTTPS, DNS-over-TLS, and parental controls.

Requirements

• AdGuard Home installed and running
• Web UI port 3000 accessible (setup) or 80 (after setup)
• DNS port 53 configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select AdGuard Home type
3. Enter host and port (default: 3000 for setup, then typically 80)
4. Complete initial setup wizard on first access

Security Considerations

• Set a strong admin password during setup
• Enable DNS-over-HTTPS for encrypted DNS queries
• Configure access control lists for the DNS service
• The web UI port changes from 3000 to 80 after initial setup

Nginx Proxy Manager

Nginx Proxy Manager is a web UI for managing Nginx reverse proxy configurations with Let's Encrypt SSL certificate support.

Requirements

• Nginx Proxy Manager running (Docker)
• Admin port 81 accessible
• Ports 80 and 443 for proxy traffic

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Nginx Proxy Manager type
3. Enter host and port (default: 81)
4. Default login: admin@example.com / changeme

Security Considerations

• Change default credentials immediately
• Use strong passwords for all proxy host authentications
• Enable SSL for all proxy hosts
• Restrict admin access to trusted IPs

Traefik

Traefik is a modern reverse proxy and load balancer with automatic service discovery, Let's Encrypt, and Docker integration.

Requirements

• Traefik running with dashboard enabled
• Dashboard port 8080 accessible
• API enabled in Traefik config

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Traefik type
3. Enter host and port (default: 8080 for dashboard)
4. Access the Traefik dashboard

Security Considerations

• Enable dashboard authentication — it's open by default
• Use BasicAuth or ForwardAuth middleware
• Expose the dashboard only on internal networks
• Configure TLS for all entrypoints

Portainer

Portainer is a container management UI for Docker, Kubernetes, and Nomad with a clean web interface.

Requirements

• Portainer running (Docker)
• Port 9443 (HTTPS) or 9000 (HTTP) accessible
• Docker socket mounted

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Portainer type
3. Enter host and port (default: 9443 for HTTPS)
4. Create admin account on first access (within 5 minutes)

Security Considerations

• Use HTTPS (port 9443) instead of HTTP (9000)
• Create the admin account immediately — the setup expires after 5 minutes
• Use Portainer teams and roles to restrict access
• Be cautious with Docker socket access — it grants root-level control

Netdata

Netdata is a real-time performance monitoring tool with per-second metrics for CPU, memory, disk, network, and applications.

Requirements

• Netdata agent installed and running
• Port 19999 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Netdata type
3. Enter host and port (default: 19999)
4. Dashboard is accessible immediately — no login required by default

Security Considerations

• Netdata dashboard has no authentication by default
• Restrict access via firewall or use Portal as the only access point
• Configure [web].allow connections from in netdata.conf
• Consider Netdata Cloud for centralized access with auth

Dozzle

Dozzle is a real-time log viewer for Docker containers with a clean web interface. No database required — it reads directly from Docker.

Requirements

• Dozzle running (Docker)
• Port 8080 accessible
• Docker socket mounted read-only

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Dozzle type
3. Enter host and port (default: 8080)
4. Container logs are visible immediately

Security Considerations

• Enable authentication: set DOZZLE_USERNAME and DOZZLE_PASSWORD
• Mount Docker socket as read-only (/var/run/docker.sock:/var/run/docker.sock:ro)
• Container logs may contain sensitive information

Homepage

Homepage is a modern, fully static, fast dashboard with service integrations, bookmarks, and widgets.

Requirements

• Homepage running (Docker recommended)
• Port 3000 accessible
• Configuration via YAML files

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Homepage type
3. Enter host and port (default: 3000)

Security Considerations

• Homepage has no built-in authentication — rely on Portal for access control
• API keys for service widgets should use read-only tokens
• Sensitive service URLs are exposed in the config

Homarr

Homarr is a customizable dashboard for your self-hosted services with drag-and-drop tiles, integrations, and a clean UI.

Requirements

• Homarr running (Docker)
• Port 7575 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Homarr type
3. Enter host and port (default: 7575)
4. Customize your dashboard layout in the web UI

Security Considerations

• Enable Homarr's built-in authentication
• Use read-only API keys for service integrations
• Password-protect the settings page

Organizr

Organizr is a dashboard that combines all your self-hosted services into one tabbed interface with user management and SSO.

Requirements

• Organizr running (PHP + web server)
• Port 80 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Organizr type
3. Enter host and port (default: 80)
4. Complete the setup wizard on first access

Security Considerations

• Set a strong admin password during setup
• Configure user groups and tab permissions
• Enable Organizr's built-in authentication for all tabs

TrueNAS

TrueNAS is a network-attached storage OS (based on FreeBSD/Linux) with a web-based management interface for ZFS pools, shares, and plugins.

Requirements

• TrueNAS installed on dedicated hardware or VM
• Web UI port 443 (HTTPS) or 80 (HTTP) accessible
• Admin account configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select TrueNAS type
3. Enter host and port (default: 443)
4. Log in with your TrueNAS admin credentials

Security Considerations

• Always use HTTPS for the web interface
• Set a strong root/admin password
• Enable 2FA for the web interface
• Configure network ACLs for management access
• Keep TrueNAS updated for ZFS and security patches

pfSense

pfSense is an open-source firewall and router platform based on FreeBSD with a comprehensive web-based management interface.

Requirements

• pfSense installed on dedicated hardware or VM
• Web UI port 443 (HTTPS) accessible from Portal
• Admin account configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select pfSense type
3. Enter host and port (default: 443)
4. Log in with pfSense admin credentials

Security Considerations

• Always use HTTPS for the web configurator
• Change the default admin password immediately
• Enable CSRF protection (enabled by default)
• Restrict web configurator access to specific IPs/subnets
• Enable SSH with key authentication only if remote CLI needed

Grafana

Grafana is an open-source analytics and visualization platform for metrics from Prometheus, InfluxDB, Elasticsearch, and more.

Requirements

• Grafana server running
• Port 3000 accessible
• Data source configured (Prometheus, InfluxDB, etc.)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Grafana type
3. Enter host and port (default: 3000)
4. Default login: admin / admin — change on first login

Security Considerations

• Change default admin password on first login
• Configure root_url in grafana.ini to match Portal proxy URL
• Set [security].cookie_secure = true
• Disable anonymous access unless intentional
• Use org-level permissions for multi-tenant setups

Prometheus

Prometheus is a time-series database and monitoring system with a powerful query language (PromQL) and alerting.

Requirements

• Prometheus server running
• Port 9090 accessible
• Scrape targets configured in prometheus.yml

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Prometheus type
3. Enter host and port (default: 9090)
4. Access the Prometheus web UI for querying and alerts

Security Considerations

• Prometheus has no built-in authentication
• Restrict access via firewall — use Portal as the sole access point
• Consider using --web.config.file for basic auth (Prometheus 2.24+)
• Metrics may expose sensitive infrastructure information

Jupyter Notebook

Jupyter Notebook is an interactive computing environment for creating documents with live code, equations, and visualizations.

Requirements

• Jupyter Notebook/Lab running
• Port 8888 accessible
• Token or password authentication configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Jupyter Notebook type
3. Enter host and port (default: 8888)
4. Enter the Jupyter token or password to access

Security Considerations

• Always set a password or token (jupyter notebook password)
• Configure NotebookApp.allow_origin for Portal's domain
• Jupyter can execute arbitrary code — restrict access carefully
• Consider JupyterHub for multi-user setups with proper auth

Gitea

Gitea is a lightweight, self-hosted Git service with a GitHub-like web interface, issue tracking, and CI/CD.

Requirements

• Gitea running (single binary or Docker)
• Port 3000 (HTTP) accessible
• SSH port 22 or 2222 for Git SSH operations

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Gitea type
3. Enter host and port (default: 3000)
4. Complete initial configuration on first access

Security Considerations

• Set ROOT_URL in app.ini to match Portal's proxy URL
• Disable self-registration if not needed: DISABLE_REGISTRATION = true
• Enable 2FA for all user accounts
• Configure SSH keys for Git push/pull operations

GitLab

GitLab is a complete DevOps platform with Git hosting, CI/CD pipelines, container registry, and project management.

Requirements

• GitLab installed (Omnibus package or Docker)
• Port 80/443 accessible
• Minimum 4GB RAM (8GB recommended)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select GitLab type
3. Enter host and port (default: 80 or 443)
4. Get the initial root password from /etc/gitlab/initial_root_password

Security Considerations

• Change the root password immediately after first login
• Configure external_url in gitlab.rb to match Portal's URL
• Disable sign-up if not needed: gitlab_rails['gitlab_signup_enabled'] = false
• Enable 2FA enforcement for all users
• Keep GitLab updated — it gets frequent security patches

code-server

code-server runs VS Code in the browser, providing a full IDE experience remotely with extensions, terminal, and Git integration.

Requirements

• code-server installed and running
• Port 8080 accessible
• Password configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select code-server type
3. Enter host and port (default: 8080)
4. Enter the password set in ~/.config/code-server/config.yaml

Security Considerations

• Always set a strong password in the config
• Configure proxy-domain if using Portal as reverse proxy
• code-server provides full terminal access — treat it like SSH
• Consider hashed passwords for the config file

GitHub

GitHub integration connects Portal to your GitHub repositories, enabling code browsing, issue tracking, and repository management directly from the Portal dashboard.

Requirements

• GitHub account or GitHub Enterprise instance
• Personal access token with appropriate scopes
• Internet access from Portal server (for github.com)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select GitHub type
3. For GitHub.com, use host github.com and port 443
4. For GitHub Enterprise, enter your instance host and port
5. Configure your personal access token in the connection settings

Security Considerations

• Use fine-grained personal access tokens with minimal scopes
• Rotate tokens regularly
• Never share tokens — Portal encrypts them at rest
• For Enterprise, ensure TLS is configured on your instance

HTTP Service

Generic HTTP connection for any unencrypted web service. This connection type opens in Portal's embedded browser with navigation controls, address bar, and full TLS encryption through the portal. Portal acts as a reverse proxy, adding TLS on the browser-facing side.

Requirements

• Target HTTP service running
• Port accessible from Portal server

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select HTTP Service type
3. Enter the target host and port (default: 80)
4. Access the service through Portal's proxy URL

Security Considerations

• Traffic between Portal and the target is unencrypted — only use on trusted networks
• Portal adds TLS encryption on the browser-to-Portal leg
• Prefer the HTTPS type when the target supports TLS

HTTPS Service

Generic HTTPS connection for any TLS-encrypted web service. This connection type opens in Portal's embedded browser with navigation controls, address bar, and full TLS encryption through the portal. Portal proxies requests while maintaining end-to-end encryption to the target.

Requirements

• Target HTTPS service running with a valid or self-signed certificate
• Port accessible from Portal server

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select HTTPS Service type
3. Enter the target host and port (default: 443)
4. Access the service through Portal's proxy URL

Security Considerations

• Ensures end-to-end encryption from browser through Portal to the target
• Verify the target's TLS certificate is valid
• Use this type for any service that supports HTTPS

MySQL

MySQL is the world's most popular open-source relational database.

Requirements

• MySQL/MariaDB server running
• Port 3306 accessible from Portal
• User account with appropriate grants

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Database type with MySQL config
3. Enter host and port (default: 3306)
4. Configure the database user with remote access grants

Security Considerations

• Never use the root account for remote access
• Create dedicated users with minimal privileges: GRANT SELECT ON db.* TO 'user'@'portal_ip'
• Bind MySQL to specific interfaces (not 0.0.0.0) if possible
• Use TLS connections: configure require_secure_transport=ON
• Traffic is encrypted between browser and Portal via TLS

PostgreSQL

PostgreSQL is an advanced open-source relational database known for reliability and standards compliance.

Requirements

• PostgreSQL server running
• Port 5432 accessible
• User role configured in pg_hba.conf for remote access

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select PostgreSQL type
3. Enter host and port (default: 5432)
4. Configure pg_hba.conf to allow connections from Portal's IP

Security Considerations

• Edit pg_hba.conf to restrict access: host all user portal_ip/32 scram-sha-256
• Use scram-sha-256 authentication (not md5 or trust)
• Create role-specific users with minimal privileges
• Enable SSL: set ssl = on in postgresql.conf

MariaDB

MariaDB is a community-developed fork of MySQL with enhanced performance and additional storage engines.

Requirements

• MariaDB server running
• Port 3306 accessible
• User with remote access grants

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select MariaDB type
3. Enter host and port (default: 3306)
4. Same configuration as MySQL

Security Considerations

• Same security practices as MySQL apply
• Use ed25519 authentication plugin for stronger password hashing
• Configure bind-address to limit listening interfaces

Redis

Redis is an in-memory data store used as a database, cache, and message broker.

Requirements

• Redis server running
• Port 6379 accessible
• Authentication configured (recommended)

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Redis type
3. Enter host and port (default: 6379)

Security Considerations

• Set a password: requirepass in redis.conf
• Bind to specific interfaces: bind 127.0.0.1 portal_ip
• Disable dangerous commands: rename-command FLUSHALL ""
• Enable TLS if your Redis version supports it (6.0+)
• Redis has no user-level permissions in OSS — use ACLs in Redis 6+

MongoDB

MongoDB is a document-oriented NoSQL database designed for scalability and flexibility.

Requirements

• MongoDB server running
• Port 27017 accessible
• Authentication enabled

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select MongoDB type
3. Enter host and port (default: 27017)

Security Considerations

• Enable authentication: security.authorization: enabled in mongod.conf
• Create users with specific database roles
• Bind to specific IPs: net.bindIp: 127.0.0.1,portal_ip
• Enable TLS/SSL for connections
• Disable the MongoDB HTTP interface if enabled

Elasticsearch

Elasticsearch is a distributed search and analytics engine used for log analysis, full-text search, and metrics. This connection type opens in Portal's embedded browser with navigation controls, address bar, and full TLS encryption through the portal.

Requirements

• Elasticsearch running
• Port 9200 (HTTP API) accessible
• Minimum 2GB heap memory

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Elasticsearch type
3. Enter host and port (default: 9200)

Security Considerations

• Enable X-Pack security (built-in since 6.8/7.1)
• Set xpack.security.enabled: true
• Configure TLS for transport and HTTP layers
• Use role-based access control (RBAC)
• Elasticsearch exposes cluster data — restrict access carefully

InfluxDB

InfluxDB is a time-series database optimized for metrics, events, and real-time analytics. This connection type opens in Portal's embedded browser with navigation controls, address bar, and full TLS encryption through the portal.

Requirements

• InfluxDB running (v2 recommended)
• Port 8086 accessible
• Organization and bucket configured

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select InfluxDB type
3. Enter host and port (default: 8086)
4. InfluxDB 2.x uses token-based auth — generate a token in the UI

Security Considerations

• Use API tokens with minimal permissions (read-only where possible)
• Enable HTTPS: tls-cert and tls-key in config
• Set token expiration policies
• InfluxDB 1.x: enable authentication with auth-enabled = true

Custom / Generic

Custom connections allow you to proxy any TCP service through Portal. Use this for services not covered by other types.

Requirements

• Target service running and accessible on a TCP port
• Port accessible from the Portal server

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Custom type
3. Enter the host, port, and a descriptive name
4. Portal will create a TCP tunnel to the target

Security Considerations

• Ensure the target service has its own authentication
• Portal encrypts the browser-to-server leg via TLS
• The Portal-to-target leg uses your internal network — secure accordingly

HTTP Proxy

Generic HTTP reverse proxy for any web-based service. This connection type opens in Portal's embedded browser with tabbed browsing, multi-site navigation, address bar, and full TLS encryption through the portal. Portal forwards HTTP requests to the target, handling TLS termination. A default "Web Browser" connection with DuckDuckGo as homepage is created automatically for all users.

Requirements

• Target HTTP service running
• Port accessible from Portal

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select HTTP Proxy type
3. Enter host and port of the target service
4. Click Connect to open the embedded browser

Browser Mode

Connections with browser_mode enabled (like the default Web Browser) support multi-site navigation — navigate to any website by typing a URL in the address bar or following links. Features include:

• Tabbed browsing — Ctrl+T (new tab), Ctrl+W (close), Ctrl+Tab (switch)
• Address bar — type full URLs, bare hostnames, or relative paths
• Navigation — back/forward (Alt+arrows), refresh (Ctrl+R), focus URL bar (Ctrl+L)
• Link handling — Ctrl+click or middle-click opens in a new tab

Security Considerations

• Portal handles TLS termination — browser-to-Portal is always encrypted
• Portal session cookies and auth headers are stripped from upstream requests
• Browser-mode targets cannot access localhost or private IPs
• Connection IDs use opaque tokens — no sequential enumeration possible
• Configure the target service to trust Portal's IP as a proxy

TCP Tunnel

Generic TCP tunnel for any non-HTTP service. Portal forwards raw TCP traffic over a WebSocket connection.

Requirements

• Target TCP service running
• Port accessible from Portal

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select TCP Tunnel type
3. Enter host and port of the target service

Security Considerations

• The WebSocket layer is encrypted via TLS
• Ensure the target service has its own authentication layer
• TCP tunnels pass raw bytes — Portal does not inspect the traffic

Secure Tunnel

Encrypted tunnel with additional security layers for sensitive connections.

Requirements

• Target service running
• Port accessible from Portal

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Secure Tunnel type
3. Enter host and port
4. Portal adds encryption on top of the standard TCP tunnel

Security Considerations

• Double encryption: WebSocket TLS + tunnel encryption
• Use for highly sensitive services
• All traffic is encrypted end-to-end

VPN Bridge

VPN bridge for connecting to services behind a VPN gateway.

Requirements

• VPN gateway or bridge configured
• Appropriate VPN credentials

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select VPN Bridge type
3. Enter the VPN gateway host and port
4. Configure VPN-specific settings as needed

Security Considerations

• VPN traffic is encrypted by the VPN protocol
• Ensure VPN credentials are stored securely
• Use certificate-based VPN authentication when available

MediaMTX Stream

MediaMTX (formerly rtsp-simple-server) is a media server that supports RTSP, RTMP, HLS, and WebRTC for live streaming.

Requirements

• MediaMTX running
• RTSP port 8554 or API port 9997 accessible

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select MediaMTX Stream type
3. Enter host and port (default: 8554 for RTSP, 9997 for API)

Security Considerations

• Configure authentication in MediaMTX config
• Use RTSPS (encrypted RTSP) for secure streams
• Restrict publish permissions to authorized users

Media Stream

Generic media stream connection for IP cameras, RTSP sources, and other streaming endpoints.

Requirements

• Streaming source accessible (IP camera, RTSP server, etc.)
• Stream URL known

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Media Stream type
3. Enter the stream source host and port
4. Configure the stream protocol (RTSP, HTTP, etc.)

Security Considerations

• Change default camera passwords (many ship with admin/admin)
• Use RTSP over TCP instead of UDP where possible
• Isolate cameras on a separate VLAN

Stream Relay

Multi-platform stream relay allows you to simultaneously broadcast to external platforms (Twitch, YouTube, Kick, other Portal instances, or any custom RTMP destination) while streaming to your Portal.

Requirements

• An active stream configured in Portal (My Streams tab)
• Account and stream key on each target platform
• Target platform's RTMP ingest URL

Setup in Portal

1. Go to Dashboard → My Streams and open your stream details
2. Scroll to the Relay Destinations section
3. Click Add Relay
4. Select a platform (Twitch, YouTube, Kick, Portal, or Custom)
5. Enter a display name for this destination
6. The RTMP URL is pre-filled for known platforms — adjust if needed
7. Enter the stream key from the target platform
8. Save the destination

When you go live, all enabled relay destinations start automatically. Relays use ffmpeg -c copy (no re-encoding) so there is minimal CPU overhead. You can enable or disable individual destinations without deleting them.

Limits

• Maximum 10 relay destinations per stream
• RTMP URL must start with rtmp:// or rtmps://

Security Considerations

• Relay credentials (RTMP URL and stream key) are encrypted at rest on the server
• Stream keys are never returned by the API — only a has_stream_key flag is shown
• Only the stream owner can view, add, edit, or delete relay destinations
• Keep your target platform stream keys confidential — treat them like passwords

Minecraft RCON

RCON (Remote Console) provides command-line access to a Minecraft server for administration.

Requirements

• Minecraft server with RCON enabled
• RCON port 25575 accessible
• RCON password configured in server.properties

Setup in Portal

1. Go to Dashboard → My Connections → Add Connection
2. Select Minecraft RCON type
3. Enter host and port (default: 25575)
4. Enter the RCON password when connecting

Security Considerations

• Set a strong rcon.password in server.properties
• Bind RCON to specific IPs: rcon.ip=portal_ip
• RCON transmits passwords in plaintext — Portal's TLS protects the browser leg
• Consider using RCON only on trusted networks