Web Assets
The Web Asset feature helps you protect internal websites in a safer way. Compared with exposing websites directly to the public internet, it provides two major benefits:
- Stronger authentication: users must sign in to Next Terminal before they can access the target website.
- Fine-grained authorization: website access can be granted to specific users only.
Common Scenarios
Scenario 1: Restrict access to public-IP websites
- Problem: Your website has a public IP, but you do not want unrestricted access. Traditional IP allowlists are hard to use when users have dynamic IP addresses.
- Solution: Restrict target website access to only the Next Terminal server IP. Then publish the site through Next Terminal and grant permissions to specific users. You can combine this with LDAP/OIDC for unified identity management.
Scenario 2: Unified access to internal systems across multiple clouds
- Problem: Internal websites are distributed across multiple clouds or data centers, and exposing them publicly increases risk.
- Solution: Deploy Security Gateway agents in private networks and register them to Next Terminal. Proxy websites through Next Terminal and assign the appropriate gateway per website.
Scenario 3: Access isolated internal services
- Problem: In restricted environments (for example certain government cloud networks), internal servers may not have internet access. Traditional bastion workflows are inconvenient and hard to audit.
- Solution: Deploy a Security Gateway on a jump host that can reach the internal network, then use Next Terminal as the unified entry point for SSH/Web access with full auditing.
Prerequisites
- Next Terminal is deployed successfully.
- You own a domain and can configure DNS records.
- The internal websites you want to proxy are already running.
Configuration Guide
The process has two major steps:
- Enable and configure the Next Terminal reverse proxy service.
- Add the website assets you want to protect.
Step 1: Enable Reverse Proxy
This step is completed on the Next Terminal server.
1. Update config.yaml
Open config.yaml and add ReverseProxy under App.
```yaml
App:
  # ... (other settings omitted)
  ReverseProxy:
    Enabled: true # enable reverse proxy
    HttpEnabled: true # listen on HTTP (port 80)
    HttpAddr: ":80"
    HttpRedirectToHttps: false
    HttpsEnabled: true # listen on HTTPS (port 443)
    HttpsAddr: ":443"
    SelfProxyEnabled: true
    SelfDomain: "nt.yourdomain.com"
    Root: ""
    IpExtractor: "direct"
    IpTrustList:
      - "0.0.0.0/0"
```
Key Configuration Notes
SelfProxyEnabled, SelfDomain, and Root are core settings. They determine how the browser is redirected to the Next Terminal login page when a user requests a protected website.
Recommended (SelfProxyEnabled: true)
- Setting: set SelfProxyEnabled to true, and set SelfDomain to your Next Terminal domain (for example nt.yourdomain.com).
- Effect: users access the Next Terminal UI through this domain.
- Advantage: simpler setup and cleaner auth flow. If a user is not logged in, they are redirected to https://nt.yourdomain.com automatically.
Alternative (SelfProxyEnabled: false)
- Setting: set SelfProxyEnabled to false, and set Root to your Next Terminal address (for example https://1.2.3.4:8088).
- Effect: users continue to access Next Terminal via IP:port.
- Use case: use this when you do not want to assign a domain to Next Terminal itself. Root ensures correct login redirect URLs.
Authorization Flow
No matter which mode you choose, the goal is the same: when a user accesses a protected website, the reverse proxy checks login and authorization status first. If validation fails, the user is redirected to the correct login page (step 4).
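The check described above, sketched as an added Go example (not Next Terminal's own code). The Gate and Asset types, the session cookie name, and the /login?redirect= path are assumptions made for illustration; the hostnames are the sample values used on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

type Asset struct { // hypothetical record for one protected website
	Upstream *url.URL        // internal address, e.g. http://192.168.1.10:80
	Allowed  map[string]bool // users granted access to this asset
}
type Gate struct { // field names and the /login path are assumptions
	LoginBase string            // "https://" + SelfDomain, or the Root value
	Assets    map[string]*Asset // keyed by each asset's Domain
	Sessions  map[string]string // constructed session store: token -> user
}

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host, _, _ := strings.Cut(strings.ToLower(r.Host), ":") // drop any port
	asset, ok := g.Assets[host]
	if !ok { // wildcard DNS delivers any name here; never forward unknown hosts
		http.NotFound(w, r)
		return
	}
	user := ""
	if c, err := r.Cookie("session"); err == nil {
		user = g.Sessions[c.Value]
	}
	if user == "" { // not logged in: return URL is built from the matched domain
		back := url.QueryEscape("https://" + host + r.URL.RequestURI())
		http.Redirect(w, r, g.LoginBase+"/login?redirect="+back, http.StatusFound)
		return
	}
	if !asset.Allowed[user] { // logged in, but this asset was not granted
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	httputil.NewSingleHostReverseProxy(asset.Upstream).ServeHTTP(w, r)
}

func main() { // constructed demo: an anonymous request is redirected to login
	g := &Gate{LoginBase: "https://nt.yourdomain.com", Assets: map[string]*Asset{"gitlab.yourdomain.com": {}}}
	rec := httptest.NewRecorder()
	g.ServeHTTP(rec, httptest.NewRequest("GET", "http://gitlab.yourdomain.com/a", nil))
	fmt.Println(rec.Code, rec.Header().Get("Location"))
}
```

In the SelfProxyEnabled: false mode, LoginBase would carry the Root value instead of the SelfDomain URL; the order of the checks stays the same.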

2. Expose ports in Docker Compose
If you deploy with Docker Compose, edit docker-compose.yml and map ports 80 and 443.
```yaml
# ... (in docker-compose.yml)
services:
  # ...
  next-terminal:
    # ... (other settings)
    ports:
      - "8088:8088" # Web admin UI
      - "2022:2022" # SSH Server (optional)
      - "80:80"
      - "443:443"
    # ... (other settings)
```
3. Restart service
After saving, restart Next Terminal.
For Docker Compose:
```shell
docker compose down
docker compose up -d
```
Step 2: Add and Access Web Assets
After the reverse proxy is enabled, add the websites you want to protect.
1. Configure DNS
Point your website domain to the public IP of your Next Terminal server.
For example, if internal GitLab runs on 192.168.1.10, point gitlab.yourdomain.com to the Next Terminal server.
Tip
If you have many websites, configure a wildcard DNS record (for example *.yourdomain.com) to avoid updating DNS for each new site.
2. Add asset in Next Terminal
In Next Terminal, create a new Web Asset.

Field descriptions:
- Name: display name of the asset (for example Internal GitLab).
- Domain: the domain users type in browser (for example gitlab.yourdomain.com).
  Important
  This domain must be unique. It cannot conflict with Next Terminal SelfDomain or other Web Assets. Domain is used by reverse proxy for routing.
- Entry Path: default website path, usually / or empty.
- Protocol: internal website protocol, HTTP or HTTPS.
- Asset IP: internal IP or internal domain (for example 192.168.1.10).
- Asset Port: internal website port (for example 80).
- Security Gateway: select a gateway when the target website is not directly reachable from the Next Terminal server.
3. Authorize and access
- Grant access permission for this Web Asset to users or groups.
- Authorized users can directly open the configured domain (for example gitlab.yourdomain.com). Next Terminal will handle login and permission checks automatically.
Advanced Features
Some websites return fixed URLs. You can use Modify Response to rewrite response content.

For websites that still need partial public access, you can narrow exposure with IP, geo-location, or passphrase controls.

For clients without fixed public IPs, a temporary allowlist is supported. Users can add their current IP with one click. The entry expires automatically, and active usage can extend its validity.

