Background: I’m working on a plugin to bring CourseGraph to Tutor. A “CourseGraph” is just a Neo4j instance that has been populated with a DAG representation of all the courses in an Open edX instance, allowing site operators to make queries like “how many blocks of each type are in my course?” or “what are the IDs of all Sequence blocks which have HTML blocks as direct children?” The queries can be executed from a Web interface that Neo4j exposes.
Problem: Neo4j Community Edition leaves a lot to be desired in terms of authentication and authorization:
- SSO is not available, so Neo4j auth cannot be connected with LMS or any other auth provider.
- All Neo4j users are admins, and thus can read and write the entire course graph, as well as create new Neo4j admin users.
- 2FA is not available, so basic username/password auth would be all that is protecting an instance’s potentially-private course content from the outside world.
When I worked at edX, we solved this by just putting the Neo4j instance behind an employees-only VPN and disabling Neo4j’s built-in authentication system, giving us the level of data security we needed.
I am considering recommending that users of my CourseGraph plugin do the same.
Question: Given that Tutor exposes all its services through Caddy, is it possible to put a single Tutor-deployed service behind a VPN? Does that even make sense? (Please excuse my lack of ops knowledge here.)
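One way to answer the Caddy half of the question, as an added example that is not part of the original post and not code from Tutor or the CourseGraph plugin: Caddy v2 can gate a single site block on the client's source address, so the Neo4j Browser can be published only to peers arriving from the VPN subnet while every other Tutor host (LMS, CMS, and so on) stays untouched. The hostname `coursegraph.myopenedx.com`, the VPN range `10.8.0.0/24`, the Docker service name `neo4j`, and the idea that the plugin injects this block through Tutor's `caddyfile` patch are all assumptions for the illustration.

```caddyfile
# Added example (not from the original post): a Caddy v2 site block that
# serves the Neo4j Browser only to clients whose source address is inside
# the VPN subnet. Assumed values: hostname coursegraph.myopenedx.com,
# VPN subnet 10.8.0.0/24, a Docker service named "neo4j" reachable from
# the Caddy container, and injection via Tutor's "caddyfile" patch.

coursegraph.myopenedx.com {
    # Named matcher: matches when the TCP peer address is inside the VPN range.
    @vpn remote_ip 10.8.0.0/24

    # VPN clients are proxied through to Neo4j's HTTP interface (port 7474
    # by default), which is where Neo4j Browser is served from.
    handle @vpn {
        reverse_proxy neo4j:7474
    }

    # Everyone else gets a plain 403 and never reaches the Neo4j container.
    # Other Tutor hosts are separate site blocks and are not affected.
    handle {
        respond "Forbidden" 403
    }
}
```

Two caveats before relying on this. First, `remote_ip` keys on the address Caddy actually sees on the socket: if a load balancer or another proxy sits in front of Caddy, or the VPN server masquerades its clients, Caddy will see that intermediary's address instead, and you would need Caddy's `client_ip` matcher together with the `trusted_proxies` global option (Caddy 2.7 and later) to recover the real client address. Second, Neo4j Browser talks to the database over Bolt (port 7687 by default), not only over the HTTP port the web interface is served from, so that port must either be proxied behind the same matcher or simply not be published outside the Docker network; gating 7474 alone leaves the query path open. This reproduces the network-level gate the edX setup relied on, and leaving Neo4j's own username/password authentication enabled behind it costs little and gives a second layer if the address filter is ever misconfigured.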