So I was wondering if it was possible to password protect the main site, so before someone can see the token input field, they would need to input a password?
What would the purpose of this be? The token is intended to fill the role of a password.
It was just an idea I had, to make it a bit more secure by adding a second factor. By the way, can I somehow make it so that the main site (example.com) takes me to a static website, and say tunnels.example.com takes me to the tunnel management site?
I’ve found just the token to be secure enough for my purposes. But I’m not a security expert. If you can point to some materials that indicate we need more security, I’m open to changing the way it works.
As for the admin domain, you should be able to use any domain, including tunnels.example.com. All other domains, including the root/apex, will be assumed to be tunnels. You just need to create a tunnel for example.com and point it at a static file server. If it’s not working this way that’s a bug.
Thank you, it worked! Now the admin panel is on a subdomain and I am not concerned anymore.