    mikhail
    @mikhail:mehome.dev
    [m]
    wtweeku
    @wtweeku:matrix.org
    [m]
    nice thank you
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
      default_policy: deny
      rules:
        - domain: "*"
          policy: bypass
          networks:
            - 192.168.1.0/24
        - domain:
            - "*.domain.com"
            - "domain.com"
          policy: two_factor
        - domain:
            - 'radarr.domain.com'
          resources:
            - 'api([?\/].*)?$'
          policy: bypass
        - domain:
            - 'sabnzbd.domain.com'
          resources:
            - 'api([?\/].*)?$'
          policy: bypass
    That's my config
    James
    @james:authelia.com
    [m]
    The pattern I provided matches perfectly with that URL
    You have to adjust the domain portion, but otherwise it's fine
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    I pasted it in regex 101 and it stated that there was not a match
    mikhail
    @mikhail:mehome.dev
    [m]
    make sure you select golang, and leave the domain out
    only paste the path
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    but doesn't it need the whole string with the domain, or does Authelia only match the path?
    James
    @james:authelia.com
    [m]
    "The resources section doesn't match the entire URL, it only matches the path"
    I literally said this right before you said "I pasted it in regex 101 and it stated that there was not a match"
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    I'm sorry
    I misread
    James
    @james:authelia.com
    [m]
    It's fine lol
    mikhail
    @mikhail:mehome.dev
    [m]
    Calan0n: I see you have port 443 in your URI, can you try without the port?
    Astral#0524
    @_discord_247176974164819968:t2bot.io
    [m]
    reaches for spritz bottle
    mikhail
    @mikhail:mehome.dev
    [m]
    so just https://sabnzbd.domain.com/api?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    sure, I'll try that
    Astral#0524
    @_discord_247176974164819968:t2bot.io
    [m]
    if using CF at all you might actually be getting blocked by that
    mikhail
    @mikhail:mehome.dev
    [m]
    And the config you sent doesn't match the regex that James posted
    James
    @james:authelia.com
    [m]
    I would suggest using the trace log level when debugging why a rule is not working
    mikhail
    @mikhail:mehome.dev
    [m]
    'api([?\/].*)?$' =/= '^/api([?/].*)?$'
    and it's VERY IMPORTANT to have that ^ there
    James
    @james:authelia.com
    [m]
    Correct, api([?\/].*)?$ matches /api?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json and it matches /randompath/thisisapi?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json
    mikhail
    @mikhail:mehome.dev
    [m]
    ^
    James
    @james:authelia.com
    [m]
    I'm relatively careful when I give people regex to match a URL, specifically because I can't guarantee an app doesn't have some other path that may match a badly formed regex pattern
    mikhail
    @mikhail:mehome.dev
    [m]
    James: The order of the rules matters right?
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
      default_policy: deny
      rules:
        - domain: "*"
          policy: bypass
          networks:
            - 192.168.1.0/24
        - domain:
            - "*.domain.com"
            - "domain.com"
          policy: two_factor
        - domain:
            - 'radarr.domain.com'
          resources:
            - '^/api([?/].*)?$'
          policy: bypass
        - domain:
            - 'sabnzbd.domain.com'
          resources:
            - '^/api([?/].*)?$'
          policy: bypass
    now I have this
    mikhail
    @mikhail:mehome.dev
    [m]
    so in his config he first has policy: two_factor for ALL domains, that means the bypasses under it won't work, right?
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    oh really?
    mikhail
    @mikhail:mehome.dev
    [m]
    access_control:
      default_policy: deny
      rules:
        - domain: "*"
          policy: bypass
          networks:
            - 192.168.1.0/24
        - domain:
            - 'radarr.domain.com'
          resources:
            - '^/api([?/].*)?$'
          policy: bypass
        - domain:
            - 'sabnzbd.domain.com'
          resources:
            - '^/api([?/].*)?$'
          policy: bypass
        - domain:
            - "*.domain.com"
            - "domain.com"
          policy: two_factor
    try that
    James
    @james:authelia.com
    [m]
    It does, but if all your rules to override default behavior are before rules that indicate your default it should be fine. Let me check the actual rules one sec.
        - domain: "*.domain.com"
          policy: bypass
          networks:
            - 192.168.1.0/24
    I'd do that one instead
    The rule order looks fine to me
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    ok thanks
    James
    @james:authelia.com
    [m]
    oh wait
    mikhail
    @mikhail:mehome.dev
    [m]
        - domain:
            - "*.domain.com"
            - "domain.com"
          policy: two_factor
    that on line 8 doesn't matter?
    James
    @james:authelia.com
    [m]
    Mikhail is right
    mikhail
    @mikhail:mehome.dev
    [m]
    :D
    James
    @james:authelia.com
    [m]
    I was reading theirs by accident lol
    mikhail
    @mikhail:mehome.dev
    [m]
    Ok so I understood it right, it walks from top to bottom, first rule it matches => the one it takes
    if it finds nothing => default_policy
    James
    @james:authelia.com
    [m]
        - domain:
            - "*.domain.com"
            - "domain.com"
          policy: two_factor
    That rule makes all subsequent rules implicitly ignored
    Yep, first rule that matches a request is applied.
    Just like firewalls
    mikhail
    @mikhail:mehome.dev
    [m]
    Calan0n: for your config: just set the default_policy to two_factor