Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    mikhail
    @mikhail:mehome.dev
    [m]
    Calan0n: i see you have port 443 in your URI, can you try without the port?
    Astral#0524
    @_discord_247176974164819968:t2bot.io
    [m]
    reaches for spritz bottle
    mikhail
    @mikhail:mehome.dev
    [m]
    so just https://sabnzbd.domain.com/api?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    sure I try that
    Astral#0524
    @_discord_247176974164819968:t2bot.io
    [m]
    if using CF at all you might actually be getting blocked by that
    mikhail
    @mikhail:mehome.dev
    [m]
    And the config you send, doesnt match the regex that james posted
    James
    @james:authelia.com
    [m]
    I would suggest using the trace log level when debugging why a rule is not working
    mikhail
    @mikhail:mehome.dev
    [m]
    'api([?\/].*)?$' =/= '^/api([?/].*)?$'
    and its VERY IMPORTANT to have that ^ there
    James
    @james:authelia.com
    [m]
    Correct, api([?\/].*)?$ matches /api?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json and it matches /randompath/thisisapi?mode=get_config&apikey=d5f8132adf2c5baed2e97a3&output=json
    mikhail
    @mikhail:mehome.dev
    [m]
    ^
    James
    @james:authelia.com
    [m]
    I'm relatively careful when I give people regex to match a URL, specifically because I can't guarantee an app doesn't have some other path that may match a badly formed regex pattern
    mikhail
    @mikhail:mehome.dev
    [m]
    James: The order of the rules matters right?
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m] 
      default_policy: deny
  rules:
    - domain: "*"
      policy: bypass
      networks:
        - 192.168.1.0/24
    - domain:
        - "*.domain.com"
        - "domain.com"
      policy: two_factor
    - domain:
        - 'radarr.domain.com'
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    - domain:
        - 'sabnzbd.domain.com'
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    now I have this
    mikhail
    @mikhail:mehome.dev
    [m]
    so in his config he first has policy: two_factor for ALL domains, that means the bypasses under it wont work right?
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    oh really?
    mikhail
    @mikhail:mehome.dev
    [m] 
    access_control:
  default_policy: deny
  rules:
    - domain: "*"
      policy: bypass
      networks:
        - 192.168.1.0/24
    - domain:
        - 'radarr.domain.com'
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    - domain:
        - 'sabnzbd.domain.com'
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    - domain:
        - "*.domain.com"
        - "domain.com"
      policy: two_factor
    try that
    James
    @james:authelia.com
    [m]
    It does, but if all your rules to override default behavior are before rules that indicate your default it should be fine. Let me check the actual rules one sec. 
        - domain: "*.domain.com"
      policy: bypass
      networks:
        - 192.168.1.0/24
    I'd do that one instead
    The rule order looks fine to me
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    ok thanks
    James
    @james:authelia.com
    [m]
    oh wait
    mikhail
    @mikhail:mehome.dev
    [m] 
        - domain:
        - "*.domain.com"
        - "domain.com"
      policy: two_factor
    that on line 8 doesnt matter?
    1 reply
    James
    @james:authelia.com
    [m]
    Mikhail is right
    mikhail
    @mikhail:mehome.dev
    [m]
    :D
    James
    @james:authelia.com
    [m]
    I was reading theirs by accident lol
    mikhail
    @mikhail:mehome.dev
    [m]
    Ok so i understood it right, it walks from top to bottom, first rules it matches => the one it takes
    if it finds nothing => default_policy
    James
    @james:authelia.com
    [m] 
        - domain:
        - "*.domain.com"
        - "domain.com"
      policy: two_factor
    That rule makes all subsequent rules implicitly ignored
    Yep, first rule that matches a request is applied.
    Just like firewalls
    mikhail
    @mikhail:mehome.dev
    [m]
    Calan0n: for your config: just set the default_policy to two_factor 
    access_control:
  default_policy: two_factor
  rules:
    - domain: "*"
      policy: bypass
      networks:
        - 192.168.1.0/24
    - domain: radarr.domain.com
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    - domain: sabnzbd.domain.com
      resources:
        - '^/api([?/].*)?$'
      policy: bypass
    Calan0n:
    Calan0n#4708
    @_discord_795033081592414208:t2bot.io
    [m]
    @Mikhail James it works perfect
    wtweeku
    @wtweeku:matrix.org
    [m]
    https://www.authelia.com/docs/features/2fa/push-notifications.html
    how do i make an account in duo.com
    mikhail
    @mikhail:mehome.dev
    [m]
    https://signup.duo.com/
    wtweeku
    @wtweeku:matrix.org
    [m]
    image.png
    1 reply
    why does it need all of this info?
    wtweeku
    @wtweeku:matrix.org
    [m]
    sick
    jaen
    @jaen:matrix.org
    [m]
    Hi, how hard would it be to get authelia/authelia#2845 (or similar) in? I'm especially interested in the invite-only mode (kind of makes me want to try Authentik, but then I remember it doesn't have as good configurability via config files as Authelia has). My knowledge of go is mostly limited to "it's just C with a garbage collector and CPS, what's the big deal", I've done a fix or two to traefik.
    tweek
    @wtweeku:matrix.org
    [m]
    i managed to get it to work with authelia
    it's awesome
    i wish there something foss like it tho
    1 reply
    Astral#0524
    @_discord_247176974164819968:t2bot.io
    [m]
    Just know duo is optional
    Southpaw1496#1397
    @_discord_349852668812066817:t2bot.io
    [m]

    Hi

    I'm wondering if Authelia would be appropriate for my use-case, or if I should look for something else:

    Basically, I have a few servers on my home network containing things that I might want to access over the internet, but since exposing things on your home network to the internet is a terrible idea, I'm going to use Cloudflare Tunnels to secure them. Tunnels is part of Cloudflare's Zero Trust offering, which also seems to be able to lock webpages behind a login gate for extra security, however, because it's designed for enterprise, it only supports SSO systems. After giving up on Keycloak, I found Authelia and noticed it has OpenID support, however, looking at the documentation it seems that my use-case might not be an intended one. But would it work?

    I have realised that I could forgo Cloudflare's authentication altogether and just use Authelia to secure everything, but would Authelia work with Cloudflare's system as well?

    2 replies