aki/docker-compose-nas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(authelia): Update access control rules and remove non-existing trusted proxies configuration

Browse Source
This commit is contained in:
Jose Daniel G. Percy 2025-04-26 15:19:33 +08:00
parent 2ae84f4481
commit 026d24a3ae
3 changed files with 77 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,4 +1,5 @@
*.env *.env
*.bak
.idea .idea
docker-compose.override.yml docker-compose.override.yml
/authelia/*.yml /authelia/*.yml

21
README.md
View File

@ -388,18 +388,15 @@ The `update-setup.sh` script provides various commands to manage your configurat
* `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers. * `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
* `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates. * `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.
**Authentication Management:** **Authelia Policy Management:**
* `./update-setup.sh list-auth`: Lists all detected services in `docker-compose.yml` and shows whether Authelia authentication is enabled or disabled for them. * `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
* `./update-setup.sh enable-auth <service>`: Enables Authelia authentication for the specified `<service>` by adding the `authelia-auth@docker` middleware label in `docker-compose.yml`. * `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
* `./update-setup.sh disable-auth <service>`: Disables Authelia authentication for the specified `<service>` by removing the `authelia-auth@docker` middleware label. * `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).
* `./update-setup.sh enable-all-auth`: Attempts to enable authentication for all applicable services.
* `./update-setup.sh disable-all-auth`: Attempts to disable authentication for all applicable services.
> **Important:** After using `enable-auth`, `disable-auth`, `enable-all-auth`, or `disable-all-auth`, you **must** restart your stack for the changes to take effect: > **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
> ```bash > ```bash
> docker compose down > docker compose restart authelia
> docker compose up -d
> ``` > ```
**User & File Management:** **User & File Management:**
@ -411,9 +408,11 @@ The `update-setup.sh` script provides various commands to manage your configurat
* `./update-setup.sh help`: Displays the full list of commands and usage instructions. * `./update-setup.sh help`: Displays the full list of commands and usage instructions.
### Managing Service Authentication ### Managing Service Authentication (Authelia Policies)
Use the `update-setup.sh` script to easily control which services require Authelia login. See the `Authentication Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details. Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.
## Optional Services ## Optional Services

72
authelia/configuration.example.yml
View File

@ -4,8 +4,6 @@
# Server settings # Server settings
server: server:
address: 'tcp://0.0.0.0:9091' address: 'tcp://0.0.0.0:9091'
trusted_proxies:
- '172.16.0.0/12' # Docker networks
# Logging configuration # Logging configuration
log: log:
@ -56,14 +54,76 @@ authentication_backend:
# Access control rules # Access control rules
access_control: access_control:
default_policy: deny default_policy: deny # Deny access by default
rules: rules:
# This will match any subdomain of your specific Tailscale domain # Rules are processed in order. First match wins.
# It's recommended to put more specific rules first.
# 1. Bypass rules (No authentication required)
# Allow access to Authelia's own endpoints
- domain: '*.your-tailnet.ts.net' - domain: '*.your-tailnet.ts.net'
path_regex: '^/auth.*' # Match /auth and anything after it
policy: bypass
# Allow access to the root path (will be redirected by Traefik later)
- domain: '*.your-tailnet.ts.net'
path: '/'
policy: bypass
# Allow access to API endpoints (as requested, review security implications)
- domain: '*.your-tailnet.ts.net'
path_regex: '^/api.*' # Match /api and anything after it
policy: bypass
# 2. One-Factor Authentication Rules (Requires login)
# Add rules for each service you want to protect.
# The domain should match your Tailscale domain.
# The path should match the Traefik PathPrefix for the service.
- domain: '*.your-tailnet.ts.net'
path_regex: '^/sonarr.*'
policy: one_factor policy: one_factor
# Also match the main domain without subdomain - domain: '*.your-tailnet.ts.net'
- domain: 'your-tailnet.ts.net' path_regex: '^/radarr.*'
policy: one_factor policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/lidarr.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/bazarr.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/qbittorrent.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/sabnzbd.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/calibre.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/home.*' # Protect the homepage
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/jellyseerr.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/prowlarr.*'
policy: one_factor
- domain: '*.your-tailnet.ts.net'
path_regex: '^/flaresolverr.*'
policy: one_factor
# Add other services here following the pattern:
# - domain: '*.your-tailnet.ts.net'
# path_regex: '^/<service_path>.*'
# policy: one_factor
# 3. Default rule for the domain (optional, if you want a catch-all)
# This rule will apply if no path-specific rule above matches.
# You might want to deny or require one_factor for unmatched paths.
# Example: Deny any other path on the domain
# - domain: '*.your-tailnet.ts.net'
# policy: deny
# Example: Require login for any other path
# - domain: '*.your-tailnet.ts.net'
# policy: one_factor
# Notifier configuration # Notifier configuration
notifier: notifier: