fix(authelia): Update access control rules and remove non-existing trusted proxies configuration

2025-04-26 15:19:33 +08:00 · 2025-04-26 15:19:33 +08:00 · 026d24a3ae
commit 026d24a3ae
parent 2ae84f4481
3 changed files with 77 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 *.env
+*.bak
 .idea
 docker-compose.override.yml
 /authelia/*.yml
--- a/README.md
+++ b/README.md
@ -388,18 +388,15 @@ The `update-setup.sh` script provides various commands to manage your configurat
 *   `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
 *   `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.

-**Authentication Management:**
+**Authelia Policy Management:**

-*   `./update-setup.sh list-auth`: Lists all detected services in `docker-compose.yml` and shows whether Authelia authentication is enabled or disabled for them.
-*   `./update-setup.sh enable-auth <service>`: Enables Authelia authentication for the specified `<service>` by adding the `authelia-auth@docker` middleware label in `docker-compose.yml`.
-*   `./update-setup.sh disable-auth <service>`: Disables Authelia authentication for the specified `<service>` by removing the `authelia-auth@docker` middleware label.
-*   `./update-setup.sh enable-all-auth`: Attempts to enable authentication for all applicable services.
-*   `./update-setup.sh disable-all-auth`: Attempts to disable authentication for all applicable services.
+*   `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
+*   `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
+*   `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).

-> **Important:** After using `enable-auth`, `disable-auth`, `enable-all-auth`, or `disable-all-auth`, you **must** restart your stack for the changes to take effect:
+> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
 > ```bash
-> docker compose down
-> docker compose up -d
+> docker compose restart authelia
 > ```

 **User & File Management:**
@ -411,9 +408,11 @@ The `update-setup.sh` script provides various commands to manage your configurat

 *   `./update-setup.sh help`: Displays the full list of commands and usage instructions.

-### Managing Service Authentication
+### Managing Service Authentication (Authelia Policies)

-Use the `update-setup.sh` script to easily control which services require Authelia login. See the `Authentication Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details.
+Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
+
+See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.

 ## Optional Services

--- a/authelia/configuration.example.yml
+++ b/authelia/configuration.example.yml
@ -4,8 +4,6 @@
 # Server settings
 server:
  address: 'tcp://0.0.0.0:9091'
-  trusted_proxies:
-    - '172.16.0.0/12'  # Docker networks

 # Logging configuration
 log:
@ -56,14 +54,76 @@ authentication_backend:

 # Access control rules
 access_control:
-  default_policy: deny
+  default_policy: deny # Deny access by default
  rules:
-    # This will match any subdomain of your specific Tailscale domain
+    # Rules are processed in order. First match wins.
+    # It's recommended to put more specific rules first.
+
+    # 1. Bypass rules (No authentication required)
+    # Allow access to Authelia's own endpoints
    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/auth.*' # Match /auth and anything after it
+      policy: bypass
+    # Allow access to the root path (will be redirected by Traefik later)
+    - domain: '*.your-tailnet.ts.net'
+      path: '/'
+      policy: bypass
+    # Allow access to API endpoints (as requested, review security implications)
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/api.*' # Match /api and anything after it
+      policy: bypass
+
+    # 2. One-Factor Authentication Rules (Requires login)
+    # Add rules for each service you want to protect.
+    # The domain should match your Tailscale domain.
+    # The path should match the Traefik PathPrefix for the service.
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sonarr.*'
      policy: one_factor
-    # Also match the main domain without subdomain
-    - domain: 'your-tailnet.ts.net'
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/radarr.*'
      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/lidarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/bazarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/qbittorrent.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sabnzbd.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/calibre.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/home.*' # Protect the homepage
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/jellyseerr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/prowlarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/flaresolverr.*'
+      policy: one_factor
+    # Add other services here following the pattern:
+    # - domain: '*.your-tailnet.ts.net'
+    #   path_regex: '^/<service_path>.*'
+    #   policy: one_factor
+
+    # 3. Default rule for the domain (optional, if you want a catch-all)
+    # This rule will apply if no path-specific rule above matches.
+    # You might want to deny or require one_factor for unmatched paths.
+    # Example: Deny any other path on the domain
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: deny
+    # Example: Require login for any other path
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: one_factor

 # Notifier configuration
 notifier: