fix(authelia): Update access control rules and remove non-existing trusted proxies configuration

authelia/configuration.example.yml

@@ -4,8 +4,6 @@
 # Server settings
 server:
   address: 'tcp://0.0.0.0:9091'
-  trusted_proxies:
-    - '172.16.0.0/12'  # Docker networks
 
 # Logging configuration
 log:
@@ -56,14 +54,76 @@ authentication_backend:
 
 # Access control rules
 access_control:
-  default_policy: deny
+  default_policy: deny # Deny access by default
   rules:
-    # This will match any subdomain of your specific Tailscale domain
+    # Rules are processed in order. First match wins.
+    # It's recommended to put more specific rules first.
+
+    # 1. Bypass rules (No authentication required)
+    # Allow access to Authelia's own endpoints
     - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/auth.*' # Match /auth and anything after it
+      policy: bypass
+    # Allow access to the root path (will be redirected by Traefik later)
+    - domain: '*.your-tailnet.ts.net'
+      path: '/'
+      policy: bypass
+    # Allow access to API endpoints (as requested, review security implications)
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/api.*' # Match /api and anything after it
+      policy: bypass
+
+    # 2. One-Factor Authentication Rules (Requires login)
+    # Add rules for each service you want to protect.
+    # The domain should match your Tailscale domain.
+    # The path should match the Traefik PathPrefix for the service.
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sonarr.*'
       policy: one_factor
-    # Also match the main domain without subdomain
-    - domain: 'your-tailnet.ts.net'
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/radarr.*'
       policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/lidarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/bazarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/qbittorrent.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sabnzbd.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/calibre.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/home.*' # Protect the homepage
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/jellyseerr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/prowlarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/flaresolverr.*'
+      policy: one_factor
+    # Add other services here following the pattern:
+    # - domain: '*.your-tailnet.ts.net'
+    #   path_regex: '^/<service_path>.*'
+    #   policy: one_factor
+
+    # 3. Default rule for the domain (optional, if you want a catch-all)
+    # This rule will apply if no path-specific rule above matches.
+    # You might want to deny or require one_factor for unmatched paths.
+    # Example: Deny any other path on the domain
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: deny
+    # Example: Require login for any other path
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: one_factor
 
 # Notifier configuration
 notifier: