Authelia bypass 2FA for internal networks

General
#1

Hello,

I need a little help for Authelia, how to use 2FA only for connections arriving from internet, to bypass authentication if connecting from internal network.

I am using official container image authelia/authelia and letsencrypt/nginx from LSIO.

If I understood correctly here https://github.com/authelia/authelia/blob/master/config.template.yml, this setting, under access_control should use one_factor auth for network 192.168.1.0/24:

- domain: secure.example.com
policy: one_factor
# Network based rule, if not provided any network matches.
networks:
- 192.168.1.0/24

What i want to do is opposite, allow access to web site without authentication, go directly to web site if accessing it from internal network, and use 2FA if accessing same web site from internet.

For now configuration I have is working from internal network as well as from internet, authenticating using 2FA all web sites without any problem. I just want to bypass 2FA from internal network. This is what I tried but it’s not working:

access_control:
  default_policy: deny
  rules:
    - domain: "*.example.com"
      policy: two_factor
      networks:
      - 0.0.0.0/5
      - 8.0.0.0/7
      - 11.0.0.0/8
      - 12.0.0.0/6
      - 16.0.0.0/4
      - 32.0.0.0/3
      - 64.0.0.0/2
      - 128.0.0.0/3
      - 160.0.0.0/5
      - 168.0.0.0/6
      - 172.0.0.0/12
      - 172.32.0.0/11
      - 172.64.0.0/10
      - 172.128.0.0/9
      - 173.0.0.0/8
      - 174.0.0.0/7
      - 176.0.0.0/4
      - 192.0.0.0/9
      - 192.128.0.0/11
      - 192.160.0.0/13
      - 192.169.0.0/16
      - 192.170.0.0/15
      - 192.172.0.0/14
      - 192.176.0.0/12
      - 192.192.0.0/10
      - 193.0.0.0/8
      - 194.0.0.0/7
      - 196.0.0.0/6
      - 200.0.0.0/5
      - 208.0.0.0/4

I just get authenticated from internal network and from internet. Like the setting is not there.
And yes, I did restart Authelia container.

If someone already tried something or has some idea…

Thanks

#2

Could you not limit or control access within the nginx.conf file rather than the authelia config file?

#3

Hello,

Thanks for your reply. I didn’t had time to try anything until today.
I “solved” my problem. The source of the problem was not reading Authelia documentation properly. This how I solved this:

access_control:
  default_policy: deny
  rules:
    - domain: "*.example.com"
      policy: two_factor
    - domain: "*.example.com"
      policy: bypass
      networks:
      - 192.168.1.0/24

The problem was that I needed to add “bypass” for same domain in rule.
Now, when accessing web sites from LAN there is no authentication with Authelia, accessing web sites from Internet is done by Authelia using 2FA.

#4

Hi,

I’ve exactly the same need: bypass authelia authentiaction when accessing my unraid docker containers from my local network.

I access my services using plain subdomain addresses (for example: lidarr.mydomain.ovh) from both external or from internal networks.
But authelia authentication is needed even in local network.

note: I do not have any custom DNS server, or /etc/host configuration… so I wonder how authelia can know on which network I’m trying to access services

#5

Hello,

If you need 2FA from internal and external networks you need only this:
access_control:
default_policy: deny
rules:
- domain: “*.example.com”
policy: two_factor

When you access your services, your device has some IP address which can be seen in the request sent to Authelia.
In my example above, I have second rule for same domain, to bypass 2FA if clients are on network 192.168.1.0/24. Without this rule 2FA is never bypassed.

#6

I have the following configuration, but bypass is not working on local network.

default_policy: deny
rules:
  - domain: "*.mydomain.ovh"
    policy: one_factor
  - domain: "*.mydomain.ovh"
    policy: bypass
    networks:
      - 192.168.1.0/24
#7

Your first rule’s policy is one_factor, as far as I know this is just for using username and password, no 2FA at all. So, the second rule for bypass, I don’t know what it will actually do, but I guess it should just let you go directly to your service without asking for username and password.

And maybe stupid question, is your local network 192.168.1.0/24? The clients are getting IPs from DHCP server (from router maybe) that starts with 192.168.1?

#8

yes.
My unraid box is 192.168.1.10, and my clients are 192.168.1.XXX (pi-hole DHCP server)

#9

Looks like it should work properly, my config is almost same, except I am using two_factor policy, not one_factor, and I am not asked for any kind of authentication while on local LAN. Works as expected.

Sorry I couldn’t provide more help, maybe some one will have something smarter to say. If anything else comes to mind, I will let you know.

#10

thanks

#11

I was looking into this as well and wondering why it wasn’t working for me. Turns out the order matters so try changing your configuration to

default_policy: deny
rules:
  - domain: "*.mydomain.ovh"
    policy: bypass
    networks:
      - 192.168.1.0/24
  - domain: "*.mydomain.ovh"
    policy: one_factor
#12

This is interesting. In my case, the order is reversed and it’s working.

#13

Yes, the rules are like firewall rules. The system starts at the top or first entry – as soon as it meets a condition – it executes the policy and stops.

You have two rules. When you had the original order there wasn’t a network switch, so by default it just considered “all networks” and executed the rule. I’m not sure if authelia has a not or ! switch whereby you could say all networks except the selected something like:

  - domain: "*.mydomain.ovh"
    policy: one_factor
    networks:
      - !192.168.1.0/24

Thats however was the issue for sure.