Authelia bypass 2FA for internal networks

Hello,

I need a little help with Authelia: how to use 2FA only for connections arriving from the internet, and bypass authentication when connecting from the internal network.

I am using the official container image authelia/authelia and letsencrypt/nginx from LSIO.

If I understood correctly here https://github.com/authelia/authelia/blob/master/config.template.yml, this setting, under access_control, should use one_factor auth for network 192.168.1.0/24:

    - domain: secure.example.com
      policy: one_factor
      # Network based rule, if not provided any network matches.
      networks:
      - 192.168.1.0/24

What I want to do is the opposite: allow access to the web site without authentication, going directly to the web site when accessing it from the internal network, and use 2FA when accessing the same web site from the internet.

For now, the configuration I have is working from the internal network as well as from the internet, authenticating using 2FA for all web sites without any problem. I just want to bypass 2FA from the internal network. This is what I tried, but it’s not working:

access_control:
  default_policy: deny
  rules:
    - domain: "*.example.com"
      policy: two_factor
      networks:
      - 0.0.0.0/5
      - 8.0.0.0/7
      - 11.0.0.0/8
      - 12.0.0.0/6
      - 16.0.0.0/4
      - 32.0.0.0/3
      - 64.0.0.0/2
      - 128.0.0.0/3
      - 160.0.0.0/5
      - 168.0.0.0/6
      - 172.0.0.0/12
      - 172.32.0.0/11
      - 172.64.0.0/10
      - 172.128.0.0/9
      - 173.0.0.0/8
      - 174.0.0.0/7
      - 176.0.0.0/4
      - 192.0.0.0/9
      - 192.128.0.0/11
      - 192.160.0.0/13
      - 192.169.0.0/16
      - 192.170.0.0/15
      - 192.172.0.0/14
      - 192.176.0.0/12
      - 192.192.0.0/10
      - 193.0.0.0/8
      - 194.0.0.0/7
      - 196.0.0.0/6
      - 200.0.0.0/5
      - 208.0.0.0/4

I just get authenticated from the internal network and from the internet, as if the setting is not there.
And yes, I did restart the Authelia container.

If someone already tried something or has some idea…

Thanks
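Added example, not part of the original post: a Python check of which client addresses the posted `networks` list actually covers. It assumes the list is meant to be "everything except the RFC 1918 private ranges"; the sample client addresses are constructed.

```python
import ipaddress

# CIDR list copied from the two_factor rule in the post above.
POSTED = """
0.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/2
128.0.0.0/3 160.0.0.0/5 168.0.0.0/6 172.0.0.0/12 172.32.0.0/11 172.64.0.0/10
172.128.0.0/9 173.0.0.0/8 174.0.0.0/7 176.0.0.0/4 192.0.0.0/9 192.128.0.0/11
192.160.0.0/13 192.169.0.0/16 192.170.0.0/15 192.172.0.0/14 192.176.0.0/12
192.192.0.0/10 193.0.0.0/8 194.0.0.0/7 196.0.0.0/6 200.0.0.0/5 208.0.0.0/4
""".split()
POSTED_NETS = [ipaddress.ip_network(n) for n in POSTED]

# Assumption: the list is meant to exclude exactly the RFC 1918 ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 0.0.0.0 - 223.255.255.255; multicast and reserved space (224+) is left out.
UNICAST = [ipaddress.ip_network(n)
           for n in ("0.0.0.0/1", "128.0.0.0/2", "192.0.0.0/3")]

def complement_of_private():
    """Return UNICAST minus PRIVATE as a sorted, minimal CIDR list."""
    remaining = list(UNICAST)
    for priv in PRIVATE:
        kept = []
        for net in remaining:
            if priv.subnet_of(net):
                kept.extend(net.address_exclude(priv))  # split around priv
            else:
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def list_is_exact_complement():
    """True if the posted list covers exactly the non-RFC 1918 space."""
    return sorted(ipaddress.collapse_addresses(POSTED_NETS)) == complement_of_private()

def covered(ip):
    """True if a client address falls inside any posted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POSTED_NETS)

if __name__ == "__main__":
    print("exact complement of RFC 1918:", list_is_exact_complement())
    # Constructed sample client addresses.
    for ip in ("192.168.1.50", "172.17.0.2", "10.8.0.3", "8.8.8.8",
               "127.0.0.1", "169.254.10.1", "100.64.0.1"):
        print(f"{ip:15} in posted list: {covered(ip)}")
```

The list leaves out only the three RFC 1918 blocks, so loopback, link-local and 100.64.0.0/10 addresses are still covered by it, while every private address, not just 192.168.1.0/24, falls outside it.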

Could you not limit or control access within the nginx.conf file rather than the authelia config file?

Hello,

Thanks for your reply. I didn’t have time to try anything until today.
I “solved” my problem. The source of the problem was not reading the Authelia documentation properly. This is how I solved it:

access_control:
  default_policy: deny
  rules:
    - domain: "*.example.com"
      policy: two_factor
    - domain: "*.example.com"
      policy: bypass
      networks:
      - 192.168.1.0/24

The problem was that I needed to add “bypass” for the same domain in the rules.
Now, when accessing web sites from the LAN there is no authentication with Authelia, and access to web sites from the Internet is authenticated by Authelia using 2FA.