Bypass authentik for local IP?

Hi,

I have a traefik + authentik instance.

On another server, I have a home-assistant server, which needs to connect to one of the docker images behind authentik. It’s a specific service (EVCC) and a specific home-assistant integration that doesn’t support auth.

Here is the relevant configuration:

http:
  routers:
    evcc:
      rule: Host(`evcc.xxx.yyy`)
      entrypoints: websecure
      service: evcc
      middlewares:
      - force-secure
      - middlewares-authentik
  services:
    evcc:
      loadbalancer:
        servers:
          - url: http://192.168.0.30:7070
  middlewares:
    force-secure:
      redirectscheme:
        scheme: https
        permanent: true
    middlewares-authentik:
      forwardAuth:
        address: "http://192.168.0.30:7080/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

My wish is that every connection that comes from my local network (and not from my router, which is on 192.168.0.1) should bypass the authentik middleware.

The thing is that I still need to access it through evcc.xxx.yyy, so I’m not sure it’s really possible?

Create another router with rule Host() && ClientIP() without auth middleware.

Hi @bluepuma77,

I tried the following:

    evcc:
      rule: Host(`evcc.redacted.xyz`)
      entrypoints: websecure
      service: evcc
      middlewares:
      - force-secure
      - middlewares-authentik
    evcc-local:
      rule: Host(`evcc.redacted.xyz`) && ClientIP(`192.168.0.0/24`)
      entrypoints: websecure
      service: evcc
      middlewares:
      - force-secure

Is that what you meant?

Because now if I’m on my local network, I still get the authentik login.

The thing is that I’m still reaching evcc through evcc.redacted.xyz, so basically from a network perspective I guess I still go out to my ISP, then back to my router, then to my docker host, so I’m not sure it would know that I’m originally from the same network?

I see two options:

  • Override the domain’s IP with a hosts file, your local router, or Pi-hole.
  • Use a separate domain pointing to your local IP.
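Both of bluepuma77's suggestions (the `Host() && ClientIP()` router from the earlier reply, and the separate local domain from this one) in a single Traefik dynamic configuration. This is an added example, written by the editor; it is not bluepuma77's configuration, not the original poster's, and not taken from the Traefik or authentik documentation. It reuses the names from the thread (host `evcc.redacted.xyz`, entrypoint `websecure`, service `evcc`, middlewares `force-secure` and `middlewares-authentik`, LAN 192.168.0.0/24 with the router at 192.168.0.1); the LAN-only hostname `evcc.lan` and the priority values are assumptions. `ClientIP()` is evaluated on the source address of the connection as Traefik sees it, which is why a connection that went out through the ISP and back in via NAT loopback does not match the LAN range: it usually arrives with the router's own LAN address as its source.

```yaml
# Added example (editor's illustration, not bluepuma77's, the poster's, or
# Traefik's own config). Names taken from the thread; `evcc.lan` and the
# priority values are assumptions.
http:
  routers:
    # Default path: anything reaching this host is sent through authentik.
    evcc:
      rule: Host(`evcc.redacted.xyz`)
      entryPoints:
        - websecure
      service: evcc
      priority: 10
      middlewares:
        - force-secure
        - middlewares-authentik

    # Option A (Host() && ClientIP()): same public host, no authentik when the
    # connection's source address is on the LAN. The CIDR list is
    # 192.168.0.0/24 with 192.168.0.1 carved out (1+2+4+8+16+32+64+128 = 255
    # addresses): a NAT-loopback ("hairpin") connection typically carries the
    # router's LAN address as source, and the poster wants those to keep going
    # through authentik. Explicit priority so this router wins regardless of
    # rule length.
    evcc-local:
      rule: >-
        Host(`evcc.redacted.xyz`) &&
        (ClientIP(`192.168.0.0/32`) || ClientIP(`192.168.0.2/31`) ||
        ClientIP(`192.168.0.4/30`) || ClientIP(`192.168.0.8/29`) ||
        ClientIP(`192.168.0.16/28`) || ClientIP(`192.168.0.32/27`) ||
        ClientIP(`192.168.0.64/26`) || ClientIP(`192.168.0.128/25`))
      entryPoints:
        - websecure
      service: evcc
      priority: 20
      middlewares:
        - force-secure

    # Option B (separate domain): a name that LAN DNS resolves straight to the
    # docker host. Keep the ClientIP guard: a router keyed only on Host() is
    # still reachable from the internet by anyone who sends that Host header
    # to the public IP, so an "internal" hostname alone is not an access control.
    evcc-lan:
      rule: Host(`evcc.lan`) && ClientIP(`192.168.0.0/24`)
      entryPoints:
        - websecure
      service: evcc
      priority: 20
      middlewares:
        - force-secure

  services:
    evcc:
      loadBalancer:
        servers:
          - url: http://192.168.0.30:7070
```

Two caveats for whichever option is used. First, the bypass only works once the LAN client actually connects to 192.168.0.30 directly, i.e. after the DNS override from the list above is in place; until then the public name still hairpins through the router and the `evcc` router with authentik keeps matching, which is the behaviour reported in the thread. Second, do not enable `forwardedHeaders.insecure` on the public entrypoint or otherwise trust `X-Forwarded-For` from the internet: any IP-based decision in front of an unauthenticated router is only as strong as the address it is evaluated on, and a client-supplied header can be set to anything.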

So the behavior I’m getting seems logical to you?

Ok, the issue with the first option is that my ISP doesn’t allow overriding the DNS server in my router, so that’s something I would have to do on every device, and that’s painful, especially on phones.

The issue with the second option is that I have several PWAs configured, and then I would need to duplicate each app on my phones and my GF’s phone and use different apps depending on whether I’m connected locally or not.

I’ve tried to set a local DNS rule on my router, but it doesn’t seem to work, even if I cached my DNS; I’m not sure the router uses it the right way.