Hi forum
I really need your help on this issue
Its driving me CRAZYYY
My goal is - that i want to bypass authentik when i use 192.168.1.0/24 so locally
And when its not in that range (external) it should redirect me to authentik login page, so i can
authenticate then return to home assistant
I have read and tried a lot of thing now, so here i am , asking for help..
So i have a docker-compose file where i have installed traefik, authentik and home assistant:
version: '3.8'
services:
# ------------------------------------------------------------------------------------------------------------------ traefik .192
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
networks:
DockerNet:
ipv4_address: 192.168.1.192
ports:
- 80:80
- 8080:8080
- 443:443
- 8090:8090
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/traefik.yml:/traefik.yml:ro
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/acme.json:/acme.json
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/config.yml:/config.yml:ro
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/logs/:/logs
# - /etc/cockpit/:/cockpit
labels:
traefik.enable: true
traefik.http.routers.traefik-secure.entrypoints: websecure # Access from https://
traefik.http.routers.traefik-secure.rule: Host(`traefik.REDUCTED.XX`) # Site name
traefik.http.routers.traefik-secure.tls: true # TLS true
traefik.http.routers.traefik-secure.tls.certresolver: http
traefik.http.routers.traefik-secure.service: api@internal
traefik.http.routers.traefik-secure.middlewares: auth@file # Authentik enabler
traefik.docker.network: DockerNet # Network name
traefik.http.services.traefik.loadbalancer.server.port: 8080 # Network port
com.centurylinklabs.watchtower.enable: true # Watchtower vil opdatere denne container True/False
homeassistant:
image: homeassistant/home-assistant
container_name: homeassistant
restart: unless-stopped
networks:
DockerNet:
ipv4_address: 192.168.1.203
cap_add:
- NET_ADMIN
ports:
- 8124:8123
volumes:
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/homea/:/config
- /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/nodered/custom/:/custom
environment:
- TZ=Europe/Copenhagen
- PUID=0
- PGID=100
labels:
traefik.enable: true
# WAN part - authentik conf.
traefik.http.routers.homeassistant.entrypoints: websecure # Access from https://
traefik.http.routers.homeassistant.rule: Host(`homeassistant.REDUCTED.XX`) # Site name
traefik.http.routers.homeassistant.tls: true # TLS true
traefik.http.routers.homeassistant.tls.certresolver: http
traefik.http.services.homeassistant.loadbalancer.server.port: 8123 # Network port
# ETC
traefik.docker.network: DockerNet # Network name
com.centurylinklabs.watchtower.enable: true # Watchtower vil opdatere denne container True/False
Then there is my config.yml file for traefik:
http:
######################################### routers
routers:
homeassistant:
entryPoints:
- "websecure"
# rule: "Host(`homeassistant.REDUCTED.XX`)"
rule: "Host(`homeassistant.REDUCTED.XX`) && ( (PathPrefix(`/auth/`)) && !(PathPrefix(`/auth/token`)) )"
middlewares:
- internal-whitelist
- auth
priority: 105
tls:
certResolver: http
service: homeassistant
######################################### services
services:
homeassistant:
loadBalancer:
servers:
- url: "http://192.168.1.203:8123"
passHostHeader: true
######################################### middlewares
middlewares:
auth:
forwardauth:
address: http://192.168.1.198:9000/outpost.goauthentik.io/auth/traefik
#http://authentikserver:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
- X-Transmission-Session-Id
# - authorization # for http user and password authentik (Send http-basic authentintic)
internal-whitelist:
ipWhiteList:
sourceRange:
- "192.168.1.0/24" # Your internal network range
and at least here is my labels from authentik docker-compose:
labels:
traefik.enable: true
traefik.http.routers.authentikserver-secure.entrypoints: websecure # Access from https://
traefik.http.routers.authentikserver-secure.rule: Host(`authentikserver.REDUCTED.XX`) # Site name
traefik.http.routers.authentikserver-secure.tls: true # TLS true
traefik.http.routers.authentikserver-secure.tls.certresolver: http
traefik.docker.network: DockerNet # Network name
traefik.http.services.authentikserver.loadbalancer.server.port: 9000 # Network port
com.centurylinklabs.watchtower.enable: true # Watchtower vil opdatere denne container True/False
traefik.http.routers.authentikserver.rule: Host(`authentikserver.REDUCTED.XX`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.REDUCTED.XX`) && PathPrefix(`/outpost.goauthentik.io/`)
any ideas is preciated and thanks in advance