Traefik whitelist local network

Hi forum

I really need your help on this issue.
It's driving me CRAZYYY

My goal is that I want to bypass authentik when I use 192.168.1.0/24, so locally.
And when it's not in that range (external) it should redirect me to the authentik login page, so I can
authenticate and then return to Home Assistant.

I have read and tried a lot of things now, so here I am, asking for help..

So I have a docker-compose file where I have installed traefik, authentik and Home Assistant:

version: '3.8'
services:
# ------------------------------------------------------------------------------------------------------------------ traefik .192
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
     DockerNet:
       ipv4_address: 192.168.1.192
    ports:
      - 80:80
      - 8080:8080
      - 443:443
      - 8090:8090
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/traefik.yml:/traefik.yml:ro
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/acme.json:/acme.json
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/config.yml:/config.yml:ro
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/traefik/logs/:/logs
 #     - /etc/cockpit/:/cockpit
    labels:
      traefik.enable: true
      traefik.http.routers.traefik-secure.entrypoints: websecure # Access from https://
      traefik.http.routers.traefik-secure.rule: Host(`traefik.REDUCTED.XX`) # Site name
      traefik.http.routers.traefik-secure.tls: true # TLS true
      traefik.http.routers.traefik-secure.tls.certresolver: http 
      traefik.http.routers.traefik-secure.service: api@internal
      traefik.http.routers.traefik-secure.middlewares: auth@file # Authentik enabler
      traefik.docker.network: DockerNet # Network name
      traefik.http.services.traefik.loadbalancer.server.port: 8080 # Network port
      com.centurylinklabs.watchtower.enable: true  # Watchtower will update this container True/False

  homeassistant:
    image: homeassistant/home-assistant
    container_name: homeassistant
    restart: unless-stopped
    networks:
        DockerNet:
            ipv4_address: 192.168.1.203
    cap_add:
        - NET_ADMIN
    ports:
      - 8124:8123
    volumes:
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/homea/:/config
      - /srv/dev-disk-by-uuid-2d63569d-15a7-41a3-8009-e9b487095e11/dockercompose/config/nodered/custom/:/custom
    environment:
      - TZ=Europe/Copenhagen
      - PUID=0
      - PGID=100
    labels:
      traefik.enable: true
      # WAN part - authentik conf.
      traefik.http.routers.homeassistant.entrypoints: websecure # Access from https://
      traefik.http.routers.homeassistant.rule: Host(`homeassistant.REDUCTED.XX`) # Site name
      traefik.http.routers.homeassistant.tls: true # TLS true
      traefik.http.routers.homeassistant.tls.certresolver: http
      traefik.http.services.homeassistant.loadbalancer.server.port: 8123 # Network port
      # ETC
      traefik.docker.network: DockerNet # Network name
      com.centurylinklabs.watchtower.enable: true  # Watchtower will update this container True/False

Then there is my config.yml file for traefik:

http:
######################################### routers
  routers:
    homeassistant:
      entryPoints:
        - "websecure"
#      rule: "Host(`homeassistant.REDUCTED.XX`)"
      rule: "Host(`homeassistant.REDUCTED.XX`) && ( (PathPrefix(`/auth/`)) && !(PathPrefix(`/auth/token`)) )"
      middlewares:
        - internal-whitelist
        - auth
      priority: 105
      tls:
        certResolver: http
      service: homeassistant
######################################### services
  services:
    homeassistant:
      loadBalancer:
        servers:
         - url: "http://192.168.1.203:8123"
        passHostHeader: true
######################################### middlewares
  middlewares:
    auth:
      forwardAuth:
        address: http://192.168.1.198:9000/outpost.goauthentik.io/auth/traefik
        #http://authentikserver:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - X-Transmission-Session-Id
#          - authorization # for http user and password in authentik (sends HTTP basic authentication)
    internal-whitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"  # Your internal network range

and lastly here are my labels from the authentik docker-compose:

    labels:
      traefik.enable: true
      traefik.http.routers.authentikserver-secure.entrypoints: websecure # Access from https://
      traefik.http.routers.authentikserver-secure.rule: Host(`authentikserver.REDUCTED.XX`) # Site name
      traefik.http.routers.authentikserver-secure.tls: true # TLS true
      traefik.http.routers.authentikserver-secure.tls.certresolver: http
      traefik.docker.network: DockerNet # Network name
      traefik.http.services.authentikserver.loadbalancer.server.port: 9000 # Network port
      com.centurylinklabs.watchtower.enable: true  # Watchtower will update this container True/False
      traefik.http.routers.authentikserver.rule: Host(`authentikserver.REDUCTED.XX`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.REDUCTED.XX`) && PathPrefix(`/outpost.goauthentik.io/`)

Any ideas are appreciated and thanks in advance :slight_smile:

Just discussed something similar this week, see other post, check example.

Well not exactly the same..
What I can see or read is that this user wants to bypass the authentication totally:
Desired Outcome:
I want to allow public access to images located under /images/ while keeping the rest of the site behind basic authentication

That I can already do in authentik.
So what I want is:
I want homeassistant.REDUCTED.com to be accessible (bypassing the authentik server) when I'm in my local network.

But when I'm outside (WAN) then I want to authenticate..

Still the same: you need two routers, one with auth middlewares and one without.

rule=Host()
# use auth middlewares 

rule=Host() && ClientIP()
# longer rule, therefore higher priority, matched first
# no middlewares

Soooo
I have done some testing; my current labels are:

    labels:
      traefik.enable: true
      traefik.http.routers.homeassistant.entrypoints: websecure # Access from https://
      traefik.http.routers.homeassistant.rule: Host(`homeassistant.REDUCTED.com`) # Site name
      traefik.http.routers.homeassistant.middlewares: ipwhitelist@file
      traefik.http.routers.homeassistant.tls: true # TLS true
      traefik.http.routers.homeassistant.tls.certresolver: http
      traefik.http.routers.homeassistant.priority: 100
      traefik.http.services.homeassistant.loadbalancer.server.port: 8123 # Network port
      traefik.http.routers.homeassistant-secure.entrypoints: websecure # Access from https://
      traefik.http.routers.homeassistant-secure.rule: Host(`homeassistant.REDUCTED.com`) # Site name
      traefik.http.routers.homeassistant-secure.tls: true # TLS true
      traefik.http.routers.homeassistant-secure.tls.certresolver: http
      traefik.http.routers.homeassistant-secure.middlewares: auth@file

and what I can see in traefik.log is that the middleware ipwhitelist is being called but never my auth@file middleware

So that means it is working locally but external is giving an error Forbidden / rejected in the log file.

You need to use different rules, as in my example. If you use the same rule content, only one will always be called.
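The two-router layout the reply describes, written out as Docker labels for the Home Assistant service from the first post. This is an added example, not configuration from the thread or from the Traefik project; the router names `homeassistant-local` and `homeassistant-auth` are my choice, and it assumes Traefik v2 and that Traefik sees the real client address on the connection, as it does here with the containers on the 192.168.1.0/24 network.

```yaml
    labels:
      traefik.enable: true
      # Router 1: LAN only. Host() && ClientIP() is the longer rule, so it gets
      # the higher default priority and is evaluated first. No auth middleware.
      # ClientIP() checks the connection's remote address, not X-Forwarded-For,
      # so this bypass is only as trustworthy as the source address Traefik
      # sees: with hairpin NAT or a tunnel in front of Traefik, WAN clients
      # could arrive with a LAN source address and land on this router.
      traefik.http.routers.homeassistant-local.entrypoints: websecure
      traefik.http.routers.homeassistant-local.rule: Host(`homeassistant.REDUCTED.com`) && ClientIP(`192.168.1.0/24`)
      traefik.http.routers.homeassistant-local.tls: true
      traefik.http.routers.homeassistant-local.tls.certresolver: http
      traefik.http.routers.homeassistant-local.service: homeassistant

      # Router 2: everything else for this host. Shorter rule, lower priority,
      # so it only catches requests the LAN router did not match. This one runs
      # the forwardAuth middleware from config.yml, which sends the client to
      # the authentik login page and back.
      traefik.http.routers.homeassistant-auth.entrypoints: websecure
      traefik.http.routers.homeassistant-auth.rule: Host(`homeassistant.REDUCTED.com`)
      traefik.http.routers.homeassistant-auth.tls: true
      traefik.http.routers.homeassistant-auth.tls.certresolver: http
      traefik.http.routers.homeassistant-auth.middlewares: auth@file
      traefik.http.routers.homeassistant-auth.service: homeassistant

      # One service shared by both routers. No explicit priority labels: the
      # rule length already orders them, and a manual priority on only one
      # router would silently change that ordering.
      traefik.http.services.homeassistant.loadbalancer.server.port: 8123
```

Confirm the split with Traefik's access log (the `ClientAddr` and `RouterName` fields in JSON format): a LAN client should be routed by `homeassistant-local` and a WAN client by `homeassistant-auth`. If a test from outside shows a 192.168.1.x `ClientAddr`, something in front of Traefik is rewriting the source address and the LAN bypass is not safe to keep.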