almarklein / timetagger

Tag your time, get the insight
https://timetagger.app
GNU General Public License v3.0

Disable Authentication? #482

Closed threehappypenguins closed 6 months ago

threehappypenguins commented 6 months ago

If I comment out the line in docker-compose.yml - TIMETAGGER_CREDENTIALS=test:$$2a$$08$$0CD1NFiIbancwWsu3se1v.RNR/b7YeZd71yg3cZ/3whGlyU6Iny5i # test:test

I can successfully spin up the docker container, navigate to the app page, and I don't need to log in. However, if I set up Nginx Proxy Manager so that I access TimeTagger via https, the app page suddenly wants me to sign in... and I can't (obviously) because I haven't set a username and password.

It's a remote server, so I want to use Authelia with 2FA enabled for authentication.

How do I fully disable authentication?

almarklein commented 6 months ago

You have, in the sense that the server has no valid credentials. The front-end still presents you with a form though.

If you specify the proxy_xx variables in the config (proxy), then the login page should automatically log you in directly.

threehappypenguins commented 6 months ago

> You have, in the sense that the server has no valid credentials. The front-end still presents you with a form though.
>
> If you specify the proxy_xx variables in the config (proxy), then the login page should automatically log you in directly.

I still can't get this figured out. Here is what I tried in docker-compose.yml:

version: "3"
services:
  timetagger:
    image: ghcr.io/almarklein/timetagger
    ports:
      - "80:80"
    volumes:
      - ./_timetagger:/root/_timetagger
    environment:
      - TIMETAGGER_BIND=0.0.0.0:80
      - TIMETAGGER_DATADIR=/root/_timetagger
      - TIMETAGGER_LOG_LEVEL=info
      - TIMETAGGER_CREDENTIALS=test:$$2a$$08$$0CD1NFiIbancwWsu3se1v.RNR/b7YeZd71yg3cZ/3whGlyU6Iny5i
      - PROXY_AUTH_ENABLED=True
      - PROXY_AUTH_TRUSTED="0.0.0.0/0"
      - PROXY_AUTH_HEADER="test"

I am still required to log in with TimeTagger.

almarklein commented 6 months ago

I don't think that PROXY_AUTH_TRUSTED will work. I'm not an expert on the proxy auth; it was user-contributed and I've never used it, but I think that IP must be a real address.

threehappypenguins commented 6 months ago

I tried changing 0.0.0.0/0 to 123.456.789/32 (my fake public ip address where I'm trying to access from, since this is a remote server), and it didn't make any difference. Is that what you meant by "a real IP address"?

almarklein commented 6 months ago

@mtn-mathi or @Rynoxx may shed some light? Perhaps we can also document this better.

Rynoxx commented 6 months ago

I wouldn't expect 0.0.0.0/0 to work as PROXY_AUTH_TRUSTED. PROXY_AUTH_TRUSTED should be set to the IP (or subnet) of the reverse-proxy that is sending the requests to your timetagger instance. I.e. if Nginx is making the connection to the timetagger server and has a static IP 192.168.1.2, that should be what you put in the PROXY_AUTH_TRUSTED setting. If it doesn't have a static IP, which could be the case in some container solution or if you're running your server on DHCP, you should set PROXY_AUTH_TRUSTED to the IP range it can have, e.g. 192.168.1.0/24.
You can also specify multiple IPs or IP ranges by separating them by comma or semi-colon.

I have a bit of a hard time wrapping my head around what your landscape looks like, @threehappypenguins.

Is Authelia or Nginx the one making the connection to the timetagger server?
Are they on the same LAN as the timetagger container?
Are they in the same docker network?

Rynoxx commented 6 months ago

Also PROXY_AUTH_HEADER will have to be set to whatever HTTP Header Authelia (or Nginx) is using for the username of the authenticated user.
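
The trusted-proxy check described in the comments above, sketched as an added example (not TimeTagger's own code and not posted by anyone in this thread). It shows why the trusted value must match the address of the proxy that connects to the app, not the browser's public IP, and why a catch-all range removes the protection. The function names, the `Remote-User` header name and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def parse_trusted(spec):
    """Parse a comma- or semicolon-separated list of IPs or subnets."""
    items = [s.strip() for s in spec.replace(";", ",").split(",")]
    return [ipaddress.ip_network(s, strict=False) for s in items if s]


def audit_trusted(spec):
    """Return warnings for entries that defeat the source-address check."""
    warnings = []
    for net in parse_trusted(spec):
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            warnings.append(
                f"{net} trusts every client; anyone who can reach the app "
                "could supply the username header themselves"
            )
    return warnings


def proxy_user(peer_ip, headers, trusted_spec, header_name):
    """Return the username asserted by a trusted proxy, else None.

    peer_ip is the source address of the connection that reaches the app,
    i.e. the reverse proxy, not the browser sitting behind it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in parse_trusted(trusted_spec)):
        return None  # header from an untrusted source is ignored
    wanted = header_name.lower()  # HTTP header names are case-insensitive
    for name, value in headers.items():
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None


# Constructed sample values (hypothetical proxy address and docker subnet).
TRUSTED = "192.168.1.2; 172.18.0.0/16"
HEADER = "Remote-User"

if __name__ == "__main__":
    request_headers = {"remote-user": "alice"}
    print(proxy_user("192.168.1.2", request_headers, TRUSTED, HEADER))  # proxy
    print(proxy_user("203.0.113.7", request_headers, TRUSTED, HEADER))  # other
    print(audit_trusted("0.0.0.0/0"))
```
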