anandslab / docker-traefik

Docker media and home server stack with Docker Compose, Traefik, Swarm Mode, Google OAuth2/Authelia, and LetsEncrypt
https://www.smarthomebeginner.com/
MIT License

Tautulli App Bypass Authelia #52

Closed sudo-kraken closed 4 years ago

sudo-kraken commented 4 years ago

Is there any way to get a bypass for the Tautulli app? I tried the same method as for Sonarr, Radarr and SAB but it doesn't like it.

Also, is there any reason I should swap to MariaDB and try again rather than sticking to the local DB file for Authelia?

Thanks in advance

inquam commented 4 years ago

If that doesn't work, you might not have a rule that catches the request in question. Have you placed it above the first HTTP router of Tautulli so it has a chance to catch and bypass? If you want Authelia to ignore the entire app, you could just remove it as a middleware for that container. You could also add rules in Authelia's config file.

For instance, you could add something like this under access_control in the Authelia config to not have to authenticate while on your local network. Do note that, in order to still use your URLs to access your services, you would have to have a local DNS server guiding you to your server while on your local network for this to work. I, for instance, run pfSense and have entries for all my services to avoid doing the round trip through the Cloudflare proxy etc. when my server is actually next door. Without the networks portion, something like this could be used to bypass a given service from everywhere in Authelia.

    - domain: "heimdall.foo.com"
      policy: bypass
      networks:
        - 192.168.1.0/24

Post what you have and it might be a bit clearer exactly what you are trying to accomplish.

sudo-kraken commented 4 years ago

Thanks for the response. So I have tried adding this into the access control

then added this into my traefik labels

      - "traefik.http.routers.tautulli-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.tautulli-rtr-bypass.rule=Headers(`X-Api-Key`, `$TAUTULLI_API_KEY`) || Query(`apikey`, `$TAUTULLI_API_KEY`)"
      - "traefik.http.routers.tautulli-rtr-bypass.priority=100"

but to no avail, it just crashes the app.

inquam commented 4 years ago

Note that you do not need both. Either you have the container get redirected to Authelia in your Docker config and then handle the bypass in Authelia, or you handle the bypass without involving Authelia by bypassing the middleware for a given request.

Regarding your Authelia config: if you have a subject of admins in your access control rule, then it would need to know you are an admin. The only way for it to know that is for you to have signed in with an admin user. So you would probably not want to have that part there if what you are trying to achieve is to not have to authenticate. Note that any rule to bypass would have to come before any rule that would do anything else, because the first rule to match seems to be used.

Regarding doing this in Docker, you would have to have the bypass catch before the one that redirects you to the Authelia middleware. Something like this perhaps (not tested):

labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth Bypass
      - "traefik.http.routers.tautulli-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.tautulli-rtr-bypass.rule=Query(`apikey`, `$TAUTULLI_API_KEY`)"
      - "traefik.http.routers.tautulli-rtr-bypass.priority=100"
      ## HTTP Routers Auth
      - "traefik.http.routers.tautulli-rtr.entrypoints=https"
      - "traefik.http.routers.tautulli-rtr.rule=Host(`tautulli.$DOMAINNAME`)"
      - "traefik.http.routers.tautulli-rtr.priority=99"
      ## Middlewares
      - "traefik.http.routers.tautulli-rtr-bypass.middlewares=chain-no-auth@file"
      - "traefik.http.routers.tautulli-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.tautulli-rtr.service=tautulli-svc"
      - "traefik.http.routers.tautulli-rtr-bypass.service=tautulli-svc"
      - "traefik.http.services.tautulli-svc.loadbalancer.server.port=8181"

Note that the tautulli-rtr-bypass passes through the chain-no-auth@file middleware. No matter the route, I would probably go the way of including the API key in the rule, since that will make anyone hitting the rule but not supplying the correct key not bypass authentication. So even if you do something like

labels:
      - "traefik.enable=true"
      ## HTTP Routers Auth
      - "traefik.http.routers.tautulli-rtr.entrypoints=https"
      - "traefik.http.routers.tautulli-rtr.rule=Host(`tautulli.$DOMAINNAME`)"
      - "traefik.http.routers.tautulli-rtr.priority=100"
      ## Middlewares
      - "traefik.http.routers.tautulli-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.tautulli-rtr.service=tautulli-svc"
      - "traefik.http.services.tautulli-svc.loadbalancer.server.port=8181"

to have it always go through Authelia, I would include the API key in the Authelia config to bypass the authentication:

    - domain: "tautulli.mydomain.co.uk"
      policy: bypass
      resources:
        # single-quoted: in a YAML double-quoted string "\?" is not a valid escape
        - '^/api/v2\?apikey=ENTER_API_KEY_HERE.*$'

and then have a rule that forces authentication on any other query to Tautulli that does not contain the correct API key.

Not quite sure about which regex style Authelia uses but I'm guessing ? should be escaped :)
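As an added illustration, not code from this thread or from the docker-traefik project: a small Python model of the router selection described above, using the Headers/Query rule from sudo-kraken's labels and the priority-100/priority-99 pair from inquam's, with constructed sample values in place of $DOMAINNAME and $TAUTULLI_API_KEY. The Router class, matches and middleware_for are hypothetical helpers (not Traefik's own); the model shows that only a request carrying the exact key reaches chain-no-auth@file, while a missing or wrong key falls through to the priority-99 router and hence to Authelia.

```python
import re
from dataclasses import dataclass

# Constructed sample values standing in for the compose variables
# $DOMAINNAME and $TAUTULLI_API_KEY (not real values).
DOMAINNAME = "example.com"
TAUTULLI_API_KEY = "devkey-0123"


@dataclass
class Router:  # hypothetical model of a Traefik HTTP router
    name: str
    rule: str
    priority: int
    middlewares: str


# The two routers from the labels in this thread, variables substituted.
ROUTERS = [
    Router("tautulli-rtr-bypass",
           f"Headers(`X-Api-Key`, `{TAUTULLI_API_KEY}`) || "
           f"Query(`apikey`, `{TAUTULLI_API_KEY}`)",
           100, "chain-no-auth@file"),
    Router("tautulli-rtr", f"Host(`tautulli.{DOMAINNAME}`)",
           99, "chain-authelia@file"),
]

MATCHER = re.compile(r"(Host|Headers|Query)\(([^)]*)\)")


def _term(term, host, headers, query):
    """Evaluate one Host/Headers/Query matcher with exact-match semantics
    (header names are compared exactly as written in the rule)."""
    m = MATCHER.fullmatch(term.strip())
    if not m:
        raise ValueError(f"unsupported matcher: {term}")
    kind = m.group(1)
    args = [a.strip().strip("`") for a in m.group(2).split(",")]
    if kind == "Host":
        return host.lower() == args[0].lower()
    if kind == "Headers":
        return headers.get(args[0]) == args[1]
    return query.get(args[0]) == args[1]


def matches(rule, host, headers, query):
    """A rule is '||' alternatives of '&&' conjunctions, as in Traefik."""
    return any(all(_term(t, host, headers, query) for t in alt.split("&&"))
               for alt in rule.split("||"))


def middleware_for(host, headers=None, query=None, routers=ROUTERS):
    """Middleware chain of the highest-priority matching router, or None
    when no router matches (Traefik would answer 404)."""
    headers, query = headers or {}, query or {}
    for r in sorted(routers, key=lambda r: r.priority, reverse=True):
        if matches(r.rule, host, headers, query):
            return r.middlewares
    return None
```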

sudo-kraken commented 4 years ago

Thanks for the feedback. I am trying to get it done in the Authelia conf file but it doesn't like escaping the ? symbol.

sudo-kraken commented 4 years ago

I checked the API token; I think that the issue is the conf file not reading the API key used correctly.

I have checked here and can't seem to get it to work:

https://github.com/Tautulli/Tautulli/blob/master/API.md

I am using the same format you posted above for the v2 endpoint:

  - "^/api/v2?apikey=APIKEYHERE.*$"

anandslab commented 4 years ago

Use this to enable bypassing for Tautulli App (Credit: @CVJoint)

    - "traefik.http.routers.tautulliAPI-rtr.rule=HeadersRegexp(`User-Agent`, `Tautulli`)"

Please report back to close the issue.

EDIT: Sorry, I know you were looking for an Authelia bypass.

sudo-kraken commented 4 years ago

Use this to enable bypassing for Tautulli App (Credit: @CVJoint)

    - "traefik.http.routers.tautulliAPI-rtr.rule=HeadersRegexp(`User-Agent`, `Tautulli`)"

Please report back to close the issue.

Thanks for the label, is this to be used in conjunction with the above?

sudo-kraken commented 4 years ago

Got a working Tautulli API Authelia bypass. You need to update the query to use the device token ID, not the global API key that is given by Tautulli; you get this from the "add a new device" screen, then use the following.

  - "traefik.enable=true"
  ## HTTP Routers Auth Bypass
  - "traefik.http.routers.tautulli-rtr-bypass.entrypoints=https"
  - "traefik.http.routers.tautulli-rtr-bypass.rule=Headers(`X-Api-Key`, `$TAUTULLI_DEVICE_KEY`) || Query(`apikey`, `$TAUTULLI_DEVICE_KEY`)"
  - "traefik.http.routers.tautulli-rtr-bypass.priority=100"
  ## HTTP Routers
  - "traefik.http.routers.tautulli-rtr.entrypoints=https"
  - "traefik.http.routers.tautulli-rtr.rule=Host(`tautulli.$DOMAINNAME`)"
  - "traefik.http.routers.tautulli-rtr.priority=99"
  ## Middlewares
  - "traefik.http.routers.tautulli-rtr-bypass.middlewares=chain-no-auth@file"
  - "traefik.http.routers.tautulli-rtr.middlewares=chain-authelia@file"
  ## HTTP Services
  - "traefik.http.routers.tautulli-rtr.service=tautulli-svc"
  - "traefik.http.routers.tautulli-rtr-bypass.service=tautulli-svc"
  - "traefik.http.services.tautulli-svc.loadbalancer.server.port=8181"

sudo-kraken commented 4 years ago

Are you storing your API key or the device ID that you get from the Tautulli mobile app section in the settings?

---- On Mon, 29 Jun 2020 16:02:06 +0100 notifications@github.com wrote ----

@Joeharrison94, I have used exactly what you posted above, but could use your assistance.


bpersino commented 4 years ago

I was able to get it working, my indentation was incorrect for the labels.


sudo-kraken commented 4 years ago

Good, I'm glad. Out of interest, do you use it for any other apps? I'm keen to find some new services that have companion apps. I use nzb360 but it doesn't seem to work half the time (not the API key but the app in general).

---- On Mon, 29 Jun 2020 23:00:49 +0100 notifications@github.com wrote ----

I was able to get it working, my indentation was incorrect for the labels.


Are you storing your API key or the device ID that you get from the Tautulli mobile app section in the settings?

---- On Mon, 29 Jun 2020 16:02:06 +0100 notifications@github.com wrote ----

@Joeharrison94,

I have used exactly what you posted above, but could use your assistance.

For some reason, the Tautulli app bypass is not working. It's still hitting Authelia for some reason, please see screenshot below. I have successfully bypassed other apps, so I know the Authelia bypass works.


bpersino commented 4 years ago

The only other app I use is also nzb360, but I don’t have any issues with that app working, although I don’t really use it much. I guess I just like getting notifications from the app when something new downloads.


BEisem commented 4 years ago

Has anyone been able to get the bypass to work with LunaSea for Radarr and/or Sonarr? I believe I have everything the way it has been recommended, but it still doesn't bypass the auth (I'm using OAuth instead of Authelia, but the theory should still be the same).

Here's what I'm using:

      - "traefik.http.routers.sonarr-rtr-bypass.entrypoints=https"
      - "traefik.http.routers.sonarr-rtr-bypass.rule=Headers(`X-Api-Key`, `$SONARR_API_KEY`) || Query(`apikey`, `$SONARR_API_KEY`)"
      - "traefik.http.routers.sonarr-rtr-bypass.priority=100"
      ## HTTP Routers Auth
      - "traefik.http.routers.sonarr-rtr.entrypoints=https"
      - "traefik.http.routers.sonarr-rtr.rule=HostHeader(`sonarr.$DOMAINNAME`)"
      - "traefik.http.routers.sonarr-rtr.tls=true"
      - "traefik.http.routers.sonarr-rtr.priority=99"
      ## Middlewares
      - "traefik.http.routers.sonarr-rtr-bypass.middlewares=chain-no-auth@file"
      - "traefik.http.routers.sonarr-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
      ## HTTP Services
      - "traefik.http.routers.sonarr-rtr.service=sonarr-svc"
      - "traefik.http.routers.sonarr-rtr-bypass.service=sonarr-svc"
      - "traefik.http.services.sonarr-svc.loadbalancer.server.port=8989"

I changed log level to trace on my oauth container and tried to access via the app, and I saw the following in the logs:

today at 4:57 PM time="2020-08-21T20:57:21Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=**REDACTED**; Path=/; Domain=**REDACTED**.com; Expires=Sun, 20 Sep 2020 20:57:21 GMT; HttpOnly; Secure" handler=Auth host=sonarr.**REDACTED**.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=**REDACTED**.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.**REDACTED**.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=**REDACTED**%3Agoogle%3Ahttps%3A%2F%2Fsonarr.**REDACTED**.com%2Fapi%2Fprofile%3Fapikey%**REDACTED**" method=GET proto=https rule=default source_ip="**REDACTED**, **REDACTED**" uri="/api/profile?apikey=**REDACTED**"

Sorry for all the redacted info, there were a lot of identifying URLs and APIs... but in any event, if anyone has gotten this working with LunaSea, can you help me out? Thanks!

CVJoint commented 4 years ago

I have LunaSea working, but using Authelia instead of Google OAuth. You're right though, the bypass is performed in Traefik, so that shouldn't matter. I don't see the X-Api-Key header in your log, but the "Query(apikey, ..." part is referring to the last line of your log:

...uri="/api/profile?apikey=**REDACTED**"

? is the query, apikey is the subject and the redacted part is your $SONARR_API_KEY. You can also get this value from Sonarr at Settings/General/API Key. Your labels look very similar to mine, so I'd double check that you're using the right API key and that your variables have been updated (use echo $SONARR_API_KEY to confirm).