Allow_bypass_login for all connections (and/or trusted_network 0.0.0.0)?

hcooper · November 8, 2021, 9:23pm

Is there way to configure trusted_network to consider everything trusted? (i.e. 0.0.0.0)

or

Is there a way to configure allow_bypass_login without defining trusted_network?

I attempted a variety of both, but I’ve not found a way to achieve either yet.

Context:

I’ve an authentication proxy in front of HA (authelia).
I have x-forwarded-for enabled so that HA logs the real client IPs.
I want allow_bypass_login enabled so that once authenticated with the proxy there is no further logging in required.

For #3, I need trusted_networks enabled. However with #2 enabled I need to “trust the world”.

Thanks!

hcooper · November 10, 2021, 8:32pm

Not sure how I missed this during testing, but the answer is as simple as 0.0.0.0/0.

from ipaddress import IPv4Address, IPv4Network
IPv4Address("192.168.3.1") in IPv4Network('0.0.0.0/0')

endquote · October 4, 2022, 12:39am

@hcooper I wonder if you could share the relevant bit of your config here. I’m trying to do the exact thing with a proxy and Authelia, however can’t seem to get trusted networks to work. I have this config, but still get prompted to log in:

http:
  use_x_forwarded_for: true
  trusted_proxies:
  - 172.22.0.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

# assuming you have only one non-system user
homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 0.0.0.0/0
        - 127.0.0.1
        - ::1
      allow_bypass_login: true
    - type: homeassistant

hcooper · October 4, 2022, 1:10am

I’ve some minor differences, but don’t see anything obviously wrong with your config.

Just to check:

the trusted_proxy IP address should be that of the proxy server (not authelia, if that’s running elsewhere).
the proxy does my https, so HA is only listening on 80.
Try adding ::/0 in case the services are talking over their local v6 addresses.
I have the ip_ban disabled because I deffer all that logic to authelia/proxy.

http:
  server_port: 80
  ip_ban_enabled: false
  # login_attempts_threshold: 4
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.254.254.251 # traefik

homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        # open so allow_bypass_login can be enabled.
        # authelia adds x-forwarded for, so the real
        # ip of the client is checked by HA.
        - 0.0.0.0/0
        - ::/0
      allow_bypass_login: true
    - type: homeassistant

Just checked from a fresh incognito session, and once authed with authelia I don’t get any HA login prompt. Any clues in your logs?