Anyone have Authelia working with HA to handle authentication?

Sounds good, and also works with the HA apps on Android/iOS?

Yep, you just get the Authelia authentication prior to making it to HA. You just need to put in the info for your site, then press done; that makes the Authelia authentication screen come up.

Hm, it gives me unknown errors (btw it seemed the code I already used was pretty similar to yours, except I used the X-Forwarded-For header instead of the CF IP, though the result should be the same. I have also added some security headers, which you don’t need since they already come with the CF proxy).

Could you maybe tell me how you have set up your authentication providers in HA?
E.g. I have the following lines:

# Home Assistant
homeassistant:
  customize: !include customize.yaml
  packages: !include_dir_named packages/
  external_url: !secret base_url
  internal_url: !secret internal_url
  media_dirs:
    media: media/
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - 10.0.0.0/24
    - type: homeassistant

But HA has to get the user info from authelia somehow no?

At the moment I still have normal user authentication on for HA. However, I am considering turning it off in some way once I am satisfied it is working. So it is a little annoying when you set up the device as you need to log in twice… once in Authelia & once in HA.

Ah that is what I thought, hence why I have set up a bypass in Authelia since logging in twice (both 2FA) is a no go.

Thanks for the explanation.

For those updating to 2021.7… there is a breaking change that stopped my config from working. I had to make sure I had these lines in my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

I have managed to connect the app by changing the Authelia config for homeassistant to bypass. But how do I configure Authelia to use two_factor for normal log in and bypass the /api and /auth?

I tried:

    - domain: "homeassistant.mydomain.org"
      subject:
        - "group:admins"
      policy: two_factor

    - domain: "homeassistant.mydomain.org"
      resources:
        - "^/api.*$"
        - "^/auth/token/.*$"
      policy: bypass

But if I look in the Authelia log it still blocks requests to /api/verify and /auth/token

2 Likes

I haven’t set up HA through Authelia yet, but I do know your bypass rule must come BEFORE your two_factor rule. Swap the order and test it out to see if it works. I’d be interested if it does because I’d like to require two-factor from a browser but allow the app on my phone.

Hi,
Don’t know if this is the best way, but I managed to be able to use the app while protecting the web interface with Authelia.
In Authelia’s config I have this (I stripped other domains) :

- domain: "ha.MYDOMAIN.COM"
  policy: bypass
  resources:
    - "^/api.*"
    - "^/auth/token.*"
    - "^/.external_auth=."
    - "^/service_worker.js"
    - "^/static/.*"
- domain: # Proxies needing 2 factor below
    - "ha.MYDOMAIN.COM"
  policy: two_factor

It is indeed very important to put your “bypass” block before the two_factor one (as @MRobi said), otherwise it will be ignored.

I modified the given rules and added some others from what I saw in Authelia’s logs.
It seems to be working just fine right now.

And just a final note to say I don’t have Authelia only, but also a password with Double Authentication set at HA’s level.

[EDIT] Removed a “/” in one of the rules because the path is “/auth/token” and not “/auth/token/”

2 Likes
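
Added example (not part of the original posts, and not Authelia's own code): a simplified Python model of first-match rule evaluation, showing why the bypass block has to come before the two_factor block and how broadly a pattern like "^/api.*" matches. The domain ha.example.com, the sample paths and the "deny" default are assumptions made for illustration.

```python
import re

# Simplified model (assumption): rules are checked top to bottom and the first
# rule whose domain and resources match decides the policy. A rule without
# "resources" matches every path on its domain.
DEFAULT_POLICY = "deny"  # assumed default for this example

BYPASS = {
    "domain": "ha.example.com",
    "policy": "bypass",
    "resources": [r"^/api.*", r"^/auth/token.*", r"^/service_worker.js", r"^/static/.*"],
}
TWO_FACTOR = {"domain": "ha.example.com", "policy": "two_factor"}


def decide(rules, domain, path):
    """Return the policy of the first rule matching this domain and path."""
    for rule in rules:
        if rule["domain"] != domain:
            continue
        patterns = rule.get("resources")
        if patterns is None or any(re.search(p, path) for p in patterns):
            return rule["policy"]
    return DEFAULT_POLICY


def audit(rules, domain, paths):
    """Map each path to the policy it would receive, for reviewing a rule set."""
    return {path: decide(rules, domain, path) for path in paths}


# Constructed sample request paths. "/apiary" is not an API endpoint, but the
# pattern "^/api.*" still matches it, so it is bypassed as well.
SAMPLE_PATHS = ["/api/websocket", "/auth/token", "/lovelace/default_view",
                "/static/icons/favicon.ico", "/apiary"]

if __name__ == "__main__":
    orders = {"two_factor first": [TWO_FACTOR, BYPASS],
              "bypass first": [BYPASS, TWO_FACTOR]}
    for label, rules in orders.items():
        print(label)
        for path, policy in audit(rules, "ha.example.com", SAMPLE_PATHS).items():
            print(f"  {path:28} {policy}")
```

Running audit() over the paths seen in the proxy log before widening a bypass list shows exactly which requests would skip Authelia and reach HA's own login unprotected.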

Could you use allow_bypass_login as described here? Authentication Providers - Home Assistant

I am thinking about doing the same and just have everything authenticated through Authelia but would love everyone’s thoughts.

That only works for a single user instance of HA. Which in my case is a no no.

Makes sense.

I recently came across this also which I just installed today. So far, it’s working fine but have not yet tested with multi users.

According to this issue here you need to open up a lot of resources for Authelia. Seems like a large attack area, is this ok to have Authelia bypass?

    - domain: "ha.domain.com"
      policy: bypass
      resources:
        - "^/api.*"
        - "^/auth/token.*"
        - "^/.external_auth=."
        - "^/service_worker.js"
        - "^/static.*"
        - "^/local.*"
        - "^/hacsfiles.*"
        - "^/frontend_latest.*"

1 Like

Recently lost a drive and Authelia was a victim. Now everything is trying to reauthenticate and I am not even sure what is trying!

I’ve had a read of this thread and might be time to consider other options…

I cannot find a homeassistant authelia addon to augment nginx proxy manager. Is anyone working on an add on for this? I found there is a docker container available for authelia but haven’t pulled it yet. I will begin working on an addon in the upcoming weeks but don’t want to reinvent the wheel if someone is already working on it. I’d like to collab if this is in progress.

If you are interested in Authelia working natively with Home Assistant, as the current solution requires bypasses as listed above and does not always work well with the mobile apps, please upvote Open letter for improving Home Assistant's Authentication system and leave your use-case there as well.

If enough people are interested in using SSO with HA, this would be a great spot to let the developers know. Thank you!

2 Likes

My intent is to run Authelia as an addon to work with the nginx Proxy Manager. The holidays have slowed me down a little but this is on the top of my list for the new year.

I just discovered this ticket which I found interesting as after I have Authelia working with Nginx Proxy Manager I was going to look into fail2ban with Nginx Proxy Manager as well.

I wrote a Command Line Authentication script to handle authentication with Authelia. Code is here: Home Assistant Command Line Authentication for Authelia · GitHub

You can also find all instructions on my blog.

Main limitations are:

  • no 2FA support
  • requests will originate from HA itself, so be careful to not fail2ban it. Make sure you limit failed logins on the HA side instead.

I just started setting up Authelia. @kevinoconnor7 is this still working well for you? I’m going to go down this path following your blog instructions.

I was able to follow your instructions and the web UI login works mostly great. HomeAssistant doesn’t know who I’m logged in as, but that’s not a big deal.

My next problem was the iOS Companion app. I had to delete the server, and then re-add it. After that, I was fine. Thanks!