diff --git a/charts/enterprise/authelia/docs/Setup-Guide.md b/charts/enterprise/authelia/docs/Setup-Guide.md index 721d59e7c6b..c231ae16e1d 100644 --- a/charts/enterprise/authelia/docs/Setup-Guide.md +++ b/charts/enterprise/authelia/docs/Setup-Guide.md @@ -26,6 +26,8 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level - Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. I've created a user called `Steven` +- Create an `admin` group and add `Steven` to it. We will allow users of this group to access the site with Authelia later in the guide. + ## Setup Authelia - The setup for Authelia is very specific, and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo. @@ -65,15 +67,17 @@ Check your mail provider for this, generally Gmail gives you an app specific pas ### Access Control Configuration -- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule below where the main user (Steven) can access all the site using a wildcard +- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all the site using a wildcard. -Leave the default `one_factor` unless you've setup TOTP above. Then click `Add` next to `Rules` to get the screen below +Set the default `deny`. Then click `Add` next to `Rules` to get the screen below. ![AutheliaAccessControl](./img/AutheliaAccessControl.png) - Add your `Domain` and a `Wildcard` for your subdomains. -- Leave policy `one_factor` -- Click `Add Subject` and add a subject of `group:lldap_password_manager` since `Steven` is part of that group +- Set policy to `one_factor` or `two_factor`, up to you. +- Click `Add Subject` and add a subject of `group:admin` since `Steven` is part of that group. + +Please see [Authelia Rules](./authelia-rules) for more advanced rules. #### Setup Authelia Ingress diff --git a/charts/enterprise/authelia/docs/authelia-rules.md b/charts/enterprise/authelia/docs/authelia-rules.md index e96888822ad..b527bdbf6c8 100644 --- a/charts/enterprise/authelia/docs/authelia-rules.md +++ b/charts/enterprise/authelia/docs/authelia-rules.md @@ -10,7 +10,17 @@ It is important that rules are created in the correct order in Authelia. Rules a ::: -All rules requiring Authelia authentication were configured with `two_factor` (2FA). If you do not want 2FA on some or all rules replace the Policy with `one_factor` +:::note[DEFAULT POLICY] + +For theses rules to work as intended, your default access control policy must be set to `deny`. + +::: + +All rules requiring Authelia authentication were configured with `two_factor` (2FA). If you do not want 2FA on some or all rules replace the Policy with `one_factor`. + +In this guide we assume you have a group `admin` and a group `user` in ldap. +Members of the `admin` group will have access to everything. +Members of the `user` group will only have access to a select set of apps you choose. ## API Rule @@ -44,11 +54,13 @@ These rules will protect the Vaultwarden admin page with Authelia but bypass whe ### Rule 1 +This rule will allow users of the `admin` group to access the vaulwarden admin page. + Domain: `vaultwarden.domain.tld` Policy: `two_factor` -Subject: `Not Used (Do Not Add)` +Subject: `group:admin` Networks: `Not Used (Do Not Add)` @@ -58,6 +70,25 @@ Resources: `^*/admin.*$` ### Rule 2 +This rule will prevent users not in the `admin` group to access the vaulwarden admin page. +This is necessary even if the your default policy is set to `deny` because of the `bypass` rule below. + +Domain: `vaultwarden.domain.tld` + +Policy: `deny` + +Subject: `Not Used (Do Not Add)` + +Networks: `Not Used (Do Not Add)` + +Resources: `^*/admin.*$` + +![authelia-vw1](./img/authelia-vw2.png) + +### Rule 3 + +This rule will bypass Authelia when accessing the webportal as auth is already provided by vaultwarden. + Domain: `vaultwarden.domain.tld` Policy: `bypass` @@ -68,20 +99,21 @@ Networks: `Not Used (Do Not Add)` Resources: `Not Used (Do Not Add)` -![authelia-vw2](./img/authelia-vw2.png) +![authelia-vw2](./img/authelia-vw3.png) ## User Rule -This rule will allow users in the `lldap_user` group access to only the specified applications. +This rule will allow users in the `user` group access to only the specified applications. Domain: -- `radarr.domain.tld` -- `sonarr.domain.tld` +- `jellyfin.domain.tld` +- `nextcloud.domain.tld` +- `whateveryouwant.domain.tld` Policy: `two_factor` -Subject: `group:lldap_user` +Subject: `group:user` Networks: `Not Used (Do Not Add)` @@ -91,7 +123,7 @@ Resources: `Not Used (Do Not Add)` ## Catch All Rule -This rule will catch any access requests not covered by other rules. +This rule will give access to everything to users of the `admin` group. Domain: @@ -100,7 +132,7 @@ Domain: Policy: `two_factor` -Subject: `group:lldap_admin` +Subject: `group:admin` Networks: `Not Used (Do Not Add)` diff --git a/charts/enterprise/authelia/docs/img/AutheliaAccessControl.png b/charts/enterprise/authelia/docs/img/AutheliaAccessControl.png index 88f1ba09180..6e78bbc436e 100644 Binary files a/charts/enterprise/authelia/docs/img/AutheliaAccessControl.png and b/charts/enterprise/authelia/docs/img/AutheliaAccessControl.png differ diff --git a/charts/enterprise/authelia/docs/img/authelia-catch.png b/charts/enterprise/authelia/docs/img/authelia-catch.png index c84f9e315e2..f717c800886 100644 Binary files a/charts/enterprise/authelia/docs/img/authelia-catch.png and b/charts/enterprise/authelia/docs/img/authelia-catch.png differ diff --git a/charts/enterprise/authelia/docs/img/authelia-user.png b/charts/enterprise/authelia/docs/img/authelia-user.png index ea43abc855e..949e87c6723 100644 Binary files a/charts/enterprise/authelia/docs/img/authelia-user.png and b/charts/enterprise/authelia/docs/img/authelia-user.png differ diff --git a/charts/enterprise/authelia/docs/img/authelia-vw1.png b/charts/enterprise/authelia/docs/img/authelia-vw1.png index ba35026229e..6018086c8c6 100644 Binary files a/charts/enterprise/authelia/docs/img/authelia-vw1.png and b/charts/enterprise/authelia/docs/img/authelia-vw1.png differ diff --git a/charts/enterprise/authelia/docs/img/authelia-vw2.png b/charts/enterprise/authelia/docs/img/authelia-vw2.png index 0f99b305237..6da720a42ad 100644 Binary files a/charts/enterprise/authelia/docs/img/authelia-vw2.png and b/charts/enterprise/authelia/docs/img/authelia-vw2.png differ diff --git a/charts/enterprise/authelia/docs/img/authelia-vw3.png b/charts/enterprise/authelia/docs/img/authelia-vw3.png new file mode 100644 index 00000000000..0c16b743fbb Binary files /dev/null and b/charts/enterprise/authelia/docs/img/authelia-vw3.png differ