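# Authelia access_control section.
#
# Rules are evaluated top-down and the first rule whose domain, subject and
# resources all match decides the policy, so ORDER MATTERS: specific rules must
# come before broader ones or they are never reached.
# `{{ env "TRAEFIK_DOMAIN" }}` is expanded by Authelia's config templating
# before the YAML is parsed, which is why it appears inside quoted scalars.
access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny

  rules:
    # Allow free access from local network
    # - domain: '*.{{ env "TRAEFIK_DOMAIN" }}'
    #   policy: bypass
    #   networks:
    #     - 192.168.0.0/16
    #     - 172.16.0.0/12
    #     - 10.0.0.0/8

    # # Put WAN Access rules here
    # - domain: '{{ env "TRAEFIK_DOMAIN" }}'
    #   resources:
    #     - "^/.well-known([/?].*)?$"
    #   policy: bypass

    # - domain: '{{ env "TRAEFIK_DOMAIN" }}'
    #   subject: "group:admin"
    #   policy: two_factor

    # - domain: 'headscale.{{ env "TRAEFIK_DOMAIN" }}'
    #   policy: bypass

    # Customer stacks: authenticated subscribers with one_factor.
    # NOTE(review): TRAEFIK_DOMAIN is inserted into the regex unescaped, so its
    # dots match any character; harmless for intended hosts but wider than
    # written.
    - domain_regex: '^[a-z0-9-]+\.{{ env "TRAEFIK_DOMAIN" }}$'
      subject:
        - "group:customers"
      policy: one_factor

    # Customer demo subdomains (e.g. clientname.app.a250.ca)
    - domain_regex: '^[a-z0-9-]+\.app\.a250\.ca$'
      subject:
        - "group:customers"
      policy: one_factor

    # ss-atlas app public routes (landing, webhook).
    # Listed before the authenticated app rules so these paths stay public.
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      policy: bypass
      resources:
        - '^/$'
        - '^/subscribe$'
        - '^/success(\?.*)?$'
        - '^/webhook/stripe$'
        - '^/health$'

    # ss-atlas activate requires any authenticated user (not yet in customers group)
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      resources:
        - '^/activate$'
      policy: one_factor

    # ss-atlas dashboard requires auth
    - domain: 'app.{{ env "TRAEFIK_DOMAIN" }}'
      subject:
        - "group:customers"
      policy: one_factor

    # Admin services require two-factor authentication.
    # Must stay above the '*.a250.ca' admin rule, which would otherwise grant
    # these hosts at one_factor.
    - domain:
        - "portainer.a250.ca"
        - "login.a250.ca"
        - "git.nixc.us"
      subject:
        - "group:admins"
      policy: two_factor

    # General admin access (less sensitive services).
    # Matches every host under a250.ca, so for members of group:admins this
    # rule decides before every a250.ca rule below it (including the Graylog
    # two_factor rule). Rules for admins that need a stricter policy belong
    # above this one.
    - domain: "*.a250.ca"
      subject:
        - "group:admins"
        # - "group:dev"
      policy: one_factor

    # traefik monitor
    - domain:
        - "monitor-ertest.a250.ca"
      subject:
        - "group:monitor-ertest"
      policy: one_factor

    # guacamole
    - domain:
        - "guac.a250.ca"
      subject:
        - "group:guac"
      policy: one_factor

    # uptime-kuma
    - domain:
        - "uptime.a250.ca"
      subject:
        - "group:uptime-kuma"
      policy: one_factor

    # Filebrowser: admins authenticate, then selected paths are public.
    # Order is deliberate: the admin rule wins for admins on every path; the
    # bypass below applies to everyone else on the listed paths only.
    - domain:
        - "fb.a250.ca"
        - "fbi.a250.ca"
      subject:
        - "group:admins"
      policy: one_factor

    # Filebrowser public paths (API, shares, static assets).
    # NOTE(review): /api/ is exposed without Authelia authentication here;
    # confirm the application enforces its own auth on that prefix.
    - domain:
        - "fb.a250.ca"
        - "fbi.a250.ca"
      policy: bypass
      resources:
        - '^/api/(.*)?$'
        - '^/share/(.*)?$'
        - '^/static/(.*)?$'

    ## Transfer.sh
    - domain:
        - "tx.a250.ca"
      subject:
        - "group:transfer"
      policy: one_factor

    ## Firefox
    - domain:
        - "ff.a250.ca"
      subject:
        - "group:firefox"
      policy: one_factor

    ## Oracle
    - domain:
        - "oracle.a250.ca"
      subject:
        - "group:oracle"
      policy: one_factor

    ## Stash (fansdb group on the shared fb.a250.ca filebrowser host)
    - domain:
        - "fb.a250.ca"
      subject:
        - "group:fansdb"
      policy: one_factor

    # Stash filebrowser (stash_admin group)
    - domain:
        - "fb-stash.a250.ca"
      subject:
        - "group:stash_admin"
      policy: one_factor

    # Graylog access (sensitive logs require two-factor).
    # NOTE(review): users who are also in group:admins hit the '*.a250.ca'
    # one_factor rule above first; move this rule above it if admins must
    # also use two_factor for logs.
    - domain:
        - "log.a250.ca"
      subject:
        - "group:graylog"
      policy: two_factor

    # whisper access
    - domain:
        - "whisper.a250.ca"
      subject:
        - "group:kwlug"
      policy: one_factor

    # marketing browser access
    - domain:
        - "marketing-browser.a250.ca"
      subject:
        - "group:mrc"
      policy: one_factor

    # scanner access
    - domain:
        - "scanner.oid.a250.ca"
      subject:
        - "group:mrc"
      policy: one_factor

    # Catch-all for hosts under TRAEFIK_DOMAIN not matched above.
    # Moved to the END of the list: as the first rule it matched every
    # TRAEFIK_DOMAIN host before the subscriber, activate and dashboard rules,
    # so those were never evaluated and their hosts were effectively public.
    # NOTE(review): a blanket bypass still overrides default_policy: deny for
    # every unlisted subdomain — confirm it is needed and, if so, narrow it to
    # the specific public hosts.
    - domain: '*.{{ env "TRAEFIK_DOMAIN" }}'
      policy: bypass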