Authelia and Gotify #692

Closed
2 of 6 tasks
waz1500 opened this issue Oct 3, 2024 · 10 comments
Labels
question Further information is requested

Comments

@waz1500

waz1500 commented Oct 3, 2024

Have you read the documentation?

  • Yes, but it does not include related information regarding my question.
  • Yes, but the steps described in the documentation do not work on my machine.
  • Yes, but I am having difficulty understanding it and want clarification.

You are setting up gotify in

  • Docker
  • Linux native platform
  • Windows native platform

Describe your problem
I am using Gotify with Authelia and Traefik, and I'd like to be able to receive messages via the reverse proxy, but this is currently being blocked by Authelia. My Gotify and Authelia users are the same, so with gotify’s basic auth, I can log in without needing to reauthenticate on Gotify’s side.

In Authelia, I can usually add exceptions for certain requests, such as API calls, but I’m unsure of what exactly to configure for Gotify. Here’s an example rule I typically use:

    ## bypass api / triggers
    - domain: "*.domain.com"
      resources:
        - "^/api([/?].*)?$"

When I test using the following example:

    curl "https://gotify.websitename.com/message?token=AxhtWcK0y5oIVUY" -F "title=my title" -F "message=my message" -F "priority=5"

I see the following error in the Authelia logs:

    level=info msg="Access to https://gotify.websitename.com/message?token=AxhtWcK0y5oIVUY (method POST) is not authorized to user <anonymous>, responding with status code 303 with location redirect to https://authelia.websitename.com/?rd=https%3A%2F%2Fgotify.websitename.com%2Fmessage%3Ftoken%3DAxhtWcK0y5oIVUY&rm=POST" method=GET path=/api/verify remote_ip=172.68.205.46

The remote IP is a Cloudflare IP; however, I have set up my reverse proxy to trust Cloudflare IPs and pass my real IP across to my apps.

    X-Forwarded-For: myipaddress, 172.68.205.46
    X-Forwarded-Host: whoami.websitename.com
    X-Forwarded-Port: 443
    X-Forwarded-Proto: https
    X-Is-Trusted: yes
    X-Real-Ip: myipaddress

Additionally, I cannot use the Gotify app because it tries to check /version, but those endpoints are blocked by Authelia. I'm also unsure how to pass credentials in the curl test command.

My question is: Can Gotify work behind Authelia, allowing Gotify requests to pass through while still protecting Gotify? I’m aware Gotify has a "trusted IPs" section in the config, but I’d prefer to handle everything through Authelia.

Please let me know if more details would help. I couldn’t find many related issues regarding Authelia and Gotify on the GitHub issues page.

@waz1500 waz1500 added the question Further information is requested label Oct 3, 2024
@eternal-flame-AD
Member

I will have to look into authelia more carefully but can you just configure Authelia to allow unauthorized requests while still passing creds through?

@waz1500
Author

waz1500 commented Oct 3, 2024

Hi! The only way I know how to achieve what you suggested in Authelia is by using the resources section. This custom regex allows specific API calls to bypass authentication, while everything else still requires authorization:

      resources:
        - "^/api([/?].*)?$"

I checked the Gotify API documentation, and it seems to use different endpoints than I initially expected. It looks like I’ll need to allow /message and possibly /version (so I can also set up the Android app).

Are there any other essential API calls I should account for if I want full functionality?

@eternal-flame-AD
Member

I think you can just allow all unauthorized requests to go through and let Gotify do the final determination? If I recall, the only endpoint that we call with user/password is /client; everything else is through tokens.

@waz1500
Author

waz1500 commented Oct 3, 2024

Thanks for the tips! My understanding of Authelia has improved, and I managed to solve this via two different methods by referring to the Gotify API docs here: https://gotify.net/api-docs#/. The methods section on the access control page in the Authelia documentation was also helpful: https://www.authelia.com/configuration/security/access-control/#methods

Authelia users rejoice!
Here are the code blocks I added to Authelia to receive messages via the site and allow registration via the phone app. I was able to successfully send a message using the test curl example.

I'm wondering if Method 1 is more secure, as it's protecting the API endpoints, or if it's better to leave it all open via Method 2. Is it possible to fake HTTP request methods?

Method 1: Add the API names; however, this will need adjusting if the devs add more.
Authelia configuration.yml:

    access_control:
      default_policy: deny
      rules:
        - domain:
          - gotify.websitename.com
          resources:
          - '^/message([/?].*)?$'
          - '^/version([/?].*)?$'
          - '^/stream([/?].*)?$'
          - '^/current([/?].*)?$'
          - '^/client([/?].*)?$'
          - '^/application([/?].*)?$'
          - '^/user([/?].*)?$'
          - '^/health([/?].*)?$'
          - '^/plugin([/?].*)?$'
          policy: bypass

Method 2: Allow all unauthorized requests to go through, as per @eternal-flame-AD's suggestion.
Authelia configuration.yml:

    access_control:
      default_policy: deny
      rules:
        - domain:
          - gotify.websitename.com
          methods:
          - GET
          - POST
          - PUT
          - DELETE
          policy: bypass
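
To make the difference between the two methods concrete, here is a small model of how Authelia's access-control evaluation behaves on these rules (first matching rule wins, anything unmatched falls back to `default_policy`). It is an added example written for this thread, not Authelia's own code, and the trailing `two_factor` rule and the `_domain_match` helper are assumptions standing in for whatever protected rule a deployment already has. It shows that Method 1 bypasses only the enumerated API prefixes (the web UI at `/` and a near-miss path like `/messages` still hit the protected rule), that Method 2 bypasses every listed method on the host, so Authelia no longer challenges anything there, and why a bypass rule placed after a catch-all rule never takes effect.

```python
"""Toy model of Authelia access-control evaluation for the rules in this thread.

Constructed example, not Authelia code: rules are evaluated top to bottom, the
first matching rule decides, and unmatched requests get default_policy.
"""
import re
from dataclasses import dataclass, field
from typing import List


def _domain_match(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain; anything else must match exactly.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


@dataclass
class Rule:
    domains: List[str]
    policy: str                                          # bypass | one_factor | two_factor | deny
    resources: List[str] = field(default_factory=list)   # regexes over path + query string
    methods: List[str] = field(default_factory=list)     # empty list = any method

    def matches(self, host: str, method: str, path_and_query: str) -> bool:
        if not any(_domain_match(d, host) for d in self.domains):
            return False
        if self.methods and method.upper() not in self.methods:
            return False
        if self.resources and not any(re.search(r, path_and_query) for r in self.resources):
            return False
        return True


def decide(rules: List[Rule], host: str, method: str, path_and_query: str,
           default_policy: str = "deny") -> str:
    """Return the policy Authelia would apply: first matching rule, else default."""
    for rule in rules:
        if rule.matches(host, method, path_and_query):
            return rule.policy
    return default_policy


HOST = "gotify.websitename.com"
API_PREFIXES = ["message", "version", "stream", "current", "client",
                "application", "user", "health", "plugin"]

# Method 1: bypass only the enumerated API prefixes. The second rule is an assumed
# catch-all that keeps everything else on the host (the web UI at "/") protected.
METHOD_1 = [
    Rule([HOST], "bypass", resources=[rf"^/{p}([/?].*)?$" for p in API_PREFIXES]),
    Rule([HOST], "two_factor"),
]

# Method 2: bypass every listed method. The catch-all is only reached for methods
# that are not in the list, so Authelia effectively stops challenging this host.
METHOD_2 = [
    Rule([HOST], "bypass", methods=["GET", "POST", "PUT", "DELETE"]),
    Rule([HOST], "two_factor"),
]

# Same rules as Method 1 with the bypass rule placed after the catch-all: the
# catch-all matches first, so the bypass never applies.
METHOD_1_WRONG_ORDER = list(reversed(METHOD_1))


if __name__ == "__main__":
    # Requests taken from the thread plus a few constructed near misses.
    samples = [
        ("POST", "/message?token=AxhtWcK0y5oIVUY"),
        ("GET", "/version"),
        ("GET", "/"),
        ("GET", "/messages"),
        ("PATCH", "/message"),
    ]
    for name, rules in [("Method 1", METHOD_1), ("Method 2", METHOD_2),
                        ("Method 1, wrong order", METHOD_1_WRONG_ORDER)]:
        for method, target in samples:
            print(f"{name:22} {method:5} {target:35} -> {decide(rules, HOST, method, target)}")
```

Run it as a script to print the decision table; the anchored regexes are what keep `/messages` out of the bypass, and the last group of lines is the ordering problem that makes it worth placing bypass rules near the top of the list.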

@waz1500
Author

waz1500 commented Oct 4, 2024

The regex expressions in Method 1 will also work for those using Authentik, although I prefer Authelia. You will need to place these under the "Unauthenticated Paths" section when using Authentik.
For example:

^/message([/?].*)?$
^/version([/?].*)?$
 etc...

This allows a protected reverse proxy whilst allowing named endpoints to go through unauthorized.
This solves my issue and can be closed. Hope this helps others!

@tomergam

tomergam commented Oct 6, 2024

@waz1500, thanks for the solution.
I used Method 1 with Authelia.
Did you get the app icon in the Android Gotify application?

@waz1500
Author

waz1500 commented Oct 6, 2024

@tomergam
I just checked, and the app icon is working fine for me on both phone and desktop. Gotify generates a default icon, and you can upload a custom icon for your specific application if needed. If images aren't working, it may be a problem with your reverse proxy config.

Also, I forgot to mention earlier that any Authelia bypass rules should generally be placed near the top of the rules list.

@tomergam

tomergam commented Oct 6, 2024

Thanks @waz1500

I'm not getting the icon, custom or default.
Screenshot attached.
On the desktop it is working fine.

[screenshot: photo_2024-10-06_17-46-53]

@waz1500
Author

waz1500 commented Oct 6, 2024

If you create a new thread, we can take a look at your reverse proxy settings and work on getting this sorted for you. It’s not an issue with Authelia but rather with the reverse proxy.

Screenshot of my phone:
[screenshot: Screenshot_20241006-155513]

@davols

davols commented Dec 6, 2024

> The regex expressions in Method 1 will also work for those using Authentik although I prefer Authelia. You will need to place these under the "Unauthenticated Paths" section when using Authentik. For example:
>
>     ^/message([/?].*)?$
>     ^/version([/?].*)?$
>     etc...
>
> This allows a protected reverse proxy whilst allowing named endpoints to go through unauthorized. This solves my issue and can be closed. Hope this helps others!

I don't get it. I have added all those but still get errors in Gotify. I'm using Authentik and Traefik.

^/message([/?].*)?$
^/version([/?].*)?$
^/stream([/?].*)?$
^/current([/?].*)?$
^/client([/?].*)?$
^/application([/?].*)?$
^/user([/?].*)?$
^/health([/?].*)?$
^/plugin([/?].*)?$

In the unauthenticated paths in Authentik.

    2024-12-06T22:14:02+01:00 | 401 |      79.363µs |   85.165.10.232 | POST     "/client"
    Error #01: you need to provide a valid access token or user credentials to access this api

While trying to log in.
Edit:
The culprit was the Authentik middleware that had authorization. The solution was to create a new middleware for Authentik without the authorization (which was needed for some other services for basic auth).
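
For readers hitting the same 401 on `/client`, the following Traefik dynamic configuration shows one plausible form of the fix described above. It is an added example, not configuration from this thread or from the Authentik or Gotify projects; the middleware names, the outpost address and the exact header list are assumptions. The mechanism it relies on is Traefik's documented `forwardAuth.authResponseHeaders` behaviour: headers listed there are copied from the auth server's response onto the upstream request, replacing any conflicting header the client sent. With `Authorization` in that list, the client's own Gotify token or basic-auth header is overwritten before it reaches Gotify, which is exactly what Gotify needs on `/client` and `/message`.

```yaml
# Traefik dynamic configuration (file provider). Added example; names and the
# outpost address are assumptions, not values from the thread.
http:
  middlewares:
    # Used for services that expect Authentik to inject their credentials:
    # the Authorization header from the outpost response overwrites whatever
    # the client sent. Do NOT attach this one to Gotify.
    authentik-with-authorization:
      forwardAuth:
        address: "http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - Authorization

    # Used for Gotify: Authorization is deliberately left out of
    # authResponseHeaders, so the client's own token or basic-auth header
    # passes through untouched and Gotify can make the final decision.
    authentik-passthrough:
      forwardAuth:
        address: "http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username

  routers:
    gotify:
      rule: "Host(`gotify.websitename.com`)"
      entryPoints:
        - websecure
      middlewares:
        - authentik-passthrough
      service: gotify
```

After switching the Gotify router to the passthrough middleware, a `POST /client` with the user's basic-auth credentials should reach Gotify with that header intact, and the paths listed as unauthenticated in Authentik continue to skip the login redirect.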

5 participants