HA-Proxy Ingress: *.cluster.local is not under the protected domain

[hans-fischer]

Version

v4.37.5

Deployment Method

Kubernetes

Reverse Proxy

HAProxy

Reverse Proxy Version

2.4.25

Description

I added the following annotations to my Ingress-Ressource:
haproxy-ingress.github.io/auth-method: GET
haproxy-ingress.github.io/auth-signin: https://auth.example.de
haproxy-ingress.github.io/auth-url: http://authelia.authelia.svc.cluster.local/api/verify

In Authelia Logging I see this Log:
{"level":"error","method":"GET","msg":"Target URL https://authelia.authelia.svc.cluster.local/api/verify is not under the protected domain example.de","path":"/api/verify","remote_ip":"127.0.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":459,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T07:00:50Z"}

I played a bit with the annotation and change the auth-url to the external reachable domain:
haproxy-ingress.github.io/auth-url: https://auth.example.de/api/verify

Works!

But I dont want the traffic to route over the internet... Is there a way to disable the check or maybe add the internal domain to a list of exceptions?

Reproduction

To reproduce you have to install the ha-proxy-ingress from https://haproxy-ingress.github.io/ and configure the proxy to enable external-auth.
This is kinda complicated because you have to build a haproxy image zourself with lua-json included.

Expectations

I would expect authelia to recognize the domain pattern and to not go into an error state.

Configuration (Authelia)

No response

Build Information

Last Tag: v4.37.5
State: tagged clean
Branch: v4.37.5
Commit: 566a0d7fc71b450123ad33d350cd3890d311da82
Build Number: 17068
Build OS: linux
Build Arch: amd64
Build Date: Wed, 21 Dec 2022 19:54:54 +1100
Extra:

Logs (Authelia)

time="2024-04-17T04:51:17Z" level=warning msg="Configuration: access control: no rules have been specified so the 'default_policy' of 'two_factor' is going to be applied to all requests"
time="2024-04-17T04:51:17Z" level=info msg="Authelia v4.37.5 is starting"
time="2024-04-17T04:51:17Z" level=info msg="Log severity set to debug"
{"level":"info","msg":"Storage schema is being checked for updates","time":"2024-04-17T04:51:17Z"}
{"level":"info","msg":"Storage schema is already up to date","time":"2024-04-17T04:51:17Z"}
{"level":"debug","msg":"LDAP Supported OIDs. Control Types: 1.3.6.1.4.1.4203.1.9.1.1, 2.16.840.1.113730.3.4.18, 2.16.840.1.113730.3.4.2, 1.3.6.1.4.1.4203.1.10.1, 1.3.6.1.1.22, 1.2.840.113556.1.4.319, 1.2.826.0.1.3344810.2.3, 1.3.6.1.1.13.2, 1.3.6.1.1.13.1, 1.3.6.1.1.12. Extensions: 1.3.6.1.4.1.1466.20037, 1.3.6.1.4.1.4203.1.11.1, 1.3.6.1.4.1.4203.1.11.3, 1.3.6.1.1.8, 1.3.6.1.1.21.3, 1.3.6.1.1.21.1","time":"2024-04-17T04:51:17Z"}
{"level":"debug","msg":"Notifier SMTP client attempting connection to mail.guided-traffic.com:465","time":"2024-04-17T04:51:17Z"}
{"level":"debug","msg":"Notifier SMTP client using submissions port 465. Make sure the mail server you are connecting to is configured for submissions and not SMTPS.","time":"2024-04-17T04:51:17Z"}
{"level":"debug","msg":"Notifier SMTP client connected successfully","time":"2024-04-17T04:51:18Z"}
{"level":"debug","msg":"Notifier SMTP connection is already encrypted, skipping STARTTLS","time":"2024-04-17T04:51:18Z"}
{"level":"debug","msg":"Notifier SMTP server supports authentication with the following mechanisms: PLAIN LOGIN","time":"2024-04-17T04:51:18Z"}
{"level":"debug","msg":"Notifier SMTP client attempting AUTH PLAIN with server","time":"2024-04-17T04:51:18Z"}
{"level":"debug","msg":"Notifier SMTP client authenticated successfully with the server","time":"2024-04-17T04:51:18Z"}
{"level":"warning","msg":"Could not read from the NTP server socket to validate the system time is properly synchronized: read udp 10.252.213.211:59729-\u003e162.159.200.1:123: i/o timeout","time":"2024-04-17T04:51:23Z"}
{"level":"info","msg":"Initializing server (metrics) for non-TLS connections on '[::]:9959' path '/metrics'","time":"2024-04-17T04:51:23Z"}
{"level":"info","msg":"Initializing server for non-TLS connections on '[::]:9091' path '/'","time":"2024-04-17T04:51:23Z"}
{"level":"error","method":"GET","msg":"Scheme of target URL http://authelia.authelia.svc.cluster.local/api/verify must be secure since cookies are only transported over a secure connection for security reasons","path":"/api/verify","remote_ip":"10.252.237.172","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":451,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T06:23:02Z"}
{"level":"error","method":"GET","msg":"Target URL https://authelia.authelia.svc.cluster.local/api/verify is not under the protected domain EXAMPLE.de","path":"/api/verify","remote_ip":"127.0.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":459,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T06:23:46Z"}
{"level":"debug","method":"GET","msg":"Checking the authentication backend for an updated profile for user hans.fischer","path":"/api/verify","remote_ip":"188.XX.XX.XX","time":"2024-04-17T06:30:35Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=188.XX.XX.XX and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:30:35Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=188.XX.XX.XX and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:30:35Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=188.XX.XX.XX and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:30:40Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=188.XX.XX.XX and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:30:40Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=188.XX.XX.XX and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:31:11Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=188.XX.XX.XX and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:31:11Z"}
{"level":"error","method":"GET","msg":"Target URL https://authelia.authelia.svc.cluster.local/api/verify is not under the protected domain EXAMPLE.de","path":"/api/verify","remote_ip":"127.0.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":459,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T06:32:15Z"}
{"level":"debug","method":"GET","msg":"Checking the authentication backend for an updated profile for user hans.fischer","path":"/api/verify","remote_ip":"188.XX.XX.XX","time":"2024-04-17T06:46:33Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=188.XX.XX.XX and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:46:33Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=188.XX.XX.XX and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:46:33Z"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:47:25Z"}
{"level":"debug","msg":"No matching rule for subject username= groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:47:25Z"}
{"level":"info","method":"GET","msg":"Access to https://auth.EXAMPLE.de/api/verify (method unknown) is not authorized to user \u003canonymous\u003e, responding with status code 401","path":"/api/verify","remote_ip":"49.13.144.89","time":"2024-04-17T06:47:25Z"}
{"level":"error","method":"GET","msg":"Scheme of target URL http://authelia.authelia.svc.cluster.local/api/verify must be secure since cookies are only transported over a secure connection for security reasons","path":"/api/verify","remote_ip":"10.252.237.172","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":451,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T06:48:00Z"}
{"level":"debug","method":"GET","msg":"Checking the authentication backend for an updated profile for user hans.fischer","path":"/api/verify","remote_ip":"188.XX.XX.XX","time":"2024-04-17T06:57:25Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=188.XX.XX.XX and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T06:57:25Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=188.XX.XX.XX and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T06:57:25Z"}
{"level":"error","method":"GET","msg":"Target URL https://authelia.authelia.svc.cluster.local/api/verify is not under the protected domain EXAMPLE.de","path":"/api/verify","remote_ip":"127.0.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_verify.go","Line":459,"Name":"VerifyGET.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"(*BridgeBuilder).Build.func1.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":16,"Name":"SecurityHeaders.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":40,"Name":"NewMetricsVerifyRequest.func1.1"},{"File":"github.com/fasthttp/router@v1.4.14/router.go","Line":427,"Name":"(*Router).Handler"},{"File":"github.com/valyala/fasthttp@v1.43.0/http.go","Line":154,"Name":"(*Response).StatusCode"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":22,"Name":"NewMetricsRequest.func1.1"},{"File":"github.com/valyala/fasthttp@v1.43.0/server.go","Line":2338,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":224,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.43.0/workerpool.go","Line":196,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1594,"Name":"goexit"}],"time":"2024-04-17T07:00:50Z"}
{"level":"debug","method":"GET","msg":"Checking the authentication backend for an updated profile for user hans.fischer","path":"/api/verify","remote_ip":"49.13.144.89","time":"2024-04-17T07:02:29Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:02:29Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:02:29Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:02:34Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:02:34Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:02:35Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:02:35Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:03Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:08Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:08Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:08Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:08Z"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:18Z"}
{"level":"debug","msg":"No matching rule for subject username= groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:18Z"}
{"level":"info","method":"GET","msg":"Access to https://auth.EXAMPLE.de/api/verify (method unknown) is not authorized to user \u003canonymous\u003e, responding with status code 401","path":"/api/verify","remote_ip":"49.13.144.89","time":"2024-04-17T07:03:18Z"}
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'hans.fischer'","path":"/api/firstfactor","remote_ip":"188.XX.XX.XX","time":"2024-04-17T07:03:24Z"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'hans.fischer'","path":"/api/firstfactor","remote_ip":"188.XX.XX.XX","time":"2024-04-17T07:03:24Z"}
{"level":"debug","method":"POST","msg":"Mark Webauthn authentication attempt made by user 'hans.fischer'","path":"/api/secondfactor/webauthn/assertion","remote_ip":"188.XX.XX.XX","time":"2024-04-17T07:03:27Z"}
{"level":"debug","method":"POST","msg":"Successful Webauthn authentication attempt made by user 'hans.fischer'","path":"/api/secondfactor/webauthn/assertion","remote_ip":"188.XX.XX.XX","time":"2024-04-17T07:03:27Z"}
{"level":"debug","msg":"Check authorization of subject username=hans.fischer groups= ip=49.13.144.89 and object https://auth.EXAMPLE.de/api/verify (method ).","time":"2024-04-17T07:03:31Z"}
{"level":"debug","msg":"No matching rule for subject username=hans.fischer groups= ip=49.13.144.89 and url https://auth.EXAMPLE.de/api/verify (method ) applying default policy","time":"2024-04-17T07:03:31Z"}

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

• I agree to follow the Code of Conduct

• This is a bug report and not a support request

• I have read the security policy and this bug report is not a security issue or security related issue

• I have either included the complete configuration file or I am sure it's unrelated to the configuration

• I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

• I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

• I have checked for related proxy or application logs and included them if available

• I have checked for related issues and checked the documentation

[glime-ai[bot]]

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

---

Based on the error message you provided, it seems that Authelia is rejecting the request because the target URL https://authelia.authelia.svc.cluster.local/api/verify is not recognized as being under the protected domain example.de. This is a common issue when internal service URLs do not match the external domain names that Authelia is configured to protect.

To resolve this issue, you have a couple of options:

1. Use External Domain Name: As you discovered, using the external domain name (https://auth.example.de/api/verify) works because it matches the protected domain. However, you mentioned that you do not want the traffic to route over the internet. This approach ensures that the domain name matches but might not meet your network traffic requirements.

2. Modify Authelia's Configuration: You can adjust Authelia's configuration to recognize the internal service URL as a valid target. This involves adding the internal domain (authelia.authelia.svc.cluster.local) to the list of domains that Authelia considers to be protected. You would need to update the domain configuration in Authelia to include this internal domain.

3. Network Configuration: Another approach could be to adjust your network configuration so that requests to https://auth.example.de are internally routed to https://authelia.authelia.svc.cluster.local without leaving your internal network. This might involve internal DNS configurations or specific routing rules that keep the traffic within your internal network.

4. SSL/TLS Configuration: Ensure that SSL/TLS is properly configured for internal communications if not already done. This ensures that even internal communications are secure and might help in resolving some of the issues related to secure URLs.

Given your requirements and setup, modifying Authelia's configuration to recognize the internal service URL or adjusting the network configuration to route internal traffic properly without going over the internet might be the most suitable solutions.

This comment was generated by Glime.

[james-d-elliott]

See the headers required (which must be set from the original request) for this authorization mechanism: https://www.authelia.com/reference/guides/proxy-authorization/#legacy

This will need either a configuration fix or a fix from haproxy-ingress.

[james-d-elliott]

Looks like something they support configuring via the headers option at their end: jcmoraisjr/haproxy-ingress#926

I've also updated the previously posted example to reflect this for the 4.38 forward auth endpoint: #2411 (comment)

[james-d-elliott]

Converting to a discussion, this clearly isn't a bug on our end looking at the headers they set.