How to restrict Authentik admin access from internal networks only #
I’ve recently set up an Authentik instance in my homelab for SSO authentication. I really like it, and I’ve set it up for authentication with several services that I’m self-hosting, including some that are internet-facing. That required exposing Authentik too, as I need to be able to reach it from outside my network when authenticating to these services.
Exposing to the Internet a core service like an identity provider is not a light-hearted job and even if Authentik is suggesting some ways to harden a deployment, I wanted to make sure that admin access is strictly restricted to internal networks only.
Expose Authentik #
You may argue that the best way to access such a sensitive service like one that provides authentication and authorization would be by using a VPN tunnel, so that you don’t have to expose it to the outside world at all. However, VPN adds a layer of complexity, and when hosting services used also by non tech-savy relatives, limiting the degree of difficulty in accessing those surely helps to prevent sunday morning phone calls.
In exposing internal services to the Internet I’m currently using NGINX as a reverse proxy. That is the case as well for exposing my Authentik instance.
Using a reverse proxy I’m also able to manage the SSL context, and therefore certificates, in a single place: this makes possible enabling (and forcing) HTTPS encryption without having to configure public, trusted, SSL certificates on every service.
Restrict admin interface #
As a first layer of security, a simple yet effective action could be restricting access to the Authentik admin interface from internal network only.
Doing such a think is extremely easy using NGINX: in the server block I’ve defined a separate location for the /if/admin/ path, allowing connections from the local network CIDR and denying the rests.
location /if/admin/ {
...
allow 192.168.0.0/24;
deny all;
...
}
That two simple instructions will prevent access to any sub-path of /if/admin/ coming from IP addresses outside 192.168.0.0/24 subnet.
Limit admin access #
The above method could be further extended to additional paths, however that is just preventing access to the WEB admin interface, while leaving admin API still open.
Another approach that would further strengthen the security posture could be preventing the admin user(s) from logging in from external networks.
Prevent admin login from outside local networks #
In order to deny login to admin user(s) from external networks we must:
- Create a policy to deny the login:
- On Authentik admin interface go to
Customization -> Policies - Click on
Create - Select
Expression Policy - Under
Policy-specific settingspaste the following content in theExpressionbox:
user = context['pending_user'] groups = [group.name for group in user.ak_groups.all()] admin_group = "authentik Admins" if admin_group in groups and not ak_client_ip.is_private: return False return True - On Authentik admin interface go to
- Assign the policy to the authentication flow’s login stage:
- Go to
Flows and Stages -> Flows - Click on the authentication flow you’re using (i.e.
default-authentication-flow) - Go to
Stage Bindings - Expand the
User Login Stage - Click on
Bind existing Policy / Group / User - Select
Policyand choose the one created before - Ensure the failure result is set as
Don't pass - Click on
Create
- Go to
End #
Now, if you’ve managed to not lock you out of your own Authentik instance, admin interface and admin login should be allowed from internal network only.
Would that suffice for feeling safe? Not at all. But it should at least be a valid starting point!