Is there a way to force Authelia to ask for 2FA to access the admin login screen, but allow tracking of websites' visits?

[tvmp]

I have Umami running in Docker. The admin page is behind NginX proxy manager so I can access it remotely. At the moment, if someone types umami.domainname.com, they can get to Umami's login page.
I want to force such visits to go through Authelia's 2FA.
When I activate that in Authelia and NginX proxy manager everything works fine and the visitor is forced to go through Authelia's authentication before accessing Umami's log in page. The problem is that once this starts working, visits cannot get tracked.

I've read that I need to add something that mentions the API, but I have no idea how that would work. This is an extract (sample) from the configuration.yml I have:

access_control:
  default_policy: deny
  rules:
    - domain:
      - 'authelia.mydomain.com' #This should be your authentication URL
        policy: bypass
    - domain: 'mydomain.com'
       policy: one_factor
    - domain: 'nextcloud.mydomain.com'
      policy: two_factor
    - domain: 'umami.mydomain.com'
      policy: two_factor
      resources:
        - '^/api/statistics'

But it's not working (meaning visits don't get tracked).

Can someone help me with the last line of the above please? What does it need to say there?

[illispi]

Did you figure this out?

[jicho]

I encountered the same issue and found this discussion.

I think I've managed to solve it in combination with Authelia!
The trick is to allow the resources, as you've started. Here are the docs: https://www.authelia.com/configuration/security/access-control/

This is what I did:

1. I've added activated the Authelia login stuff to NPM (Nginx Proxy Manager)
2. I need to login for everything
3. I've added the API endpoint and the script to the resources
4. Be sure to place everything in the correct order in the Authelia configuration.

My umami script is /data.js and my API endpoint is named /data/autmatic.

The result of playing around it that everything except both resources are not under login.

My access_control config in Authelia looks like this:

  rules:
    ## umami statistics
    ## allow tracker script + feedback api
    - domain: 'stats.example.com'
      policy: 'bypass'
      resources:
      - '^/data/automatic'
      - '^/data.js'

    ## Rules applied to everyone
    - domain: '*.example.com'
      policy: 'bypass'
      networks:
      - internal
     
    - domain: 'hello.example.com'
      policy: 'bypass'

    ## require two factor for everything
    - domain: "*.example.com"
      policy: two_factor

The stuff above is saying that all internal IP's are allowed to access all subdomains. The IP's from outside my network should login when an subdomain is requested (and configured in NPM that they should login)

In my case only hello.example.com, stats.example.com/data.js and stats.example.com/data/automatic are allowed to be accessed by everyone.

Under advanced in NPM I'm using (as in including) the Authelia snippets to force access. I'm doing it like this:

include /snippets/authelia-location.conf;

location / {
    include /snippets/proxy-websocket.conf;
    include /snippets/authelia-authrequest.conf;
    proxy_pass $forward_scheme://$server:$port;
}

The snippets can be found in the Authelia docs.

Hope this helps a little to point you in the right direction.

In my case... thanks for the idea of using Authelia to block access to the umami login page. I did not thought about that route to add security to the login page 😞