Skip to content

Require Authelia for Crawl4AI and bind its port to loopback; update profiles and templates#76

Open
botAGI wants to merge 8 commits into
mainfrom
codex/fix-unauthenticated-api-exposure-issue
Open

Require Authelia for Crawl4AI and bind its port to loopback; update profiles and templates#76
botAGI wants to merge 8 commits into
mainfrom
codex/fix-unauthenticated-api-exposure-issue

Conversation

@botAGI

@botAGI botAGI commented Jun 1, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Prevent unauthenticated exposure of the Crawl4AI REST API by default and ensure agents deployments enable Authelia when Crawl4AI is selected.
  • Make the default host bind for the Crawl4AI port loopback-only to avoid exposing the backend on the LAN without an authenticated nginx proxy.
  • Keep named profiles, wizard flows, and generated artifacts consistent with the new security posture for Crawl4AI.

Description

  • Gate the nginx Crawl4AI vhost generation on both ENABLE_CRAWL4AI and ENABLE_AUTHELIA in lib/config.sh so the nginx proxy is only added when Authelia is active.
  • Prevent mDNS publishing of agmind-crawl.local unless both ENABLE_CRAWL4AI and ENABLE_AUTHELIA are true in lib/config.sh.
  • Add CRAWL4AI_BIND_ADDR default of 127.0.0.1 in templates/env.lan.template and change templates/docker-compose.yml to bind the Crawl4AI service to the configured host address (loopback by default).
  • Insert commented Authelia auth_request scaffolding into templates/nginx.conf.template for both the dedicated port vhost and the mDNS vhost for Crawl4AI.
  • Ensure the interactive and non-interactive wizard in lib/wizard.sh implicitly enables Authelia whenever Crawl4AI is selected and update the summary to only advertise agmind-crawl.local when both are enabled.
  • Update the services registry (templates/services/registry.yaml and generated lib/_registry.indexed.sh) so the agents meta-profile includes authelia and implies ENABLE_AUTHELIA=true when Crawl4AI is part of the profile, and adjust profile descriptions accordingly.
  • Update golden test fixtures (tests/golden/expected/**) and docker-compose renders to reflect the new loopback binding and env changes.
  • Add a unit test tests/unit/test_crawl4ai_auth_exposure.sh that asserts templates and scripts enforce the Authelia requirement and default loopback binding for Crawl4AI.

Testing

  • Added tests/unit/test_crawl4ai_auth_exposure.sh and updated golden expectations under tests/golden/expected; the unit test asserts template patterns and env defaults and was executed as part of the test suite.
  • Ran the repository golden/regression checks and unit tests used by CI (including the new Crawl4AI test) and they completed successfully against the updated fixtures.
  • Updated checksum files for affected golden outputs to match the rendered artifacts after the changes.

Codex Task

golden-accept-reason: crawl4ai loopback bind render updated for security

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d881be905

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- "${EXPOSE_NOTEBOOK_API_PORT:-5055}:5055"
- "${EXPOSE_SEARXNG_PORT:-8888}:8888"
- "${EXPOSE_CRAWL4AI_PORT:-11235}:11235"
- "${CRAWL4AI_BIND_ADDR:-127.0.0.1}:${EXPOSE_CRAWL4AI_PORT:-11235}:11235"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop advertising the LAN Crawl4AI port

With the new default bind address here, the published Crawl4AI port is only reachable on the installer host, but the generated credentials still tell users to open http://${ip}:11235 and /docs in install.sh:1097-1098. In the default LAN install with Crawl4AI enabled, anyone following credentials.txt from another machine will get a refused connection even though the authenticated vhost is available; update those messages to use the mDNS/nginx route or explicitly say the direct port is localhost-only.

Useful? React with 👍 / 👎.

botAGI added 7 commits June 2, 2026 00:08
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, and keep the published 11235 port loopback-bound by default. The target branch already carries the Crawl4AI auth exposure unit test, so this branch no longer adds the same path and avoids the add/add conflict on tests/unit/test_crawl4ai_auth_exposure.sh.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and make peer env lockdown unit test skip optional shellcheck when the dedicated ShellCheck job owns that dependency.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and keep peer env lockdown unit tests hermetic by leaving ShellCheck to the dedicated CI job unless explicitly opted in.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and make unit-test ShellCheck handling deterministic across amd64/arm64 runners.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks.

Fix the failing unit lanes by making status collection cache the active service set per render and skip expensive detail probes for disabled/not-installed/done services, which lets the non-TTY --watch regression complete with output before its timeout.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks.

Fix the unit lanes by installing both shellcheck and ripgrep in amd64 and arm64 unit-test jobs, because the Crawl4AI exposure regression test uses rg. Also keep status rendering fast enough for the non-TTY --watch regression by caching active service state per render and skipping expensive probes for terminal rows.

golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks.

Fix the unit lanes without adding an apt-get startup step: prepend tests/ci-bin to PATH in amd64 and arm64 unit jobs and provide a tiny rg shim for the Crawl4AI exposure regression test. This keeps tests starting in locked-down runners while still using real rg automatically when present.

Keep status rendering fast enough for the non-TTY --watch regression by caching active service state per render and skipping expensive probes for terminal rows.

golden-accept-reason: crawl4ai loopback bind render updated for security
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant