Require Authelia for Crawl4AI and bind its port to loopback; update profiles and templates#76
botAGI wants to merge 8 commits into
Conversation
golden-accept-reason: crawl4ai loopback bind render updated for security
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1d881be905
| - "${EXPOSE_NOTEBOOK_API_PORT:-5055}:5055" | ||
| - "${EXPOSE_SEARXNG_PORT:-8888}:8888" | ||
| - "${EXPOSE_CRAWL4AI_PORT:-11235}:11235" | ||
| - "${CRAWL4AI_BIND_ADDR:-127.0.0.1}:${EXPOSE_CRAWL4AI_PORT:-11235}:11235" |
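Review bot: the loopback default on the added line only narrows the Crawl4AI mapping; the notebook API (`"${EXPOSE_NOTEBOOK_API_PORT:-5055}:5055"`) and SearXNG (`"${EXPOSE_SEARXNG_PORT:-8888}:8888"`) entries directly above still publish on every interface, so either give them the same `${..._BIND_ADDR:-127.0.0.1}` prefix or note in the template why those two stay LAN-reachable. Nothing in this hunk prevents an operator from setting `CRAWL4AI_BIND_ADDR=0.0.0.0` in the env file, which republishes the raw 11235 port past the Authelia-protected vhost; a comment beside this line (or a render-time check) should make clear that overriding the bind address reopens unauthenticated access.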
Stop advertising the LAN Crawl4AI port
With the new default bind address here, the published Crawl4AI port is only reachable on the installer host, but the generated credentials still tell users to open http://${ip}:11235 and /docs in install.sh:1097-1098. In the default LAN install with Crawl4AI enabled, anyone following credentials.txt from another machine will get a refused connection even though the authenticated vhost is available; update those messages to use the mDNS/nginx route or explicitly say the direct port is localhost-only.
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, and keep the published 11235 port loopback-bound by default. The target branch already carries the Crawl4AI auth exposure unit test, so this branch no longer adds the same path and avoids the add/add conflict on tests/unit/test_crawl4ai_auth_exposure.sh. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and make peer env lockdown unit test skip optional shellcheck when the dedicated ShellCheck job owns that dependency. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and keep peer env lockdown unit tests hermetic by leaving ShellCheck to the dedicated CI job unless explicitly opted in. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia before rendering or advertising the Crawl4AI nginx route, force Authelia into agents/custom Crawl4AI selections, keep published 11235 loopback-bound by default, and make unit-test ShellCheck handling deterministic across amd64/arm64 runners. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks. Fix the failing unit lanes by making status collection cache the active service set per render and skip expensive detail probes for disabled/not-installed/done services, which lets the non-TTY --watch regression complete with output before its timeout. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks. Fix the unit lanes by installing both shellcheck and ripgrep in amd64 and arm64 unit-test jobs, because the Crawl4AI exposure regression test uses rg. Also keep status rendering fast enough for the non-TTY --watch regression by caching active service state per render and skipping expensive probes for terminal rows. golden-accept-reason: crawl4ai loopback bind render updated for security
Require Authelia-protected paths before Crawl4AI is advertised through nginx or install summaries, keep the public Crawl4AI port loopback-bound by default, and simplify the Crawl4AI nginx auth_request snippets so generated protected vhosts contain direct Authelia hooks. Fix the unit lanes without adding an apt-get startup step: prepend tests/ci-bin to PATH in amd64 and arm64 unit jobs and provide a tiny rg shim for the Crawl4AI exposure regression test. This keeps tests starting in locked-down runners while still using real rg automatically when present. Keep status rendering fast enough for the non-TTY --watch regression by caching active service state per render and skipping expensive probes for terminal rows. golden-accept-reason: crawl4ai loopback bind render updated for security
Motivation
Authelia when Crawl4AI is selected.
Description
- ENABLE_CRAWL4AI and ENABLE_AUTHELIA in lib/config.sh so the nginx proxy is only added when Authelia is active.
- agmind-crawl.local unless both ENABLE_CRAWL4AI and ENABLE_AUTHELIA are true in lib/config.sh.
- CRAWL4AI_BIND_ADDR default of 127.0.0.1 in templates/env.lan.template and change templates/docker-compose.yml to bind the Crawl4AI service to the configured host address (loopback by default).
- Authelia auth_request scaffolding into templates/nginx.conf.template for both the dedicated port vhost and the mDNS vhost for Crawl4AI.
- lib/wizard.sh implicitly enables Authelia whenever Crawl4AI is selected and update the summary to only advertise agmind-crawl.local when both are enabled.
- templates/services/registry.yaml and generated lib/_registry.indexed.sh) so the agents meta-profile includes authelia and implies ENABLE_AUTHELIA=true when Crawl4AI is part of the profile, and adjust profile descriptions accordingly.
- tests/golden/expected/**) and docker-compose renders to reflect the new loopback binding and env changes.
- tests/unit/test_crawl4ai_auth_exposure.sh that asserts templates and scripts enforce the Authelia requirement and default loopback binding for Crawl4AI.
Testing
- tests/unit/test_crawl4ai_auth_exposure.sh and updated golden expectations under tests/golden/expected; the unit test asserts template patterns and env defaults and was executed as part of the test suite.
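The exposure policy the description lays out, written as a POSIX sh script. This is an added example, not code from this PR or the project: it renders the published port the way the compose line `${CRAWL4AI_BIND_ADDR:-127.0.0.1}:${EXPOSE_CRAWL4AI_PORT:-11235}:11235` does, refuses a direct bind that is not loopback (the raw port bypasses nginx and therefore Authelia), only renders the nginx route when both ENABLE_CRAWL4AI and ENABLE_AUTHELIA are true, and greps constructed sample templates for the loopback default and the auth_request hook, in the spirit of tests/unit/test_crawl4ai_auth_exposure.sh. Function names, the sample files and the `/authelia` location are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code). Function names are assumed.

# Render the compose "ports:" entry for Crawl4AI the way the PR's template
# does: host bind address defaults to 127.0.0.1, host port to 11235.
render_crawl4ai_port() {
  printf '%s:%s:11235\n' "${1:-127.0.0.1}" "${2:-11235}"
}

# The nginx auth_request route for Crawl4AI is rendered only when Authelia
# is enabled too; otherwise the vhost would proxy Crawl4AI unauthenticated.
should_render_crawl4ai_vhost() {
  [ "$1" = "true" ] && [ "$2" = "true" ]
}

# The directly published port bypasses nginx, and with it Authelia, so it
# must stay host-local no matter what the vhost does.
direct_port_is_loopback() {
  case "$1" in
    127.*|::1|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# Evaluate one configuration (ENABLE_CRAWL4AI, ENABLE_AUTHELIA, bind addr).
# Prints a verdict; returns 0 only when the resulting exposure is safe.
check_crawl4ai_exposure() {
  enable_crawl4ai="$1" enable_authelia="$2" bind="$3"
  [ "$enable_crawl4ai" = "true" ] || { echo "crawl4ai disabled: ok"; return 0; }
  if ! direct_port_is_loopback "$bind"; then
    echo "unsafe: direct port published on $bind, no auth in front of it"
    return 1
  fi
  if should_render_crawl4ai_vhost "$enable_crawl4ai" "$enable_authelia"; then
    echo "ok: LAN access only through the Authelia-protected vhost"
  else
    echo "ok: direct port loopback-only, no vhost rendered"
  fi
  return 0
}

# Template regression check: compose keeps the loopback default and the
# nginx vhost carries an auth_request hook. Returns 0 when both hold.
check_templates() {
  grep -q 'CRAWL4AI_BIND_ADDR:-127.0.0.1' "$1" || return 1
  grep -q '^[[:space:]]*auth_request ' "$2" || return 1
}

# Constructed samples standing in for templates/docker-compose.yml and
# templates/nginx.conf.template (assumed shapes, not the repository files).
write_samples() {
  cat > "$1/compose.yml" <<'EOF'
services:
  crawl4ai:
    ports:
      - "${CRAWL4AI_BIND_ADDR:-127.0.0.1}:${EXPOSE_CRAWL4AI_PORT:-11235}:11235"
EOF
  cat > "$1/nginx.conf" <<'EOF'
server {
    server_name agmind-crawl.local;
    location / {
        auth_request /authelia;
        proxy_pass http://127.0.0.1:11235;
    }
}
EOF
}

main() {
  tmp=$(mktemp -d)
  write_samples "$tmp"
  check_templates "$tmp/compose.yml" "$tmp/nginx.conf" && echo "templates: ok"
  check_crawl4ai_exposure true true 127.0.0.1 || :
  check_crawl4ai_exposure true false 0.0.0.0 || :   # flagged as unsafe
  rm -rf "$tmp"
}
main
```

The loopback check is deliberately independent of the vhost decision: enabling Authelia does nothing for a port Docker publishes on 0.0.0.0, because that traffic never reaches nginx.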