From 0d92109b684368a5d1021b041b477c1879cc159a Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sun, 5 Feb 2023 16:45:56 -0600
Subject: [PATCH] Unify auth config approach

---
 .../nginx/authelia-location.conf.sample | 21 ++------
 .../nginx/authelia-server.conf.sample | 52 +++++++++++--------
 root/defaults/nginx/proxy.conf.sample | 1 +
 3 files changed, 34 insertions(+), 40 deletions(-)

diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample
index ddd7e0c..e7e07eb 100644
--- a/root/defaults/nginx/authelia-location.conf.sample
+++ b/root/defaults/nginx/authelia-location.conf.sample
@@ -1,12 +1,11 @@
-## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
+## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
 ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
 auth_request /authelia/api/verify;
-
-## Set the $target_url variable based on the original request.
-set_escape_uri $target_url $scheme://$http_host$request_uri;
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 = @authelia_proxy_signin;
 
 ## Save the upstream authorization response headers from Authelia to variables.
 auth_request_set $authorization $upstream_http_authorization;
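Review bot: `error_page 401 = @authelia_proxy_signin;` makes this location snippet depend on a named location that only exists when the same server block also includes the reworked authelia-server.conf; if that include is missing, nginx does not reject the configuration at test time and, as far as I recall, fails the request at runtime instead of redirecting to the portal. The header comments above only mention the container name and the `path:` setting, so I would add a line such as `# Requires authelia-server.conf to be included in the same server block (it defines @authelia_proxy_signin)`. The new comment also misspells "subreqest"; worth fixing while the line is being touched.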
@@ -31,17 +30,3 @@ proxy_set_header Remote-Email $email;
 ## Include the Set-Cookie header if present.
 auth_request_set $set_cookie $upstream_http_set_cookie;
 add_header Set-Cookie $set_cookie;
-
-## Set $authelia_backend to route requests to the current domain by default
-set $authelia_backend $http_host;
-## In order for Webauthn to work with multiple domains Authelia must operate on a separate subdomain
-## To use Authelia on a separate subdomain:
-## * comment the $authelia_backend line above
-## * rename /config/nginx/site-conf/authelia.conf.sample to /config/nginx/site-conf/authelia.conf
-## * make sure that your dns has a cname set for authelia
-## * uncomment the $authelia_backend line below and change example.com to your domain
-## * restart the swag container
-#set $authelia_backend authelia.example.com;
-
-## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
-error_page 401 =302 https://$authelia_backend/authelia/?rd=$target_url;
diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample
index 2cb68e1..b744419 100644
--- a/root/defaults/nginx/authelia-server.conf.sample
+++ b/root/defaults/nginx/authelia-server.conf.sample
@@ -1,8 +1,8 @@
-## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
+## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
 
-## Virtual endpoints created by nginx to forward auth requests.
+# location for authelia subfolder requests
 location ^~ /authelia {
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
@@ -10,39 +10,47 @@ location ^~ /authelia {
     proxy_pass http://$upstream_authelia:9091;
 }
 
+# location for authelia auth requests
 location = /authelia/api/verify {
-    ## Essential Proxy Configuration
     internal;
+    include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_authelia authelia;
-    proxy_pass http://$upstream_authelia:9091;
+    proxy_pass http://$upstream_authelia:9091/authelia/api/verify;
 
     ## Headers
-    ## The headers starting with X-* are required.
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Original-Method $request_method;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-    proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
-    proxy_set_header Connection "";
 
     ## Basic Proxy Configuration
     proxy_pass_request_body off;
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
-    proxy_redirect http:// $scheme://;
-    proxy_http_version 1.1;
-    proxy_cache_bypass $cookie_session;
-    proxy_no_cache $cookie_session;
-    proxy_buffers 4 32k;
     client_body_buffer_size 128k;
 
     ## Advanced Proxy Configuration
     send_timeout 5m;
-    proxy_read_timeout 240;
-    proxy_send_timeout 240;
-    proxy_connect_timeout 240;
+}
+
+# Virtual location for authelia 401 redirects
+location @authelia_proxy_signin {
+    internal;
+
+    ## Set the $target_url variable based on the original request.
+    set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Include the Set-Cookie header if present.
+    auth_request_set $set_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $set_cookie;
+
+    ## Set $authelia_backend to route requests to the current domain by default
+    set $authelia_backend $http_host;
+    ## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain
+    ## To use authelia on a separate subdomain:
+    ## * comment the $authelia_backend line above
+    ## * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
+    ## * make sure that your dns has a cname set for authelia
+    ## * uncomment the $authelia_backend line below and change example.com to your domain
+    ## * restart the swag container
+    #set $authelia_backend authelia.example.com;
+
+    return 302 https://$authelia_backend/authelia/?rd=$target_url;
 }
diff --git a/root/defaults/nginx/proxy.conf.sample b/root/defaults/nginx/proxy.conf.sample
index c5a7210..8d6d6e5 100644
--- a/root/defaults/nginx/proxy.conf.sample
+++ b/root/defaults/nginx/proxy.conf.sample
@@ -31,5 +31,6 @@ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
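Review bot: The `/authelia/api/verify` location drops its explicit `proxy_set_header X-Forwarded-For $remote_addr;` in favour of `include /config/nginx/proxy.conf;`, but the part of proxy.conf visible in this patch (lines 31-36) does not set that header, so what Authelia now receives as the client address depends on lines I cannot see. Authelia uses the forwarded address for its logging and regulation, so if proxy.conf builds it from `$proxy_add_x_forwarded_for` the value is partly client-supplied; as far as I know a second `proxy_set_header` for the same name in one location does not override the first, so the pinning to `$remote_addr` has to be confirmed in proxy.conf itself rather than re-added after the include. The `internal;` inside `location @authelia_proxy_signin` is redundant, since a named location is never reachable by an external request, and either deserves a short comment saying it is belt-and-braces or could go. The hunk starts inside `location ^~ /authelia {`, whose opening lies outside it.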
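Review bot: `proxy_set_header X-Original-Method $request_method;` lands in the shared proxy.conf, so every location that includes that file now sends the header to its backend, not only the Authelia verify endpoint that needs it; a comment naming the consumer would stop the next maintainer from pruning it, e.g. `# Required by the Authelia /api/verify subrequest (see authelia-server.conf)`. The verify location previously also sent `X-Forwarded-Method $request_method`, which this hunk does not add and lines 31-36 do not show elsewhere; if the Authelia version in use reads that header for its per-method access-control rules rather than X-Original-Method, those rules would stop matching, so worth confirming before release.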