Unify auth config approach

This commit is contained in:
Eric Nemchik 2023-02-05 16:45:56 -06:00
parent db4e661126
commit 0d92109b68
3 changed files with 34 additions and 40 deletions

View File

@ -1,12 +1,11 @@
## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample ## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
# Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Make sure that the authelia configuration.yml has 'path: "authelia"' defined # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia/api/verify; auth_request /authelia/api/verify;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
## Set the $target_url variable based on the original request. error_page 401 = @authelia_proxy_signin;
set_escape_uri $target_url $scheme://$http_host$request_uri;
## Save the upstream authorization response headers from Authelia to variables. ## Save the upstream authorization response headers from Authelia to variables.
auth_request_set $authorization $upstream_http_authorization; auth_request_set $authorization $upstream_http_authorization;
@ -31,17 +30,3 @@ proxy_set_header Remote-Email $email;
## Include the Set-Cookie header if present. ## Include the Set-Cookie header if present.
auth_request_set $set_cookie $upstream_http_set_cookie; auth_request_set $set_cookie $upstream_http_set_cookie;
add_header Set-Cookie $set_cookie; add_header Set-Cookie $set_cookie;
## Set $authelia_backend to route requests to the current domain by default
set $authelia_backend $http_host;
## In order for Webauthn to work with multiple domains Authelia must operate on a separate subdomain
## To use Authelia on a separate subdomain:
## * comment the $authelia_backend line above
## * rename /config/nginx/site-conf/authelia.conf.sample to /config/nginx/site-conf/authelia.conf
## * make sure that your dns has a cname set for authelia
## * uncomment the $authelia_backend line below and change example.com to your domain
## * restart the swag container
#set $authelia_backend authelia.example.com;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://$authelia_backend/authelia/?rd=$target_url;

View File

@ -1,8 +1,8 @@
## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample ## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
# Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Make sure that the authelia configuration.yml has 'path: "authelia"' defined # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
## Virtual endpoints created by nginx to forward auth requests. # location for authelia subfolder requests
location ^~ /authelia { location ^~ /authelia {
include /config/nginx/proxy.conf; include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;
@ -10,39 +10,47 @@ location ^~ /authelia {
proxy_pass http://$upstream_authelia:9091; proxy_pass http://$upstream_authelia:9091;
} }
# location for authelia auth requests
location = /authelia/api/verify { location = /authelia/api/verify {
## Essential Proxy Configuration
internal; internal;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;
set $upstream_authelia authelia; set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091; proxy_pass http://$upstream_authelia:9091/authelia/api/verify;
## Headers ## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration ## Basic Proxy Configuration
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k; client_body_buffer_size 128k;
## Advanced Proxy Configuration ## Advanced Proxy Configuration
send_timeout 5m; send_timeout 5m;
proxy_read_timeout 240; }
proxy_send_timeout 240;
proxy_connect_timeout 240; # Virtual location for authelia 401 redirects
location @authelia_proxy_signin {
internal;
## Set the $target_url variable based on the original request.
set_escape_uri $target_url $scheme://$http_host$request_uri;
## Include the Set-Cookie header if present.
auth_request_set $set_cookie $upstream_http_set_cookie;
add_header Set-Cookie $set_cookie;
## Set $authelia_backend to route requests to the current domain by default
set $authelia_backend $http_host;
## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain
## To use authelia on a separate subdomain:
## * comment the $authelia_backend line above
## * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
## * make sure that your dns has a cname set for authelia
## * uncomment the $authelia_backend line below and change example.com to your domain
## * restart the swag container
#set $authelia_backend authelia.example.com;
return 302 https://$authelia_backend/authelia/?rd=$target_url;
} }

View File

@ -31,5 +31,6 @@ proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;