From 5e47b024966192bc840b5e4a8a6b54e12082a676 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Wed, 1 Feb 2023 11:50:56 -0600 Subject: [PATCH 01/24] Update Authelia configs and include site-confs sample for Authelia --- README.md | 1 + readme-vars.yml | 1 + .../nginx/authelia-location.conf.sample | 26 ++++++++++++-- .../nginx/authelia-server.conf.sample | 36 +++++++++---------- .../nginx/site-confs/authelia.conf.sample | 32 +++++++++++++++++ .../s6-overlay/s6-rc.d/init-nginx-config/run | 3 ++ 6 files changed, 77 insertions(+), 22 deletions(-) create mode 100644 root/defaults/nginx/site-confs/authelia.conf.sample diff --git a/README.md b/README.md index 1c74f79..9b615eb 100755 --- a/README.md +++ b/README.md @@ -335,6 +335,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **01.02.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf and authelia-server.conf - Update Authelia configs and include site-confs sample for Authelia. * **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x. * **20.01.23:** - Rebase to alpine 3.17 with php8.1. * **16.01.23:** - Remove nchan module because it keeps causing crashes. diff --git a/readme-vars.yml b/readme-vars.yml index 040a324..9fad95c 100755 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -154,6 +154,7 @@ app_setup_block: | # changelog changelogs: + - { date: "01.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf and authelia-server.conf - Update Authelia configs and include site-confs sample for Authelia." } - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." } - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." } - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." } diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index b7e37ae..5331a9c 100644 --- a/root/defaults/nginx/authelia-location.conf.sample +++ b/root/defaults/nginx/authelia-location.conf.sample 
@@ -1,15 +1,35 @@ -## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample +## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that the authelia configuration.yml has 'path: "authelia"' defined +## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /authelia/api/verify; -auth_request_set $target_url $scheme://$http_host$request_uri; + +## Set the $target_url variable based on the original request. +set_escape_uri $target_url $scheme://$http_host$request_uri; + +## Save the upstream response headers from Authelia to variables. auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $email $upstream_http_remote_email; + +## Inject the response headers from the variables into the request made to the backend. 
proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; -error_page 401 =302 https://$http_host/authelia/?rd=$target_url; + +## Set $authelia_backend to route requests to the current domain by default +set $authelia_backend $http_host; +## In order for Webauthn to work with multiple subdomains Authelia must operate on a separate subdomain +## To use Authelia on a separate subdomain: +## * comment the $authelia_backend line above +## * rename /config/nginx/site-conf/authelia.conf.sample to /config/nginx/site-conf/authelia.conf +## * make sure that your dns has a cname set for authelia +## * uncomment the $authelia_backend line below and change example.com to your domain +## * restart the swag container +#set $authelia_backend authelia.example.com; + +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +error_page 401 =302 https://$authelia_backend/authelia/?rd=$target_url; diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample index dfb34f3..2cb68e1 100644 --- a/root/defaults/nginx/authelia-server.conf.sample +++ b/root/defaults/nginx/authelia-server.conf.sample @@ -1,6 +1,8 @@ -## Version 2022/09/22 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample +## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia +# Make sure that the authelia configuration.yml has 'path: "authelia"' defined +## Virtual endpoints created by nginx to forward auth requests. location ^~ /authelia { include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; 
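Review bot: The instructions in the new `$authelia_backend` comment block point at `/config/nginx/site-conf/authelia.conf.sample`, but the file this commit adds and the init script copies live under `site-confs/` (see the diffstat and the init-nginx-config hunk), so a user following the comment literally looks in a directory that does not exist; the line should read `## * rename /config/nginx/site-confs/authelia.conf.sample to /config/nginx/site-confs/authelia.conf`. The same block is carried over unchanged in PATCH 10, and the new error_page comment spells it `subreqest` (the authentik-location copy in PATCH 11 repeats that). `set_escape_uri` replaces the plain `auth_request_set` for `$target_url`; it comes from ngx_http_set_misc_module rather than core nginx, and nothing in this diff shows that module being loaded, so a comment on that line naming the module would save a config-test failure for anyone reusing the sample elsewhere. Defaulting `$authelia_backend` to `$http_host` means the 401 redirect host is taken from the client's Host header; that is unchanged from the old `error_page` line, but the new comment is the natural place to state that the value is client-supplied.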
@@ -9,40 +11,36 @@ location ^~ /authelia { } location = /authelia/api/verify { + ## Essential Proxy Configuration internal; include /config/nginx/resolver.conf; set $upstream_authelia authelia; - proxy_pass_request_body off; proxy_pass http://$upstream_authelia:9091; - proxy_set_header Content-Length ""; - # Timeout if the real server is dead - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - # [REQUIRED] Needed by Authelia to check authorizations of the resource. - # Provide either X-Original-URL and X-Forwarded-Proto or - # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. - # Those headers will be used by Authelia to deduce the target url of the user. - # Basic Proxy Config - client_body_buffer_size 128k; - proxy_set_header Host $host; + ## Headers + ## The headers starting with X-* are required. proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Original-Method $request_method; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Content-Length ""; proxy_set_header Connection ""; + + ## Basic Proxy Configuration + proxy_pass_request_body off; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 4 32k; + client_body_buffer_size 128k; - # Advanced Proxy Config + ## Advanced Proxy Configuration send_timeout 5m; proxy_read_timeout 240; proxy_send_timeout 240; 
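Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` in the verify location deliberately discards any client-supplied X-Forwarded-For chain and reports only the direct peer, while the `location ^~ /authelia` block above includes proxy.conf instead; since the hunk carries no comment explaining that, a line such as `## $remote_addr on purpose: only the address nginx itself saw is reported to Authelia, never a client-supplied chain` would stop someone "fixing" it to `$proxy_add_x_forwarded_for`. For deployments with another proxy in front of SWAG this makes Authelia see that proxy's address, which is a known trade-off rather than a defect, but worth stating. The hunk also drops `proxy_set_header Host $host;` without including proxy.conf, so the subrequest falls back to nginx's default Host of `$proxy_host`; I see nothing here that depends on Host, but if Authelia's logging or trusted-proxy handling does, that is worth confirming. Minor style: `proxy_next_upstream ... # Timeout if the real server is dead` is the only trailing comment in a file that otherwise puts `##` comments on their own line above the directive.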
diff --git a/root/defaults/nginx/site-confs/authelia.conf.sample b/root/defaults/nginx/site-confs/authelia.conf.sample new file mode 100644 index 0000000..6300b1c --- /dev/null +++ b/root/defaults/nginx/site-confs/authelia.conf.sample @@ -0,0 +1,32 @@ +## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/authelia.conf.sample +# make sure that your dns has a cname set for authelia + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name authelia.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app authelia; + set $upstream_port 9091; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } + + location ~ (/authelia)?/api/verify { + include /config/nginx/resolver.conf; + set $upstream_app authelia; + set $upstream_port 9091; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } +} diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run index e94c92a..c265930 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run @@ -13,6 +13,9 @@ fi if [[ ! -f /config/nginx/authelia-server.conf ]]; then cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf fi +if [[ ! -f /config/nginx/site-confs/authelia.conf ]]; then + cp /defaults/nginx/site-confs/authelia.conf.sample /config/nginx/site-confs/authelia.conf +fi # copy old ldap config file to new location if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then From 38e1845e73e60f17ed2d101fd43e60b2011a3ccc Mon Sep 17 00:00:00 2001 
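Review bot: `location ~ (/authelia)?/api/verify` is an unanchored regex, so it matches any URI that contains `/api/verify` anywhere (for example `/foo/api/verify/bar`) and takes precedence over the prefix `location /` above it for those URIs; if a separate location is wanted it should at least be `location ~ ^(/authelia)?/api/verify$ {`. The block is otherwise a copy of `location /` minus `include /config/nginx/proxy.conf;`, which means client-supplied `X-Original-URL`/`X-Forwarded-*` headers reach Authelia's verify endpoint unmodified on this vhost, whereas the equivalent location in authelia-server.conf.sample is marked `internal;` and sets those headers itself. If exposing `/api/verify` publicly without the proxy.conf headers is intentional (for forward-auth callers outside this container), a comment saying so would help; otherwise the second location can simply be dropped. `client_max_body_size 0;` removes the request-body limit for the whole portal vhost, which a login portal does not appear to need.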
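Review bot: The new block copies the sample straight to `/config/nginx/site-confs/authelia.conf` (no `.sample` suffix) whenever that file is absent, so — assuming nginx loads `site-confs/*.conf`, which the "rename .sample to .conf" instruction in authelia-location.conf.sample implies — every installation gets the `server_name authelia.*;` vhost enabled on first start, contradicting the opt-in step that same commit documents. The other samples this script copies are include files that do nothing until a site config references them, so this one behaves differently from its neighbours. If opt-in is the intent, copy it as a sample: `if [[ ! -f /config/nginx/site-confs/authelia.conf.sample ]]; then`, `cp /defaults/nginx/site-confs/authelia.conf.sample /config/nginx/site-confs/authelia.conf.sample`, `fi`. The enclosing script continues outside the hunk.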
From: driz <40674481+drizuid@users.noreply.github.com> Date: Wed, 1 Feb 2023 17:09:59 -0500 Subject: [PATCH 02/24] Add files via upload --- root/defaults/nginx/authentik-location.conf | 23 +++++++++++++++++++ root/defaults/nginx/authentik-server.conf | 25 +++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 root/defaults/nginx/authentik-location.conf create mode 100644 root/defaults/nginx/authentik-server.conf
diff --git a/root/defaults/nginx/authentik-location.conf b/root/defaults/nginx/authentik-location.conf
new file mode 100644
index 0000000..a2c32f3
--- /dev/null
+++ b/root/defaults/nginx/authentik-location.conf
@@ -0,0 +1,23 @@
+## Version 2022/08/20
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik
+
+ ##############################
+ # authentik-specific config
+ ##############################
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
\ No newline at end of file
diff --git a/root/defaults/nginx/authentik-server.conf b/root/defaults/nginx/authentik-server.conf
new file mode 100644
index 0000000..b3fb941
--- /dev/null
+++ b/root/defaults/nginx/authentik-server.conf
@@ -0,0 +1,25 @@
+## Version 2022/09/22
+# Make sure that your authentik container is in the same user defined bridge network and is named authentik
+
+ # all requests to /outpost.goauthentik.io must be accessible without authentication
+ location /outpost.goauthentik.io {
+ proxy_pass http://authentik-server:9000/outpost.goauthentik.io;
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ }
+
+ # Special location for when the /auth endpoint returns a 401,
+ # redirect to the /start URL which initiates SSO
+ location @goauthentik_proxy_signin {
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+ # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+ }
\ No newline at end of file
From a184bb33ca92c030f01571550d5455f763fd0690 Mon Sep 17 00:00:00 2001
From: driz <40674481+drizuid@users.noreply.github.com> Date: Wed, 1 Feb 2023 17:12:36 -0500 Subject: [PATCH 03/24] Update readme-vars.yml --- readme-vars.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/readme-vars.yml b/readme-vars.yml
index 040a324..bcc2f5d 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -154,6 +154,7 @@ app_setup_block: | # changelog changelogs: + - { date: "01.02.23:", desc: "Add includable confs for authentik" } - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." } - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." } - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." } From a91fe2b2690b1a041a5646898fb06be39ca6b4db Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Wed, 1 Feb 2023 17:13:20 -0500 Subject: [PATCH 04/24] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1c74f79..e296739 100755 --- a/README.md +++ b/README.md @@ -335,6 +335,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **01.02.23:** - Add includable confs for authentik. * **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x. * **20.01.23:** - Rebase to alpine 3.17 with php8.1. * **16.01.23:** - Remove nchan module because it keeps causing crashes. From c686dfee478e61109e893b7e2562f26f5c76ed7a Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Wed, 1 Feb 2023 17:17:42 -0500 Subject: [PATCH 05/24] Update authentik-server.conf --- root/defaults/nginx/authentik-server.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/root/defaults/nginx/authentik-server.conf b/root/defaults/nginx/authentik-server.conf index b3fb941..8a57af8 100644 --- a/root/defaults/nginx/authentik-server.conf +++ b/root/defaults/nginx/authentik-server.conf 
@@ -1,5 +1,5 @@ ## Version 2022/09/22 -# Make sure that your authentik container is in the same user defined bridge network and is named authentik +# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { @@ -22,4 +22,4 @@ return 302 /outpost.goauthentik.io/start?rd=$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; - } \ No newline at end of file + } From a95a0f639a4d9703803f604c9c83c6ebfd61312e Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Wed, 1 Feb 2023 17:17:59 -0500 Subject: [PATCH 06/24] Update authentik-location.conf --- root/defaults/nginx/authentik-location.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/root/defaults/nginx/authentik-location.conf b/root/defaults/nginx/authentik-location.conf index a2c32f3..f36487d 100644 --- a/root/defaults/nginx/authentik-location.conf +++ b/root/defaults/nginx/authentik-location.conf @@ -1,5 +1,5 @@ ## Version 2022/08/20 -# Make sure that your authentik container is in the same user defined bridge network and is named authentik +# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server ############################## # authentik-specific config @@ -20,4 +20,4 @@ proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; - proxy_set_header X-authentik-uid $authentik_uid; \ No newline at end of file + proxy_set_header X-authentik-uid $authentik_uid; From 777fa62481f04c4d9fc9868d7e4b8839d6473509 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Wed, 1 Feb 2023 19:35:23 -0600 Subject: [PATCH 07/24] Add new headers --- .../defaults/nginx/authelia-location.conf.sample | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample
index 5331a9c..566d1b2 100644
--- a/root/defaults/nginx/authelia-location.conf.sample
+++ b/root/defaults/nginx/authelia-location.conf.sample
@@ -8,18 +8,30 @@ auth_request /authelia/api/verify; ## Set the $target_url variable based on the original request. set_escape_uri $target_url $scheme://$http_host$request_uri; -## Save the upstream response headers from Authelia to variables. +## Save the upstream authorization response headers from Authelia to variables. +auth_request_set $authorization $upstream_http_authorization; +auth_request_set $proxy_authorization $upstream_http_proxy_authorization; + +## Inject the authorization response headers from the variables into the request made to the backend. +proxy_set_header Authorization $authorization; +proxy_set_header Proxy-Authorization $proxy_authorization; + +## Save the upstream metadata response headers from Authelia to variables. auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $email $upstream_http_remote_email; -## Inject the response headers from the variables into the request made to the backend. +## Inject the metadata response headers from the variables into the request made to the backend. proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; +## Include the Set-Cookie header if present. +auth_request_set $set_cookie $upstream_http_set_cookie; +add_header Set-Cookie $set_cookie; + ## Set $authelia_backend to route requests to the current domain by default set $authelia_backend $http_host; ## In order for Webauthn to work with multiple subdomains Authelia must operate on a separate subdomain From 7be5f1caec93b5d5e5058e7f461bc0879c05cd37 Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Thu, 2 Feb 2023 10:32:51 -0500 Subject: [PATCH 08/24] Update authentik-location.conf --- root/defaults/nginx/authentik-location.conf | 36 ++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) 
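Review bot: `proxy_set_header Authorization $authorization;` replaces whatever Authorization header the client sent with the one Authelia returned, and because nginx omits a proxied header whose value is empty, a backend behind this include receives no Authorization header at all unless Authelia supplied one; the same holds for `Proxy-Authorization`. That is the behaviour the integration wants (a client cannot carry its own credentials past the proxy), but it silently breaks backends that expect their own Basic or bearer credentials to pass through, so it deserves a comment such as `## Client-supplied Authorization/Proxy-Authorization headers are overwritten by Authelia's, or removed when Authelia sends none.` The new `add_header Set-Cookie $set_cookie;` is only applied by nginx to 2xx/3xx responses, which is fine for the pass-through and redirect cases but worth knowing if someone later expects it on a 401 error page.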
diff --git a/root/defaults/nginx/authentik-location.conf b/root/defaults/nginx/authentik-location.conf
index f36487d..06d8c11 100644
--- a/root/defaults/nginx/authentik-location.conf
+++ b/root/defaults/nginx/authentik-location.conf
@@ -1,23 +1,23 @@ ## Version 2022/08/20 # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server - ############################## - # authentik-specific config - ############################## - auth_request /outpost.goauthentik.io/auth/nginx; - error_page 401 = @goauthentik_proxy_signin; - auth_request_set $auth_cookie $upstream_http_set_cookie; - add_header Set-Cookie $auth_cookie; +############################## +# authentik-specific config +############################## +auth_request /outpost.goauthentik.io/auth/nginx; +error_page 401 = @goauthentik_proxy_signin; +auth_request_set $auth_cookie $upstream_http_set_cookie; +add_header Set-Cookie $auth_cookie; - # translate headers from the outposts back to the actual upstream - auth_request_set $authentik_username $upstream_http_x_authentik_username; - auth_request_set $authentik_groups $upstream_http_x_authentik_groups; - auth_request_set $authentik_email $upstream_http_x_authentik_email; - auth_request_set $authentik_name $upstream_http_x_authentik_name; - auth_request_set $authentik_uid $upstream_http_x_authentik_uid; +# translate headers from the outposts back to the actual upstream +auth_request_set $authentik_username $upstream_http_x_authentik_username; +auth_request_set $authentik_groups $upstream_http_x_authentik_groups; +auth_request_set $authentik_email $upstream_http_x_authentik_email; +auth_request_set $authentik_name $upstream_http_x_authentik_name; +auth_request_set $authentik_uid $upstream_http_x_authentik_uid; - proxy_set_header X-authentik-username $authentik_username; - proxy_set_header X-authentik-groups $authentik_groups; - proxy_set_header X-authentik-email $authentik_email; - proxy_set_header X-authentik-name $authentik_name; - proxy_set_header X-authentik-uid $authentik_uid; +proxy_set_header X-authentik-username $authentik_username; +proxy_set_header X-authentik-groups $authentik_groups; +proxy_set_header X-authentik-email 
$authentik_email; +proxy_set_header X-authentik-name $authentik_name; +proxy_set_header X-authentik-uid $authentik_uid; From c137a66726d2e0139b518bf9c89c0b11f505b735 Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Thu, 2 Feb 2023 10:33:15 -0500 Subject: [PATCH 09/24] Update root/defaults/nginx/authentik-server.conf Co-authored-by: Eric Nemchik --- root/defaults/nginx/authentik-server.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/root/defaults/nginx/authentik-server.conf b/root/defaults/nginx/authentik-server.conf index 8a57af8..047308c 100644 --- a/root/defaults/nginx/authentik-server.conf +++ b/root/defaults/nginx/authentik-server.conf @@ -3,7 +3,9 @@ # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { - proxy_pass http://authentik-server:9000/outpost.goauthentik.io; + include /config/nginx/resolver.conf; + set $upstream_authentik authentik-server; + proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; From db4e66112643a5a13e3b5514754417934dab365c Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 3 Feb 2023 09:14:53 -0600 Subject: [PATCH 10/24] Update authelia-location.conf.sample --- root/defaults/nginx/authelia-location.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index 566d1b2..ddd7e0c 100644 --- a/root/defaults/nginx/authelia-location.conf.sample +++ b/root/defaults/nginx/authelia-location.conf.sample 
@@ -34,7 +34,7 @@ add_header Set-Cookie $set_cookie; ## Set $authelia_backend to route requests to the current domain by default set $authelia_backend $http_host; -## In order for Webauthn to work with multiple subdomains Authelia must operate on a separate subdomain +## In order for Webauthn to work with multiple domains Authelia must operate on a separate subdomain ## To use Authelia on a separate subdomain: ## * comment the $authelia_backend line above ## * rename /config/nginx/site-conf/authelia.conf.sample to /config/nginx/site-conf/authelia.conf From e057a7ce0d24647103af85bb9879f37855f3d966 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Feb 2023 12:05:18 -0600 Subject: [PATCH 11/24] Unify auth config approach --- README.md | 2 +- readme-vars.yml | 2 +- ...on.conf => authentik-location.conf.sample} | 17 ++++--- root/defaults/nginx/authentik-server.conf | 27 ----------- .../nginx/authentik-server.conf.sample | 45 +++++++++++++++++++ root/defaults/nginx/proxy.conf.sample | 3 +- .../s6-overlay/s6-rc.d/init-nginx-config/run | 8 ++++ 7 files changed, 65 insertions(+), 39 deletions(-) rename root/defaults/nginx/{authentik-location.conf => authentik-location.conf.sample} (53%) delete mode 100644 root/defaults/nginx/authentik-server.conf create mode 100644 root/defaults/nginx/authentik-server.conf.sample diff --git a/README.md b/README.md index e296739..2a87d04 100755 --- a/README.md +++ b/README.md 
@@ -335,7 +335,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions -* **01.02.23:** - Add includable confs for authentik. +* **05.02.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Add includable confs for authentik * **21.01.23:** - Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x. * **20.01.23:** - Rebase to alpine 3.17 with php8.1. * **16.01.23:** - Remove nchan module because it keeps causing crashes. diff --git a/readme-vars.yml b/readme-vars.yml index bcc2f5d..1a629a3 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,7 +154,7 @@ app_setup_block: | # changelog changelogs: - - { date: "01.02.23:", desc: "Add includable confs for authentik" } + - { date: "05.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Add includable confs for authentik" } - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." } - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." } - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." } diff --git a/root/defaults/nginx/authentik-location.conf b/root/defaults/nginx/authentik-location.conf.sample similarity index 53% rename from root/defaults/nginx/authentik-location.conf rename to root/defaults/nginx/authentik-location.conf.sample index 06d8c11..1322314 100644 --- a/root/defaults/nginx/authentik-location.conf +++ b/root/defaults/nginx/authentik-location.conf.sample 
@@ -1,23 +1,22 @@ -## Version 2022/08/20 +## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server -############################## -# authentik-specific config -############################## -auth_request /outpost.goauthentik.io/auth/nginx; -error_page 401 = @goauthentik_proxy_signin; -auth_request_set $auth_cookie $upstream_http_set_cookie; -add_header Set-Cookie $auth_cookie; +## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource. +auth_request /outpost.goauthentik.io/auth/nginx; -# translate headers from the outposts back to the actual upstream +## Save the upstream metadata response headers from Authentik to variables. auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; +## Inject the metadata response headers from the variables into the request made to the backend. proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; + +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +error_page 401 = @authentik_auth_request; diff --git a/root/defaults/nginx/authentik-server.conf b/root/defaults/nginx/authentik-server.conf deleted file mode 100644 index 047308c..0000000 --- a/root/defaults/nginx/authentik-server.conf +++ /dev/null 
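Review bot: `error_page 401 = @authentik_auth_request;` names a location that nothing in this commit defines; the named location added by authentik-server.conf.sample in the same commit is `@authentik_401_redirect`, so as written a 401 from the outpost would hit a missing named location instead of the sign-in redirect, and one side has to change, e.g. `error_page 401 = @authentik_401_redirect;`. The hunk also drops `auth_request_set $auth_cookie $upstream_http_set_cookie;` and `add_header Set-Cookie $auth_cookie;` from beside `auth_request`, and the new server sample re-creates them inside `location @authentik_401_redirect`; as far as I know `auth_request_set` only takes effect in the location where the auth subrequest ran, so in the named location `$set_cookie` would stay empty and the outpost's cookie would be lost — keeping `auth_request_set $set_cookie $upstream_http_set_cookie;` here (as PATCH 07 does for Authelia) and only the `add_header` in the named location avoids that. The new error_page comment repeats the `subreqest` typo from the Authelia sample.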
@@ -1,27 +0,0 @@
-## Version 2022/09/22
-# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
-
- # all requests to /outpost.goauthentik.io must be accessible without authentication
- location /outpost.goauthentik.io {
- include /config/nginx/resolver.conf;
- set $upstream_authentik authentik-server;
- proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io;
- # ensure the host of this vserver matches your external URL you've configured
- # in authentik
- proxy_set_header Host $host;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- add_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
-
- # Special location for when the /auth endpoint returns a 401,
- # redirect to the /start URL which initiates SSO
- location @goauthentik_proxy_signin {
- internal;
- add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
- # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- }
diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample
new file mode 100644
index 0000000..4bdb965
--- /dev/null
+++ b/root/defaults/nginx/authentik-server.conf.sample
@@ -0,0 +1,45 @@ +## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample +# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server + +# location for authentik auth requests +location /outpost.goauthentik.io { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_authentik authentik-server; + proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; + + ## Headers + proxy_set_header Content-Length ""; + + ## Basic Proxy Configuration + proxy_pass_request_body off; + client_body_buffer_size 128k; + + ## Advanced Proxy Configuration + send_timeout 5m; +} + +# Virtual location for authentik 401 redirects +location @authentik_401_redirect { + internal; + + ## Set the $target_url variable based on the original request. + set_escape_uri $target_url $scheme://$http_host$request_uri; + + ## Include the Set-Cookie header if present. + auth_request_set $set_cookie $upstream_http_set_cookie; + add_header Set-Cookie $set_cookie; + + ## Set $authentik_backend to route requests to the current domain by default + set $authentik_backend $http_host; + ## In order for Webauthn to work with multiple domains authentik must operate on a separate subdomain + ## To use authentik on a separate subdomain: + ## * comment the $authentik_backend line above + ## * rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf + ## * make sure that your dns has a cname set for authentik + ## * uncomment the $authentik_backend line below and change example.com to your domain + ## * restart the swag container + #set $authentik_backend authentik.example.com; + + return 302 https://$authentik_backend/authentik/?rd=$target_url; +} diff --git a/root/defaults/nginx/proxy.conf.sample b/root/defaults/nginx/proxy.conf.sample index c5a7210..ec61d9f 100644 
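Review bot: Both the redirect host and the `rd` value in `@authentik_401_redirect` come straight from the client's Host header: `set $authentik_backend $http_host;` feeds `return 302 https://$authentik_backend/...`, and `set_escape_uri $target_url $scheme://$http_host$request_uri;` feeds `rd=`. In a server block that is also the default (catch-all) vhost the Host header is whatever the client chose, so the Location response header reflects an attacker-supplied host, and an HTTP/1.0 request without a Host header yields `https:///authentik/...`. A browser will not send a forged Host header on its own, so the practical exposure is limited, but it is cheap to narrow: use `$host` (normalized, and falling back to `server_name` when Host is absent) for `$authentik_backend` unless a non-standard published port has to survive the round trip. Also add a comment that the `rd` target is only as safe as authentik's own redirect validation — presumably it checks `rd` against its configured external host, but that should be verified before relying on it.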
--- a/root/defaults/nginx/proxy.conf.sample +++ b/root/defaults/nginx/proxy.conf.sample @@ -1,4 +1,4 @@ -## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample +## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; @@ -31,5 +31,6 @@ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run index e94c92a..5ba2b21 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run @@ -14,6 +14,14 @@ if [[ ! -f /config/nginx/authelia-server.conf ]]; then cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf fi +# copy authentik config files if they don't exist +if [[ ! -f /config/nginx/authentik-location.conf ]]; then + cp /defaults/nginx/authentik-location.conf.sample /config/nginx/authentik-location.conf +fi +if [[ ! -f /config/nginx/authentik-server.conf ]]; then + cp /defaults/nginx/authentik-server.conf.sample /config/nginx/authentik-server.conf +fi + # copy old ldap config file to new location if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then cp /config/nginx/ldap.conf /config/nginx/ldap-server.conf From 3ef896e6112883eb013ba91f626746243762e7d7 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Sun, 5 Feb 2023 14:14:29 -0600 Subject: [PATCH 12/24] overwrite header from proxy.conf to not include $server_port --- root/defaults/nginx/authentik-server.conf.sample | 1 + 1 file changed, 1 insertion(+) diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index 4bdb965..be12484 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -9,6 +9,7 @@ location /outpost.goauthentik.io { proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; ## Headers + proxy_set_header X-Forwarded-Host $host; # overwrite header from proxy.conf to not include $server_port proxy_set_header Content-Length ""; ## Basic Proxy Configuration From 0d92109b684368a5d1021b041b477c1879cc159a Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Feb 2023 16:45:56 -0600 Subject: [PATCH 13/24] Unify auth config approach --- .../nginx/authelia-location.conf.sample | 21 ++------ .../nginx/authelia-server.conf.sample | 52 +++++++++++-------- root/defaults/nginx/proxy.conf.sample | 1 + 3 files changed, 34 insertions(+), 40 deletions(-) diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index ddd7e0c..e7e07eb 100644 --- a/root/defaults/nginx/authelia-location.conf.sample +++ b/root/defaults/nginx/authelia-location.conf.sample 
@@ -1,12 +1,11 @@ -## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample +## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that the authelia configuration.yml has 'path: "authelia"' defined ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /authelia/api/verify; - -## Set the $target_url variable based on the original request. -set_escape_uri $target_url $scheme://$http_host$request_uri; +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +error_page 401 = @authelia_proxy_signin; ## Save the upstream authorization response headers from Authelia to variables. auth_request_set $authorization $upstream_http_authorization; 
@@ -31,17 +30,3 @@ proxy_set_header Remote-Email $email; ## Include the Set-Cookie header if present. auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; - -## Set $authelia_backend to route requests to the current domain by default -set $authelia_backend $http_host; -## In order for Webauthn to work with multiple domains Authelia must operate on a separate subdomain -## To use Authelia on a separate subdomain: -## * comment the $authelia_backend line above -## * rename /config/nginx/site-conf/authelia.conf.sample to /config/nginx/site-conf/authelia.conf -## * make sure that your dns has a cname set for authelia -## * uncomment the $authelia_backend line below and change example.com to your domain -## * restart the swag container -#set $authelia_backend authelia.example.com; - -## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. -error_page 401 =302 https://$authelia_backend/authelia/?rd=$target_url; diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample index 2cb68e1..b744419 100644 --- a/root/defaults/nginx/authelia-server.conf.sample +++ b/root/defaults/nginx/authelia-server.conf.sample @@ -1,8 +1,8 @@ -## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample +## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Make sure that the authelia configuration.yml has 'path: "authelia"' defined -## Virtual endpoints created by nginx to forward auth requests. +# location for authelia subfolder requests location ^~ /authelia { include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; 
@@ -10,39 +10,47 @@ location ^~ /authelia { proxy_pass http://$upstream_authelia:9091; } +# location for authelia auth requests location = /authelia/api/verify { - ## Essential Proxy Configuration internal; + include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_authelia authelia; - proxy_pass http://$upstream_authelia:9091; + proxy_pass http://$upstream_authelia:9091/authelia/api/verify; ## Headers - ## The headers starting with X-* are required. - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Forwarded-Method $request_method; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Content-Length ""; - proxy_set_header Connection ""; ## Basic Proxy Configuration proxy_pass_request_body off; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; client_body_buffer_size 128k; ## Advanced Proxy Configuration send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; +} + +# Virtual location for authelia 401 redirects +location @authelia_proxy_signin { + internal; + + ## Set the $target_url variable based on the original request. + set_escape_uri $target_url $scheme://$http_host$request_uri; + + ## Include the Set-Cookie header if present. 
+ auth_request_set $set_cookie $upstream_http_set_cookie; + add_header Set-Cookie $set_cookie; + + ## Set $authelia_backend to route requests to the current domain by default + set $authelia_backend $http_host; + ## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain + ## To use authelia on a separate subdomain: + ## * comment the $authelia_backend line above + ## * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf + ## * make sure that your dns has a cname set for authelia + ## * uncomment the $authelia_backend line below and change example.com to your domain + ## * restart the swag container + #set $authelia_backend authelia.example.com; + + return 302 https://$authelia_backend/authelia/?rd=$target_url; } diff --git a/root/defaults/nginx/proxy.conf.sample b/root/defaults/nginx/proxy.conf.sample index c5a7210..8d6d6e5 100644 --- a/root/defaults/nginx/proxy.conf.sample +++ b/root/defaults/nginx/proxy.conf.sample @@ -31,5 +31,6 @@ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; From 01c28da51e9b561272a35515dc5da0223ebd2b11 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Feb 2023 16:50:45 -0600 Subject: [PATCH 14/24] Adjustments to bring it closer to authentik docs --- .../nginx/authentik-location.conf.sample | 7 ++++-- .../nginx/authentik-server.conf.sample | 23 +++++++------------ 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample index 1322314..ddeb42c 100644 --- a/root/defaults/nginx/authentik-location.conf.sample +++ b/root/defaults/nginx/authentik-location.conf.sample 
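Review bot: Replacing the explicit header block in `location = /authelia/api/verify` with `include /config/nginx/proxy.conf;` changes what Authelia sees as the client address: the removed line sent `X-Forwarded-For $remote_addr`, whereas proxy.conf (its context is visible in patch 19 later in this series) sends `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends the real address to whatever X-Forwarded-For the client supplied. If Authelia's network-based access-control rules take the client IP from that header — the previous config used `$remote_addr` here deliberately, so I believe they do — a client can prefix an address from a trusted network and satisfy a `networks:` rule it should not. Keep a single, proxy-controlled value in this location, e.g. `proxy_set_header X-Forwarded-For $remote_addr;`; and because nginx may emit both copies when the same header is set twice at one level, the safer form is to not include proxy.conf here and list the X-Forwarded-* headers explicitly, as the old block did. The same include is reused for the authentik auth location later in this series, so the same caveat applies there.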
@@ -3,6 +3,8 @@ ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource. auth_request /outpost.goauthentik.io/auth/nginx; +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +error_page 401 = @goauthentik_proxy_signin; ## Save the upstream metadata response headers from Authentik to variables. auth_request_set $authentik_username $upstream_http_x_authentik_username; @@ -18,5 +20,6 @@ proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; -## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. -error_page 401 = @authentik_auth_request; +## Include the Set-Cookie header if present. +auth_request_set $set_cookie $upstream_http_set_cookie; +add_header Set-Cookie $set_cookie; diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index be12484..cf01680 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample 
@@ -8,20 +8,16 @@ location /outpost.goauthentik.io { set $upstream_authentik authentik-server; proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; - ## Headers - proxy_set_header X-Forwarded-Host $host; # overwrite header from proxy.conf to not include $server_port - proxy_set_header Content-Length ""; - - ## Basic Proxy Configuration + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + add_header Set-Cookie $auth_cookie; + auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; - client_body_buffer_size 128k; - - ## Advanced Proxy Configuration - send_timeout 5m; + proxy_set_header Content-Length ""; } # Virtual location for authentik 401 redirects -location @authentik_401_redirect { +location @goauthentik_proxy_signin { internal; ## Set the $target_url variable based on the original request. @@ -31,16 +27,13 @@ location @authentik_401_redirect { auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; - ## Set $authentik_backend to route requests to the current domain by default - set $authentik_backend $http_host; ## In order for Webauthn to work with multiple domains authentik must operate on a separate subdomain ## To use authentik on a separate subdomain: - ## * comment the $authentik_backend line above ## * rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf ## * make sure that your dns has a cname set for authentik - ## * uncomment the $authentik_backend line below and change example.com to your domain + ## * modify the $authentik_backend line below to set example.com to your domain ## * restart the swag container - #set $authentik_backend authentik.example.com; + set $authentik_backend authentik.example.com; return 302 https://$authentik_backend/authentik/?rd=$target_url; } From b73f17181a5c4f2183715a31e9485456cb1dbe43 Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Sun, 5 Feb 2023 16:56:36 -0600 Subject: [PATCH 15/24] Remove proxy.conf from authentik location --- root/defaults/nginx/authentik-server.conf.sample | 1 - 1 file changed, 1 deletion(-) diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index cf01680..06e358d 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -3,7 +3,6 @@ # location for authentik auth requests location /outpost.goauthentik.io { - include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_authentik authentik-server; proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; From cba7e6703c666caba85443e420b2c209a62bf200 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Feb 2023 16:59:48 -0600 Subject: [PATCH 16/24] Keep subfolder backend signin option --- root/defaults/nginx/authentik-server.conf.sample | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index 06e358d..cfed2d3 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample 
@@ -26,13 +26,16 @@ location @goauthentik_proxy_signin { auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; + ## Set $authentik_backend to route requests to the current domain by default + set $authentik_backend $http_host; ## In order for Webauthn to work with multiple domains authentik must operate on a separate subdomain ## To use authentik on a separate subdomain: + ## * comment the $authentik_backend line above ## * rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf ## * make sure that your dns has a cname set for authentik - ## * modify the $authentik_backend line below to set example.com to your domain + ## * uncomment the $authentik_backend line below and change example.com to your domain ## * restart the swag container - set $authentik_backend authentik.example.com; + #set $authentik_backend authentik.example.com; return 302 https://$authentik_backend/authentik/?rd=$target_url; } From 9e7ef6154d6e0332c8ff84c59a85ed55cb8f7d19 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sun, 5 Feb 2023 17:14:34 -0600 Subject: [PATCH 17/24] Remove authelia site-conf A proxy-conf is already included --- .../nginx/site-confs/authelia.conf.sample | 32 ------------------- .../s6-overlay/s6-rc.d/init-nginx-config/run | 3 -- 2 files changed, 35 deletions(-) delete mode 100644 root/defaults/nginx/site-confs/authelia.conf.sample diff --git a/root/defaults/nginx/site-confs/authelia.conf.sample b/root/defaults/nginx/site-confs/authelia.conf.sample deleted file mode 100644 index 6300b1c..0000000 --- a/root/defaults/nginx/site-confs/authelia.conf.sample +++ /dev/null 
@@ -1,32 +0,0 @@ -## Version 2023/02/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/authelia.conf.sample -# make sure that your dns has a cname set for authelia - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name authelia.*; - - include /config/nginx/ssl.conf; - - client_max_body_size 0; - - location / { - include /config/nginx/proxy.conf; - include /config/nginx/resolver.conf; - set $upstream_app authelia; - set $upstream_port 9091; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - - } - - location ~ (/authelia)?/api/verify { - include /config/nginx/resolver.conf; - set $upstream_app authelia; - set $upstream_port 9091; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - - } -} diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run index c265930..e94c92a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx-config/run @@ -13,9 +13,6 @@ fi if [[ ! -f /config/nginx/authelia-server.conf ]]; then cp /defaults/nginx/authelia-server.conf.sample /config/nginx/authelia-server.conf fi -if [[ ! -f /config/nginx/site-confs/authelia.conf ]]; then - cp /defaults/nginx/site-confs/authelia.conf.sample /config/nginx/site-confs/authelia.conf -fi # copy old ldap config file to new location if [[ -f /config/nginx/ldap.conf ]] && [[ ! -f /config/nginx/ldap-server.conf ]]; then From 0b038edb4a886e4c98d6153242395137a7dded84 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Wed, 8 Feb 2023 09:26:46 -0600 Subject: [PATCH 18/24] Update authentik-server.conf.sample --- root/defaults/nginx/authentik-server.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index cfed2d3..4e69904 100644 
--- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -37,5 +37,5 @@ location @goauthentik_proxy_signin { ## * restart the swag container #set $authentik_backend authentik.example.com; - return 302 https://$authentik_backend/authentik/?rd=$target_url; + return 302 https://$authentik_backend/outpost.goauthentik.io/start?rd=$target_url; } From 3bab8b6b777cba05c11f7765bb9ed0c4841b8171 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Wed, 8 Feb 2023 13:24:03 -0600 Subject: [PATCH 19/24] Update proxy.conf.sample --- root/defaults/nginx/proxy.conf.sample | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/root/defaults/nginx/proxy.conf.sample b/root/defaults/nginx/proxy.conf.sample index ec61d9f..2eb857e 100644 --- a/root/defaults/nginx/proxy.conf.sample +++ b/root/defaults/nginx/proxy.conf.sample @@ -25,8 +25,9 @@ proxy_set_header Host $host; proxy_set_header Proxy ""; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Host $host:$server_port; +proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Method $request_method; +proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Ssl on; From ed104eb203622d3206757bb1bebeccacd30fbcae Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Wed, 8 Feb 2023 13:25:36 -0600 Subject: [PATCH 20/24] Update authentik-server.conf.sample --- .../nginx/authentik-server.conf.sample | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index 4e69904..27698c3 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample 
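Review bot: The new `proxy_set_header X-Forwarded-Port $server_port;` reports the port nginx is listening on inside the container, which is not necessarily the port the client connected to — with a published port mapping such as `-p 8443:443` the upstream is told 443. Any upstream that assembles absolute URLs from X-Forwarded-Host/X-Forwarded-Port (the Authelia and authentik sign-in redirects in this series are the obvious consumers) then points at the wrong port. The old `$host:$server_port` form had the same limitation, so this is not a regression, but since the header is new it deserves a caveat next to it, e.g. `# $server_port is the container's listen port, not the host port published by docker; adjust if they differ`.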
@@ -1,14 +1,23 @@ ## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server -# location for authentik auth requests -location /outpost.goauthentik.io { +# location for authentik subfolder requests +location ^~ /outpost.goauthentik.io { + include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_authentik authentik-server; - proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io; + proxy_pass http://$upstream_authentik:9000; +} + +# location for authentik auth requests +location = /outpost.goauthentik.io/auth/nginx { + internal; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_authentik authentik-server; + proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io/auth/nginx; - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; @@ -28,14 +37,5 @@ location @goauthentik_proxy_signin { ## Set $authentik_backend to route requests to the current domain by default set $authentik_backend $http_host; - ## In order for Webauthn to work with multiple domains authentik must operate on a separate subdomain - ## To use authentik on a separate subdomain: - ## * comment the $authentik_backend line above - ## * rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf - ## * make sure that your dns has a cname set for authentik - ## * uncomment the $authentik_backend line below and change example.com to your domain - ## * restart the swag container - #set $authentik_backend authentik.example.com; - return 302 https://$authentik_backend/outpost.goauthentik.io/start?rd=$target_url; } 
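Review bot: The `add_header Set-Cookie $auth_cookie;` and `auth_request_set $auth_cookie $upstream_http_set_cookie;` lines that now sit inside the internal `location = /outpost.goauthentik.io/auth/nginx` are, as far as I can tell, inert: `auth_request_set` is evaluated in the location that issued the `auth_request`, and the headers of an auth subrequest's own response are never sent to the client, so the pair that does the work is the one in authentik-location.conf.sample. Removing them here keeps the file from implying that the cookie refresh happens in this location. Splitting the auth endpoint into an exact `internal` location while `^~ /outpost.goauthentik.io` stays public is the right shape, but `include /config/nginx/proxy.conf;` in the internal location sends `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends to any X-Forwarded-For the client supplied; if authentik's policies or reputation checks take the client IP from the first entry of that header, a client can prepend a trusted address, so a single `proxy_set_header X-Forwarded-For $remote_addr;` is the safer choice here. The first hunk ends inside that location, so the rest of its body is outside my view.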
From f9f9b677d957ebce6ef33bf1976f23b21bff7416 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 9 Feb 2023 15:52:20 -0600 Subject: [PATCH 21/24] Update default.conf.sample --- root/defaults/nginx/site-confs/default.conf.sample | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index 2b3caf4..a0f4d8a 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -29,6 +29,9 @@ server { # enable for Authelia (requires authelia-location.conf in the location block) #include /config/nginx/authelia-server.conf; + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + location / { # enable for basic auth #auth_basic "Restricted"; @@ -40,6 +43,9 @@ server { # enable for Authelia (requires authelia-server.conf in the server block) #include /config/nginx/authelia-location.conf; + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + try_files $uri $uri/ /index.html /index.php$is_args$args =404; } From 5683a3f232b5dcbed8f7434a71c3476bbb4cd395 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 9 Feb 2023 15:52:57 -0600 Subject: [PATCH 22/24] Update default.conf.sample --- root/defaults/nginx/site-confs/default.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index a0f4d8a..10756f8 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample 
@@ -1,4 +1,4 @@ -## Version 2022/10/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample # redirect all traffic to https server { From 79f6dd4cb19ed2e186ddeb048350c6124e17219a Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 9 Feb 2023 18:19:50 -0600 Subject: [PATCH 23/24] Prevent auth_request on auth subfolder adjust dates and comments --- readme-vars.yml | 2 +- root/defaults/nginx/authentik-location.conf.sample | 6 +++--- root/defaults/nginx/authentik-server.conf.sample | 3 ++- root/defaults/nginx/proxy.conf.sample | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/readme-vars.yml b/readme-vars.yml index 1a629a3..076e6cf 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,7 +154,7 @@ app_setup_block: | # changelog changelogs: - - { date: "05.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Add includable confs for authentik" } + - { date: "09.02.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Add includable confs for authentik" } - { date: "21.01.23:", desc: "Unpin certbot version (allow certbot 2.x). !!BREAKING CHANGE!! We are temporarily removing the certbot porkbun plugin until a new version is released that is compatible with certbot 2.x." } - { date: "20.01.23:", desc: "Rebase to alpine 3.17 with php8.1." } - { date: "16.01.23:", desc: "Remove nchan module because it keeps causing crashes." } diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample index ddeb42c..32c9b53 100644 --- a/root/defaults/nginx/authentik-location.conf.sample 
+++ b/root/defaults/nginx/authentik-location.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource. @@ -6,14 +6,14 @@ auth_request /outpost.goauthentik.io/auth/nginx; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. error_page 401 = @goauthentik_proxy_signin; -## Save the upstream metadata response headers from Authentik to variables. +## Translate response headers from Authentik into variables auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; -## Inject the metadata response headers from the variables into the request made to the backend. +## Inject the response header variables into the request made to the actual upstream proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index 27698c3..9f482c3 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample 
@@ -1,8 +1,9 @@ -## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server # location for authentik subfolder requests location ^~ /outpost.goauthentik.io { + auth_request off; # requests to this subfolder must be accessible without authentication include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_authentik authentik-server; diff --git a/root/defaults/nginx/proxy.conf.sample b/root/defaults/nginx/proxy.conf.sample index 2eb857e..967d170 100644 --- a/root/defaults/nginx/proxy.conf.sample +++ b/root/defaults/nginx/proxy.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; From 0cc47e692281dce54955c009fc639ab2aec7a94b Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 9 Feb 2023 18:32:49 -0600 Subject: [PATCH 24/24] Additional config comments and consolidation --- .../nginx/authelia-location.conf.sample | 19 ++++++++----------- .../nginx/authelia-server.conf.sample | 15 +++++++-------- .../nginx/authentik-location.conf.sample | 1 + .../nginx/authentik-server.conf.sample | 9 ++++++--- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index e7e07eb..c48ef6f 100644 --- a/root/defaults/nginx/authelia-location.conf.sample 
+++ b/root/defaults/nginx/authelia-location.conf.sample @@ -1,5 +1,6 @@ -## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia +# Rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf # Make sure that the authelia configuration.yml has 'path: "authelia"' defined ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. 
@@ -7,25 +8,21 @@ auth_request /authelia/api/verify; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. error_page 401 = @authelia_proxy_signin; -## Save the upstream authorization response headers from Authelia to variables. -auth_request_set $authorization $upstream_http_authorization; -auth_request_set $proxy_authorization $upstream_http_proxy_authorization; - -## Inject the authorization response headers from the variables into the request made to the backend. -proxy_set_header Authorization $authorization; -proxy_set_header Proxy-Authorization $proxy_authorization; - -## Save the upstream metadata response headers from Authelia to variables. +## Translate response headers from Authelia into variables auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $email $upstream_http_remote_email; +auth_request_set $authorization $upstream_http_authorization; +auth_request_set $proxy_authorization $upstream_http_proxy_authorization; -## Inject the metadata response headers from the variables into the request made to the backend. +## Inject the response header variables into the request made to the actual upstream proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; +proxy_set_header Authorization $authorization; +proxy_set_header Proxy-Authorization $proxy_authorization; ## Include the Set-Cookie header if present. auth_request_set $set_cookie $upstream_http_set_cookie; diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample index b744419..742f21e 100644 --- a/root/defaults/nginx/authelia-server.conf.sample +++ b/root/defaults/nginx/authelia-server.conf.sample 
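Review bot: Moving `Authorization`/`Proxy-Authorization` into the shared group drops the only comment that explained why they are set, and the new `## Translate response headers from Authelia into variables` line does not say that these `proxy_set_header` directives overwrite whatever the client sent. Since nginx does not forward a header whose value is empty, the backend only ever sees `Remote-User`, `Remote-Groups`, `Authorization` and friends as Authelia returned them — never a client-supplied value — and that is the property the backend's trust in these headers rests on. Suggest one comment above the `proxy_set_header` group: `## These replace any client-supplied header of the same name; an empty variable means the header is not sent, so the upstream only sees values Authelia asserted.` This snippet is meant to be included inside a protected location, so the block that actually issues `auth_request` is outside this file.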
@@ -1,9 +1,11 @@ -## Version 2023/02/05 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample +## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia +# Rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf # Make sure that the authelia configuration.yml has 'path: "authelia"' defined # location for authelia subfolder requests location ^~ /authelia { + auth_request off; # requests to this subfolder must be accessible without authentication include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_authelia authelia; @@ -19,15 +21,12 @@ location = /authelia/api/verify { set $upstream_authelia authelia; proxy_pass http://$upstream_authelia:9091/authelia/api/verify; - ## Headers - proxy_set_header Content-Length ""; + ## Include the Set-Cookie header if present. + auth_request_set $set_cookie $upstream_http_set_cookie; + add_header Set-Cookie $set_cookie; - ## Basic Proxy Configuration proxy_pass_request_body off; - client_body_buffer_size 128k; - - ## Advanced Proxy Configuration - send_timeout 5m; + proxy_set_header Content-Length ""; } # Virtual location for authelia 401 redirects diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample index 32c9b53..5571c45 100644 --- a/root/defaults/nginx/authentik-location.conf.sample +++ b/root/defaults/nginx/authentik-location.conf.sample 
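Review bot: The `auth_request_set $set_cookie …` / `add_header Set-Cookie $set_cookie;` pair added inside `location = /authelia/api/verify` most likely has no effect there: `auth_request_set` is evaluated in the location that issues `auth_request` (the protected location, where authelia-location.conf already carries the same two lines, visible as context in the previous hunk), and `add_header` is not applied to subrequest responses, so a cookie from this verify subrequest reaches the client only through the copy in the location snippet. The same pattern is kept in the authentik verify location in the last hunk of this patch (authentik-server.conf.sample `@@ -19,10 +20,12`). If the intent is to mirror the upstream vendor examples, a comment such as `## Kept for parity with upstream docs; the effective Set-Cookie forwarding is in authelia-location.conf` would stop someone later deleting the copy that actually works; otherwise these two lines can go. Separately, `proxy_set_header Content-Length "";` now follows `proxy_pass_request_body off;` with the old `## Headers` comment removed — a one-line `## The body is not forwarded to the verify endpoint, so clear Content-Length as well` would explain why the pair belongs together.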
@@ -1,5 +1,6 @@ ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server +# Rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource. auth_request /outpost.goauthentik.io/auth/nginx; diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index 9f482c3..8bbadca 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -1,5 +1,6 @@ ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server +# Rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf # location for authentik subfolder requests location ^~ /outpost.goauthentik.io { @@ -19,10 +20,12 @@ location = /outpost.goauthentik.io/auth/nginx { set $upstream_authentik authentik-server; proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io/auth/nginx; - add_header Set-Cookie $auth_cookie; - auth_request_set $auth_cookie $upstream_http_set_cookie; + ## Include the Set-Cookie header if present. + auth_request_set $set_cookie $upstream_http_set_cookie; + add_header Set-Cookie $set_cookie; + proxy_pass_request_body off; - proxy_set_header Content-Length ""; + proxy_set_header Content-Length ""; } # Virtual location for authentik 401 redirects