diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index 425b109..5fd7d28 100644 --- a/root/defaults/nginx/authelia-location.conf.sample +++ b/root/defaults/nginx/authelia-location.conf.sample @@ -3,9 +3,9 @@ # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf # Make sure that the authelia configuration.yml has 'path: "authelia"' defined -## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. +## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource auth_request /authelia/api/verify; -## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal error_page 401 = @authelia_proxy_signin; ## Translate the user information response headers from the auth subrequest into variables @@ -20,8 +20,8 @@ proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-User $user; -## Translate the Set-Cookie response header from auth subrequest into a variable +## Translate the Set-Cookie response header from the auth subrequest into a variable auth_request_set $set_cookie $upstream_http_set_cookie; -## Translate the Location response header from auth subrequest into a variable -auth_request_set $redirection_url $upstream_http_location; +## Translate the Location response header from the auth subrequest into a variable +auth_request_set $signin_url $upstream_http_location; diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample index 07b8e85..805aadb 100644 --- a/root/defaults/nginx/authelia-server.conf.sample +++ b/root/defaults/nginx/authelia-server.conf.sample @@ -12,6 +12,7 @@ location ^~ /authelia { proxy_pass http://$upstream_authelia:9091; ## Include the Set-Cookie header if present + auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; proxy_pass_request_body off; @@ -23,16 +24,20 @@ location @authelia_proxy_signin { internal; ## Include the Set-Cookie header if present + auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; - ## Set the $target_url variable based on the original request. + ## Set the $target_url variable based on the original request set_escape_uri $target_url $scheme://$http_host$request_uri; - ## Set $redirection_url if it is empty - if ($redirection_url = false) { - set $redirection_url https://$http_host/authelia/?rd=$target_url; + ## Translate the Location response header from the auth subrequest into a variable + auth_request_set $signin_url $upstream_http_location; + + if ($signin_url = '') { + ## Set the $signin_url variable + set $signin_url https://$http_host/authelia/?rd=$target_url; } ## Redirect to login - return 302 $redirection_url; + return 302 $signin_url; } diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample index c5f32b2..d27f681 100644 --- a/root/defaults/nginx/authentik-location.conf.sample +++ b/root/defaults/nginx/authentik-location.conf.sample @@ -2,9 +2,9 @@ # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf -## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource. +## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource auth_request /outpost.goauthentik.io/auth/nginx; -## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. +## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal error_page 401 = @goauthentik_proxy_signin; ## Translate the user information response headers from the auth subrequest into variables @@ -21,5 +21,5 @@ proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-username $authentik_username; -## Translate the Set-Cookie response header from auth subrequest into a variable +## Translate the Set-Cookie response header from the auth subrequest into a variable auth_request_set $set_cookie $upstream_http_set_cookie; diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index e7af24c..29bd233 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -11,6 +11,7 @@ location ^~ /outpost.goauthentik.io { proxy_pass http://$upstream_authentik:9000; ## Include the Set-Cookie header if present + auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; proxy_pass_request_body off; @@ -22,16 +23,15 @@ location @goauthentik_proxy_signin { internal; ## Include the Set-Cookie header if present + auth_request_set $set_cookie $upstream_http_set_cookie; add_header Set-Cookie $set_cookie; - ## Set the $target_url variable based on the original request. + ## Set the $target_url variable based on the original request set_escape_uri $target_url $scheme://$http_host$request_uri; - ## Set $redirection_url if it is empty - if ($redirection_url = false) { - set $redirection_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url; - } + ## Set the $signin_url variable + set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url; ## Redirect to login - return 302 $redirection_url; + return 302 $signin_url; }