From d8f252dd737f887930ff5fe3f245d6138d8c8d9c Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 27 Apr 2023 18:48:27 +0000 Subject: [PATCH] Adjust auth confs to fix cookie header conflict --- .github/workflows/call_issue_pr_tracker.yml | 6 +- .github/workflows/external_trigger.yml | 8 ++ .../workflows/external_trigger_scheduler.yml | 18 ++-- .github/workflows/package_trigger.yml | 4 + .../workflows/package_trigger_scheduler.yml | 8 +- Jenkinsfile | 91 +++++++++++++++++-- README.md | 2 +- readme-vars.yml | 2 +- .../nginx/authelia-location.conf.sample | 13 ++- .../nginx/authelia-server.conf.sample | 8 +- .../nginx/authentik-location.conf.sample | 9 +- .../nginx/authentik-server.conf.sample | 8 +- 12 files changed, 133 insertions(+), 44 deletions(-) diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml index 87243e2..2c30784 100755 --- a/.github/workflows/call_issue_pr_tracker.yml +++ b/.github/workflows/call_issue_pr_tracker.yml @@ -2,9 +2,11 @@ name: Issue & PR Tracker on: issues: - types: [opened,reopened,labeled,unlabeled] + types: [opened,reopened,labeled,unlabeled,closed] pull_request_target: - types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled] + types: [opened,reopened,review_requested,review_request_removed,labeled,unlabeled,closed] + pull_request_review: + types: [submitted,edited,dismissed] jobs: manage-project: diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml index 83b56e0..964c9b3 100644 --- a/.github/workflows/external_trigger.yml +++ b/.github/workflows/external_trigger.yml @@ -14,9 +14,11 @@ jobs: run: | if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER }}" ]; then echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER is set; skipping trigger. ****" + echo "Github secret \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY exit 0 fi echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\". ****" + echo "External trigger running off of master branch. To disable this trigger, set a Github secret named \`PAUSE_EXTERNAL_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY echo "**** Retrieving external version ****" EXT_RELEASE=$(curl -sL "https://pypi.python.org/pypi/certbot/json" |jq -r '. | .info.version') if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then @@ -30,6 +32,7 @@ jobs: fi EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g') echo "**** External version: ${EXT_RELEASE} ****" + echo "External version: ${EXT_RELEASE}" >> $GITHUB_STEP_SUMMARY echo "**** Retrieving last pushed version ****" image="linuxserver/swag" tag="latest" @@ -65,14 +68,18 @@ jobs: exit 1 fi echo "**** Last pushed version: ${IMAGE_VERSION} ****" + echo "Last pushed version: ${IMAGE_VERSION}" >> $GITHUB_STEP_SUMMARY if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then echo "**** Version ${EXT_RELEASE} already pushed, exiting ****" + echo "Version ${EXT_RELEASE} already pushed, exiting" >> $GITHUB_STEP_SUMMARY exit 0 elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****" + echo "New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY exit 0 else echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****" + echo "New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build" >> $GITHUB_STEP_SUMMARY response=$(curl -iX POST \ https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=false \ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|") @@ -82,6 +89,7 @@ jobs: buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url') buildurl="${buildurl%$'\r'}" echo "**** Jenkins job build url: ${buildurl} ****" + echo "Jenkins job build url: ${buildurl}" >> $GITHUB_STEP_SUMMARY echo "**** Attempting to change the Jenkins job description ****" curl -iX POST \ "${buildurl}submitDescription" \ diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml index 05db26d..353eb4b 100644 --- a/.github/workflows/external_trigger_scheduler.yml +++ b/.github/workflows/external_trigger_scheduler.yml @@ -2,7 +2,7 @@ name: External Trigger Scheduler on: schedule: - - cron: '50 * * * *' + - cron: '2 * * * *' workflow_dispatch: jobs: @@ -17,18 +17,18 @@ jobs: run: | echo "**** Branches found: ****" git for-each-ref --format='%(refname:short)' refs/remotes - echo "**** Pulling the yq docker image ****" - docker pull ghcr.io/linuxserver/yq for br in $(git for-each-ref --format='%(refname:short)' refs/remotes) do br=$(echo "$br" | sed 's|origin/||g') echo "**** Evaluating branch ${br} ****" - ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \ - | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch) - if [ "$br" == "$ls_branch" ]; then - echo "**** Branch ${br} appears to be live; checking workflow. ****" + ls_jenkins_vars=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml) + ls_branch=$(echo "${ls_jenkins_vars}" | yq -r '.ls_branch') + ls_trigger=$(echo "${ls_jenkins_vars}" | yq -r '.external_type') + if [[ "${br}" == "${ls_branch}" ]] && [[ "${ls_trigger}" != "os" ]]; then + echo "**** Branch ${br} appears to be live and trigger is not os; checking workflow. ****" if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****." + echo "Triggering external trigger workflow for branch ${br}" >> $GITHUB_STEP_SUMMARY curl -iX POST \ -H "Authorization: token ${{ secrets.CR_PAT }}" \ -H "Accept: application/vnd.github.v3+json" \ @@ -36,8 +36,10 @@ jobs: https://api.github.com/repos/linuxserver/docker-swag/actions/workflows/external_trigger.yml/dispatches else echo "**** Workflow doesn't exist; skipping trigger. ****" + echo "Skipping branch ${br} due to no external trigger workflow present." >> $GITHUB_STEP_SUMMARY fi else - echo "**** ${br} appears to be a dev branch; skipping trigger. ****" + echo "**** ${br} is either a dev branch, or has no external version; skipping trigger. ****" + echo "Skipping branch ${br} due to being detected as dev branch or having no external version." >> $GITHUB_STEP_SUMMARY fi done diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml index 35847d5..7e71dfb 100644 --- a/.github/workflows/package_trigger.yml +++ b/.github/workflows/package_trigger.yml @@ -14,13 +14,16 @@ jobs: run: | if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_SWAG_MASTER }}" ]; then echo "**** Github secret PAUSE_PACKAGE_TRIGGER_SWAG_MASTER is set; skipping trigger. ****" + echo "Github secret \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY exit 0 fi if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****" + echo "There already seems to be an active build on Jenkins; skipping package trigger" >> $GITHUB_STEP_SUMMARY exit 0 fi echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\". ****" + echo "Package trigger running off of master branch. To disable, set a Github secret named \`PAUSE_PACKAGE_TRIGGER_SWAG_MASTER\`" >> $GITHUB_STEP_SUMMARY response=$(curl -iX POST \ https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-swag/job/master/buildWithParameters?PACKAGE_CHECK=true \ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|") @@ -30,6 +33,7 @@ jobs: buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url') buildurl="${buildurl%$'\r'}" echo "**** Jenkins job build url: ${buildurl} ****" + echo "Jenkins job build url: ${buildurl}" >> $GITHUB_STEP_SUMMARY echo "**** Attempting to change the Jenkins job description ****" curl -iX POST \ "${buildurl}submitDescription" \ diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml index b92d6f4..b912788 100644 --- a/.github/workflows/package_trigger_scheduler.yml +++ b/.github/workflows/package_trigger_scheduler.yml @@ -17,18 +17,16 @@ jobs: run: | echo "**** Branches found: ****" git for-each-ref --format='%(refname:short)' refs/remotes - echo "**** Pulling the yq docker image ****" - docker pull ghcr.io/linuxserver/yq for br in $(git for-each-ref --format='%(refname:short)' refs/remotes) do br=$(echo "$br" | sed 's|origin/||g') echo "**** Evaluating branch ${br} ****" - ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml \ - | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch) + ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/jenkins-vars.yml | yq -r '.ls_branch') if [ "${br}" == "${ls_branch}" ]; then echo "**** Branch ${br} appears to be live; checking workflow. ****" if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-swag/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****" + echo "Triggering package trigger workflow for branch ${br}" >> $GITHUB_STEP_SUMMARY triggered_branches="${triggered_branches}${br} " curl -iX POST \ -H "Authorization: token ${{ secrets.CR_PAT }}" \ @@ -38,9 +36,11 @@ jobs: sleep 30 else echo "**** Workflow doesn't exist; skipping trigger. ****" + echo "Skipping branch ${br} due to no package trigger workflow present." >> $GITHUB_STEP_SUMMARY fi else echo "**** ${br} appears to be a dev branch; skipping trigger. ****" + echo "Skipping branch ${br} due to being detected as dev branch." >> $GITHUB_STEP_SUMMARY fi done echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****" diff --git a/Jenkinsfile b/Jenkinsfile index b859cf3..86696fe 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -40,10 +40,11 @@ pipeline { // Setup all the basic environment variables needed for the build stage("Set ENV Variables base"){ steps{ + sh '''docker pull quay.io/skopeo/stable:v1 || : ''' script{ env.EXIT_STATUS = '' env.LS_RELEASE = sh( - script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''', + script: '''docker run --rm quay.io/skopeo/stable:v1 inspect docker://ghcr.io/${LS_USER}/${CONTAINER_NAME}:latest 2>/dev/null | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''', returnStdout: true).trim() env.LS_RELEASE_NOTES = sh( script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''', @@ -228,7 +229,7 @@ pipeline { script{ env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml' } - sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash''' + sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-jenkins-builder/master/checkrun.sh | /bin/bash''' sh '''#! /bin/bash docker run --rm \ -v ${WORKSPACE}:/mnt \ @@ -376,6 +377,26 @@ pipeline { } } } + // If this is a master build check the S6 service file perms + stage("Check S6 Service file Permissions"){ + when { + branch "master" + environment name: 'CHANGE_ID', value: '' + environment name: 'EXIT_STATUS', value: '' + } + steps { + script{ + sh '''#! /bin/bash + WRONG_PERM=$(find ./ -path "./.git" -prune -o \\( -name "run" -o -name "finish" -o -name "check" \\) -not -perm -u=x,g=x,o=x -print) + if [[ -n "${WRONG_PERM}" ]]; then + echo "The following S6 service files are missing the executable bit; canceling the faulty build: ${WRONG_PERM}" + exit 1 + else + echo "S6 service file perms look good." + fi ''' + } + } + } /* ####################### GitLab Mirroring ####################### */ @@ -668,6 +689,7 @@ pipeline { ]) { script{ env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html' + env.CI_JSON_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/report.json' } sh '''#! /bin/bash set -e @@ -694,8 +716,6 @@ pipeline { -e WEB_SCREENSHOT=\"${CI_WEB}\" \ -e WEB_AUTH=\"${CI_AUTH}\" \ -e WEB_PATH=\"${CI_WEBPATH}\" \ - -e DO_REGION="ams3" \ - -e DO_BUCKET="lsio-ci" \ -t ghcr.io/linuxserver/ci:latest \ python3 test_build.py''' } @@ -949,8 +969,67 @@ pipeline { environment name: 'EXIT_STATUS', value: '' } steps { - sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \ - -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' ''' + sh '''#! /bin/bash + # Function to retrieve JSON data from URL + get_json() { + local url="$1" + local response=$(curl -s "$url") + if [ $? -ne 0 ]; then + echo "Failed to retrieve JSON data from $url" + return 1 + fi + local json=$(echo "$response" | jq .) + if [ $? -ne 0 ]; then + echo "Failed to parse JSON data from $url" + return 1 + fi + echo "$json" + } + + build_table() { + local data="$1" + + # Get the keys in the JSON data + local keys=$(echo "$data" | jq -r 'to_entries | map(.key) | .[]') + + # Check if keys are empty + if [ -z "$keys" ]; then + echo "JSON report data does not contain any keys or the report does not exist." + return 1 + fi + + # Build table header + local header="| Tag | Passed |\\n| --- | --- |\\n" + + # Loop through the JSON data to build the table rows + local rows="" + for build in $keys; do + local status=$(echo "$data" | jq -r ".[\\"$build\\"].test_success") + if [ "$status" = "true" ]; then + status="✅" + else + status="❌" + fi + local row="| "$build" | "$status" |\\n" + rows="${rows}${row}" + done + + local table="${header}${rows}" + local escaped_table=$(echo "$table" | sed 's/\"/\\\\"/g') + echo "$escaped_table" + } + + # Retrieve JSON data from URL + data=$(get_json "$CI_JSON_URL") + # Create table from JSON data + table=$(build_table "$data") + echo -e "$table" + + curl -X POST -H "Authorization: token $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/$LS_USER/$LS_REPO/issues/$PULL_REQUEST/comments" \ + -d "{\\"body\\": \\"I am a bot, here are the test results for this PR: \\n${CI_URL}\\n${SHELLCHECK_URL}\\n${table}\\"}"''' + } } } diff --git a/README.md b/README.md index 8c01885..4543e8a 100644 --- a/README.md +++ b/README.md @@ -336,7 +336,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions -* **13.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-server.conf - Simplify auth configs and include updates for Authelia 4.38. +* **27.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug. * **13.04.23:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik. * **25.03.23:** - Fix renewal post hook. * **10.03.23:** - Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0). diff --git a/readme-vars.yml b/readme-vars.yml index 290fc9f..f36b368 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,7 +154,7 @@ app_setup_block: | # changelog changelogs: - - { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-server.conf - Simplify auth configs and include updates for Authelia 4.38." } + - { date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug." } - { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik." } - { date: "25.03.23:", desc: "Fix renewal post hook." } - { date: "10.03.23:", desc: "Cleanup unused csr and keys folders. See [certbot 2.3.0 release notes](https://github.com/certbot/certbot/releases/tag/v2.3.0)." } diff --git a/root/defaults/nginx/authelia-location.conf.sample b/root/defaults/nginx/authelia-location.conf.sample index 32cd82e..425b109 100644 --- a/root/defaults/nginx/authelia-location.conf.sample +++ b/root/defaults/nginx/authelia-location.conf.sample @@ -1,28 +1,27 @@ -## Version 2023/04/24 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample +## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf # Make sure that the authelia configuration.yml has 'path: "authelia"' defined ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. -auth_request /authelia/api/authz/auth-request; +auth_request /authelia/api/verify; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. error_page 401 = @authelia_proxy_signin; -## Translate response headers from Authelia into variables +## Translate the user information response headers from the auth subrequest into variables auth_request_set $email $upstream_http_remote_email; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $user $upstream_http_remote_user; -## Inject the response header variables into the request made to the actual upstream +## Inject the user information into the request made to the actual upstream proxy_set_header Remote-Email $email; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-User $user; -## Include the Set-Cookie header if present. +## Translate the Set-Cookie response header from auth subrequest into a variable auth_request_set $set_cookie $upstream_http_set_cookie; -add_header Set-Cookie $set_cookie; -## Set $redirection_url to the location header of the response from the auth request +## Translate the Location response header from auth subrequest into a variable auth_request_set $redirection_url $upstream_http_location; diff --git a/root/defaults/nginx/authelia-server.conf.sample b/root/defaults/nginx/authelia-server.conf.sample index a79fb87..07b8e85 100644 --- a/root/defaults/nginx/authelia-server.conf.sample +++ b/root/defaults/nginx/authelia-server.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/04/24 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample +## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample # Make sure that your authelia container is in the same user defined bridge network and is named authelia # Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf # Make sure that the authelia configuration.yml has 'path: "authelia"' defined @@ -11,8 +11,7 @@ location ^~ /authelia { set $upstream_authelia authelia; proxy_pass http://$upstream_authelia:9091; - ## Include the Set-Cookie header if present. - auth_request_set $set_cookie $upstream_http_set_cookie; + ## Include the Set-Cookie header if present add_header Set-Cookie $set_cookie; proxy_pass_request_body off; @@ -23,8 +22,7 @@ location ^~ /authelia { location @authelia_proxy_signin { internal; - ## Include the Set-Cookie header if present. - auth_request_set $set_cookie $upstream_http_set_cookie; + ## Include the Set-Cookie header if present add_header Set-Cookie $set_cookie; ## Set the $target_url variable based on the original request. diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample index 39668c6..c5f32b2 100644 --- a/root/defaults/nginx/authentik-location.conf.sample +++ b/root/defaults/nginx/authentik-location.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample +## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf @@ -7,20 +7,19 @@ auth_request /outpost.goauthentik.io/auth/nginx; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. error_page 401 = @goauthentik_proxy_signin; -## Translate response headers from Authentik into variables +## Translate the user information response headers from the auth subrequest into variables auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; auth_request_set $authentik_username $upstream_http_x_authentik_username; -## Inject the response header variables into the request made to the actual upstream +## Inject the user information into the request made to the actual upstream proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-username $authentik_username; -## Include the Set-Cookie header if present. +## Translate the Set-Cookie response header from auth subrequest into a variable auth_request_set $set_cookie $upstream_http_set_cookie; -add_header Set-Cookie $set_cookie; diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample index b5adfd6..e7af24c 100644 --- a/root/defaults/nginx/authentik-server.conf.sample +++ b/root/defaults/nginx/authentik-server.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/04/24 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample +## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample # Make sure that your authentik container is in the same user defined bridge network and is named authentik-server # Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf @@ -10,8 +10,7 @@ location ^~ /outpost.goauthentik.io { set $upstream_authentik authentik-server; proxy_pass http://$upstream_authentik:9000; - ## Include the Set-Cookie header if present. - auth_request_set $set_cookie $upstream_http_set_cookie; + ## Include the Set-Cookie header if present add_header Set-Cookie $set_cookie; proxy_pass_request_body off; @@ -22,8 +21,7 @@ location ^~ /outpost.goauthentik.io { location @goauthentik_proxy_signin { internal; - ## Include the Set-Cookie header if present. - auth_request_set $set_cookie $upstream_http_set_cookie; + ## Include the Set-Cookie header if present add_header Set-Cookie $set_cookie; ## Set the $target_url variable based on the original request.