diff --git a/roles/authelia/templates/authelia-auth.conf.j2 b/roles/authelia/templates/authelia-auth.conf.j2 index ef19a01..8c78b57 100644 --- a/roles/authelia/templates/authelia-auth.conf.j2 +++ b/roles/authelia/templates/authelia-auth.conf.j2 @@ -1,14 +1,5 @@ -# Basic Authelia Config -# Send a subsequent request to Authelia to verify if the user is authenticated -# and has the right permissions to access the resource. -auth_request /authelia; -# Set the `target_url` variable based on the request. It will be used to build the portal -# URL with the correct redirection parameter. +auth_request /authelia/api/verify; auth_request_set $target_url $scheme://$http_host$request_uri; -# Set the X-Forwarded-User and X-Forwarded-Groups with the headers -# returned by Authelia for the backends which can consume them. -# This is not safe, as the backend must make sure that they come from the -# proxy. In the future, it's gonna be safe to just use OAuth. auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; @@ -17,7 +8,4 @@ proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; -# If Authelia returns 401, then nginx redirects the user to the login portal. -# If it returns 200, then the request pass through to the backend. -# For other type of errors, nginx will handle them as usual. -error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url; \ No newline at end of file +error_page 401 =302 https://$http_host/authelia/?rd=$target_url; \ No newline at end of file diff --git a/roles/authelia/templates/authelia-endpoint.conf.j2 b/roles/authelia/templates/authelia-endpoint.conf.j2 index 461904e..a218595 100644 --- a/roles/authelia/templates/authelia-endpoint.conf.j2 +++ b/roles/authelia/templates/authelia-endpoint.conf.j2 @@ -1,10 +1,17 @@ -set $upstream_authelia http://authelia:9091/api/verify; +location ^~ /authelia { + include /etc/nginx/snippets/proxy.conf; + set $upstream_authelia authelia; + proxy_pass http://$upstream_authelia:9091; +} -# Virtual endpoint created by nginx to forward auth requests. -location /authelia { +location = /authelia/api/verify { internal; + if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) { + return 401; + } + set $upstream_authelia authelia; proxy_pass_request_body off; - proxy_pass $upstream_authelia; + proxy_pass http://$upstream_authelia:9091; proxy_set_header Content-Length ""; # Timeout if the real server is dead @@ -19,11 +26,11 @@ location /authelia { proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1;