From 763b6993fcd35e2e307beec06682a2db26acc05c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:37:45 +0200 Subject: [PATCH 01/15] Add authelia role to playbook --- playbook.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbook.yml b/playbook.yml index b2079c2..b38a02c 100644 --- a/playbook.yml +++ b/playbook.yml @@ -6,6 +6,7 @@ - jellyfin - openldap - postgres + - authelia - keycloak vars_files: - vault/certs/{{ base_domain }}.yml -- 2.40.1 From c19bd16a41dc29d72ca5b6070d33e5f03f493536 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:38:06 +0200 Subject: [PATCH 02/15] authelia: add the main task --- roles/authelia/tasks/main.yml | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 roles/authelia/tasks/main.yml diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml new file mode 100644 index 0000000..7eed48d --- /dev/null +++ b/roles/authelia/tasks/main.yml 
@@ -0,0 +1,39 @@ +- name: ensure directories exist + file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - "{{ data_folder }}/authelia" +- name: copy configuration.yml + template: + src: "configuration.yml.j2" + dest: "{{ data_folder }}/authelia/configuration.yml" + mode: "755" +- name: run container + docker_container: + name: "authelia" + image: "authelia/authelia" + ports: + - "9091:9091" + networks: + - name: bridge + - name: nginx-internal + volumes: + - "{{ data_folder }}/authelia:/config" +- name: copy nginx endpoint conf + template: + src: "authelia-endpoint.conf.j2" + dest: "{{ data_folder }}/nginx/snippets/authelia-endpoint.conf" + mode: "755" +- name: copy nginx auth conf + template: + src: "authelia-auth.conf.j2" + dest: "{{ data_folder }}/nginx/snippets/authelia-auth.conf" + mode: "755" +- name: copy nginx conf + template: + src: "authelia.conf.j2" + dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf" + mode: "755" + notify: reload nginx \ No newline at end of file -- 2.40.1 From c45df9911f6fb810279bb3e530671eb64204961c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:38:28 +0200 Subject: [PATCH 03/15] authelia: add the nginx configuration --- roles/authelia/templates/authelia.conf.j2 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 roles/authelia/templates/authelia.conf.j2 diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2 new file mode 100644 index 0000000..463c3dc --- /dev/null +++ b/roles/authelia/templates/authelia.conf.j2 
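Review bot: The `copy configuration.yml` task renders a file that carries the LDAP bind password, the SMTP password and the JWT/session secrets with `mode: "755"`, so every local account on the host can read it; `mode: "0600"` (with `owner`/`group` matching the user the container runs as) is the right setting there, and the three nginx templates below need no execute bit either (`mode: "0644"`). The `run container` task also publishes `9091:9091` on all host interfaces although nginx already reaches the container over the `nginx-internal` network, which exposes the plain-HTTP Authelia listener beside the TLS vhost; dropping `ports:` (or binding `127.0.0.1:9091:9091`) keeps nginx as the only path in. `image: "authelia/authelia"` has no tag, so each playbook run may pull a different release; pin a tag or digest so the deployment is reproducible.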
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name auth.{{ base_domain }};
+ listen 443 ssl http2;
+
+ location / {
+ set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
+ proxy_pass $upstream_authelia;
+ include /etc/nginx/snippets/proxy.conf;
+ }
+}
\ No newline at end of file
-- 2.40.1
From 851f5ac25efcea4726c9f1809705b5af94483363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Sun, 20 Jun 2021 19:38:53 +0200
Subject: [PATCH 04/15] authelia: add more nginx configuration
---
 roles/authelia/templates/authelia-auth.conf.j2 | 23 +++++++++++
 .../templates/authelia-endpoint.conf.j2 | 40 +++++++++++++++++++
 roles/nginx/templates/snippets/proxy.conf.j2 | 33 +++++++++++++++
 3 files changed, 96 insertions(+)
 create mode 100644 roles/authelia/templates/authelia-auth.conf.j2
 create mode 100644 roles/authelia/templates/authelia-endpoint.conf.j2
 create mode 100644 roles/nginx/templates/snippets/proxy.conf.j2
diff --git a/roles/authelia/templates/authelia-auth.conf.j2 b/roles/authelia/templates/authelia-auth.conf.j2
new file mode 100644
index 0000000..ef19a01
--- /dev/null
+++ b/roles/authelia/templates/authelia-auth.conf.j2
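Review bot: The `listen 443 ssl http2` server block carries none of the `add_header` hardening that `keycloak.conf.j2` applies (`X-Content-Type-Options "nosniff"`, `X-XSS-Protection "1; mode=block"`, visible in patch 06), and the login portal is the vhost that most deserves it; adding the same `add_header` lines (and `Strict-Transport-Security` if it is not set at http level) keeps the two templates consistent. `proxy_pass $upstream_authelia;` with a variable target requires a `resolver` directive so nginx can look up `authelia` at request time; presumably one exists in the shared nginx config, since `keycloak.conf.j2` proxies to `$keycloak` the same way, but it is worth confirming. No `ssl_certificate`/`ssl_certificate_key` appear in this block either, so they must be inherited from the http context; a one-line comment saying so would spare the next reader a search.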
@@ -0,0 +1,23 @@ +# Basic Authelia Config +# Send a subsequent request to Authelia to verify if the user is authenticated +# and has the right permissions to access the resource. +auth_request /authelia; +# Set the `target_url` variable based on the request. It will be used to build the portal +# URL with the correct redirection parameter. +auth_request_set $target_url $scheme://$http_host$request_uri; +# Set the X-Forwarded-User and X-Forwarded-Groups with the headers +# returned by Authelia for the backends which can consume them. +# This is not safe, as the backend must make sure that they come from the +# proxy. In the future, it's gonna be safe to just use OAuth. +auth_request_set $user $upstream_http_remote_user; +auth_request_set $groups $upstream_http_remote_groups; +auth_request_set $name $upstream_http_remote_name; +auth_request_set $email $upstream_http_remote_email; +proxy_set_header Remote-User $user; +proxy_set_header Remote-Groups $groups; +proxy_set_header Remote-Name $name; +proxy_set_header Remote-Email $email; +# If Authelia returns 401, then nginx redirects the user to the login portal. +# If it returns 200, then the request pass through to the backend. +# For other type of errors, nginx will handle them as usual. +error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url; \ No newline at end of file diff --git a/roles/authelia/templates/authelia-endpoint.conf.j2 b/roles/authelia/templates/authelia-endpoint.conf.j2 new file mode 100644 index 0000000..461904e --- /dev/null +++ b/roles/authelia/templates/authelia-endpoint.conf.j2 
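Review bot: `$target_url` is interpolated raw into `error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url;`, so any `&` or `#` in the original `$request_uri` truncates the `rd` parameter and the user lands on the wrong page after login; the value should be URL-encoded (for example via a `map` that produces an escaped copy) before it is placed in the query string. The file's own comment already records that backends cannot tell whether `Remote-User`/`Remote-Groups` came from this proxy; it would be worth extending that comment to say the backend must therefore be reachable only through nginx (as the `nginx-internal` network in the role's `docker_container` task intends), since that is the condition under which the headers are trustworthy.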
@@ -0,0 +1,40 @@ +set $upstream_authelia http://authelia:9091/api/verify; + +# Virtual endpoint created by nginx to forward auth requests. +location /authelia { + internal; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + # Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # [REQUIRED] Needed by Authelia to check authorizations of the resource. + # Provide either X-Original-URL and X-Forwarded-Proto or + # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. + # Those headers will be used by Authelia to deduce the target url of the user. + # Basic Proxy Config + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Method $request_method; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; +} \ No newline at end of file diff --git a/roles/nginx/templates/snippets/proxy.conf.j2 b/roles/nginx/templates/snippets/proxy.conf.j2 new file mode 100644 index 0000000..26461f5 --- /dev/null +++ b/roles/nginx/templates/snippets/proxy.conf.j2 
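Review bot: `proxy_set_header X-Forwarded-Ssl on;` is hard-coded while `X-Forwarded-Proto` is `$scheme`, so if this snippet is ever included from a plain-HTTP server block Authelia is told two different things about the scheme; `proxy_set_header X-Forwarded-Ssl $https;` sends `on` only over TLS and nginx omits the header when the value is empty. The `[REQUIRED]` comment describes the `X-Original-URL`/`X-Forwarded-*` headers but sits above the unrelated `client_body_buffer_size` line; moving it directly above `proxy_set_header X-Original-URL ...` makes the requirement easier to find. As in `authelia.conf.j2`, `proxy_pass $upstream_authelia;` with a variable needs a `resolver` to be in scope.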
@@ -0,0 +1,33 @@
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+# If behind reverse proxy, forwards the correct IP
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 192.168.0.0/16;
+set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
\ No newline at end of file
-- 2.40.1
From 3d06cf48b8d5a2c450beca337febeadf766ceab1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Sun, 20 Jun 2021 19:39:31 +0200
Subject: [PATCH 05/15] authelia: add configuration.yml
---
 roles/authelia/templates/configuration.yml.j2 | 60 +++++++++++++++++++
 vault/passwords.yml | 34 ++++++-----
 2 files changed, 78 insertions(+), 16 deletions(-)
 create mode 100644 roles/authelia/templates/configuration.yml.j2
diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2
new file mode 100644
index 0000000..fbd72a0
--- /dev/null
+++ b/roles/authelia/templates/configuration.yml.j2
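Review bot: The `set_real_ip_from` list trusts all of RFC 1918 plus `fc00::/7` for `X-Forwarded-For`, so any host on the LAN and any container on the Docker bridge can send a forged `X-Forwarded-For` and nginx will report that address as `$remote_addr`; because `X-Real-IP` and `X-Forwarded-For` are then relayed to Authelia, a client can pick the IP that Authelia's `regulation` ban counters and any network-based access rules see. Narrow the list to the address(es) of the real upstream proxy, or drop the `set_real_ip_from`/`real_ip_header` block if nginx is itself the edge; the additional `172.17–19.0.0/16` entries in patch 10 do not change this. Note also that this snippet forwards `$proxy_add_x_forwarded_for` while `authelia-endpoint.conf.j2` forwards `$remote_addr`; the two should agree on whether the whole chain or only the immediate peer is passed on.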
@@ -0,0 +1,60 @@ +host: 0.0.0.0 +port: 9091 +server: + read_buffer_size: 4096 + write_buffer_size: 4096 + path: "authelia" +log_level: debug +jwt_secret: somethingsomethingrandomrecret +default_redirection_url: https://{{ base_domain }} +authentication_backend: + disable_reset_password: false + ldap: + implementation: custom + url: ldap://openldap + start_tls: false + tls: + server_name: openldap + skip_verify: false + minimum_version: TLS1.2 + base_dn: dc=kucharczyk,dc=xyz + username_attribute: uid + users_filter: ({username_attribute}={input}) + groups_filter: (member={dn}) + mail_attribute: mail + user: cn=admin,dc=kucharczyk,dc=xyz + password: {{ vault_openldap_admin_password }} +access_control: + default_policy: deny + rules: + - domain: + - "keycloak.{{ base_domain }}" + policy: one_factor +session: + name: authelia_session + secret: somerandomsecret + expiration: 1h + inactivity: 5m + remember_me_duration: 1M + domain: {{ base_domain }} +regulation: + max_retries: 3 + find_time: 2m + ban_time: 99y +storage: + local: + path: /config/db.sqlite3 +notifier: + disable_startup_check: false + smtp: + username: kucharczyk.lukas@gmail.com + password: {{ vault_email_gmail_password }} + host: smtp.gmail.com + port: 587 + sender: kucharczyk.lukas@gmail.com + subject: "[Authelia] {title}" + startup_check_address: test@authelia.com + disable_require_tls: false + tls: + skip_verify: false + minimum_version: TLS1.2 \ No newline at end of file diff --git a/vault/passwords.yml b/vault/passwords.yml index f31064e..046e499 100644 --- a/vault/passwords.yml +++ b/vault/passwords.yml 
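Review bot: `jwt_secret: somethingsomethingrandomrecret` and `secret: somerandomsecret` under `session` are committed literally while the LDAP and SMTP passwords come from the vault, so the two values that sign password-reset tokens and session cookies are the weakest secrets in the deployment; move them to vault variables with generated random values, e.g. `jwt_secret: "{{ vault_authelia_jwt_secret }}"` (variable name illustrative). The Jinja expansions `password: {{ vault_openldap_admin_password }}`, `domain: {{ base_domain }}` and `password: {{ vault_email_gmail_password }}` are unquoted, so a value containing ` #`, `: ` or a leading YAML indicator breaks the rendered file or silently changes its type; write `password: "{{ vault_openldap_admin_password }}"` (or pipe through `to_json`). `url: ldap://openldap` with `start_tls: false` sends the admin bind password in clear over the Docker network and makes the `tls:` block beneath it inert; `ldaps://` or `start_tls: true` is needed for that block to take effect. `log_level: debug` is also a lot of output for an authentication service in steady state and presumably temporary.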
@@ -1,17 +1,19 @@ $ANSIBLE_VAULT;1.1;AES256 -65653231333939666430306463383836633664623438373661666234343165633864353934663563 -3335396466623862353633363264373666353036623134360a356438636230613139633264373265 -36643231356335653261616238613266306165616363643763356234363537616138353831383064 -3436353361333263330a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a643535356131363164373764613531 +36363735323930306338623164636563626334653532386632303936343737363731323166323530 +3439353635343236350a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rom f73272ac91e82950ba79050bf65b63e3c87395c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:39:46 +0200 Subject: [PATCH 06/15] keycloak: enable authelia interstitial --- roles/keycloak/templates/keycloak.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2 index e16765c..534ee62 100644 --- a/roles/keycloak/templates/keycloak.conf.j2 +++ b/roles/keycloak/templates/keycloak.conf.j2 @@ -13,8 +13,11 @@ server { add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff"; + include /etc/nginx/snippets/authelia-endpoint.conf; + location / { proxy_pass http://$keycloak:8080; + include /etc/nginx/snippets/authelia-auth.conf proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -- 2.40.1 From 3d353c4b84018977d5353ff41accc6275bbf42ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:43:37 +0200 Subject: [PATCH 07/15] general: add show-pass.sh --- show-pass.sh | 2 ++ 1 file changed, 2 insertions(+) create mode 100755 show-pass.sh diff --git a/show-pass.sh b/show-pass.sh new file mode 100755 index 0000000..b8a695e --- /dev/null +++ b/show-pass.sh 
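Review bot: Including `authelia-auth.conf` inside `location /` puts `auth_request` in front of every Keycloak path, including the OIDC token, JWKS and discovery endpoints that relying services call without a browser session; those calls will receive the 302 to the portal instead of JSON. If that is not intended, add a `bypass` rule for those paths in Authelia's `access_control`, or give them a separate nginx `location` without the include. The enclosing `server {` block starts outside the hunk.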
@@ -0,0 +1,2 @@ +#!/bin/env fish +ansible-vault view --vault-password-file (pass show ansible-homelab | psub) vault/passwords.yml \ No newline at end of file -- 2.40.1 From 8658efa4d98a89015e3f1736dfc1dc28da61e865 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 19:44:58 +0200 Subject: [PATCH 08/15] minor: add space around variable --- roles/authelia/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml index 7eed48d..d8e5b9e 100644 --- a/roles/authelia/tasks/main.yml +++ b/roles/authelia/tasks/main.yml @@ -34,6 +34,6 @@ - name: copy nginx conf template: src: "authelia.conf.j2" - dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf" + dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf" mode: "755" notify: reload nginx \ No newline at end of file -- 2.40.1 From 3ee7f941942cb7e5256e5f1f3c016618bb951544 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 20:35:08 +0200 Subject: [PATCH 09/15] minor: add missing semicolon --- roles/keycloak/templates/keycloak.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2 index 534ee62..6bb5776 100644 --- a/roles/keycloak/templates/keycloak.conf.j2 +++ b/roles/keycloak/templates/keycloak.conf.j2 @@ -17,7 +17,7 @@ server { location / { proxy_pass http://$keycloak:8080; - include /etc/nginx/snippets/authelia-auth.conf + include /etc/nginx/snippets/authelia-auth.conf; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -- 2.40.1 From 171ef655f85d25ffe4889d3b074dd110cd748ada Mon Sep 17 00:00:00 2001 
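Review bot: `#!/bin/env fish` only works on systems where `env` lives in `/bin` (merged-`/usr` distributions); the portable form is `#!/usr/bin/env fish`. The same interpreter line is added to `provision.sh` in patch 11. Passing the vault password through `psub` rather than on the command line keeps it out of `ps` output, which is the right choice; a short comment on that line, e.g. `# psub keeps the vault password off the command line`, would preserve the reason.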
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 20:37:06 +0200 Subject: [PATCH 10/15] general: add provision.sh --- provision.sh | 1 + roles/authelia/templates/authelia.conf.j2 | 1 + roles/authelia/templates/configuration.yml.j2 | 4 +++- roles/nginx/templates/snippets/proxy.conf.j2 | 3 +++ 4 files changed, 8 insertions(+), 1 deletion(-) create mode 100755 provision.sh diff --git a/provision.sh b/provision.sh new file mode 100755 index 0000000..d1518ba --- /dev/null +++ b/provision.sh @@ -0,0 +1 @@ +ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision \ No newline at end of file diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2 index 463c3dc..c8cb9d2 100644 --- a/roles/authelia/templates/authelia.conf.j2 +++ b/roles/authelia/templates/authelia.conf.j2 @@ -1,5 +1,6 @@ server { listen 80; + server_name auth.{{ base_domain }}; return 301 https://$host$request_uri; } diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2 index fbd72a0..0c7d6d4 100644 --- a/roles/authelia/templates/configuration.yml.j2 +++ b/roles/authelia/templates/configuration.yml.j2 @@ -28,8 +28,10 @@ access_control: default_policy: deny rules: - domain: + - "{{ base_domain }}" + - "*.{{ base_domain }}" - "keycloak.{{ base_domain }}" - policy: one_factor + policy: deny session: name: authelia_session secret: somerandomsecret diff --git a/roles/nginx/templates/snippets/proxy.conf.j2 b/roles/nginx/templates/snippets/proxy.conf.j2 index 26461f5..329c492 100644 --- a/roles/nginx/templates/snippets/proxy.conf.j2 +++ b/roles/nginx/templates/snippets/proxy.conf.j2 
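Review bot: The `access_control` change in the `configuration.yml.j2` hunk is unrelated to the commit subject (`add provision.sh`) and flips Keycloak from `one_factor` to `deny` for the whole domain, a behavioural change that deserves its own commit message. With `*.{{ base_domain }}` in the list the `keycloak.{{ base_domain }}` entry is redundant, and since `default_policy` is already `deny` the rule as written adds nothing; if this is a temporary lockout, a comment such as `# temporary: deny everything until the portal is verified` above the rule would say so.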
@@ -27,6 +27,9 @@ proxy_buffers 64 256k;
 # If behind reverse proxy, forwards the correct IP
 set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 172.17.0.0/16;
+set_real_ip_from 172.18.0.0/16;
+set_real_ip_from 172.19.0.0/16;
 set_real_ip_from 192.168.0.0/16;
 set_real_ip_from fc00::/7;
 real_ip_header X-Forwarded-For;
-- 2.40.1
From ff9020264633c7440fb522dfc4ba1447538edd32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Sun, 20 Jun 2021 20:57:30 +0200
Subject: [PATCH 11/15] provision.sh: add fish hashbang
---
 provision.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/provision.sh b/provision.sh
index d1518ba..a77faa4 100755
--- a/provision.sh
+++ b/provision.sh
@@ -1 +1,2 @@
+#!/bin/env fish
 ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision
\ No newline at end of file
-- 2.40.1
From 13c9974b4db884599c2cbfc0a5f9ad480c00073d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Sun, 20 Jun 2021 20:58:09 +0200
Subject: [PATCH 12/15] Fix authelia-*.conf
The example at https://www.authelia.com/docs/deployment/supported-proxies/nginx.html does not seem to work. Updated with code from: https://github.com/linuxserver/docker-swag/blob/master/root/defaults/authelia-server.conf https://github.com/linuxserver/docker-swag/blob/master/root/defaults/authelia-location.conf
---
 roles/authelia/templates/authelia-auth.conf.j2 | 16 ++--------------
 .../templates/authelia-endpoint.conf.j2 | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/roles/authelia/templates/authelia-auth.conf.j2 b/roles/authelia/templates/authelia-auth.conf.j2
index ef19a01..8c78b57 100644
--- a/roles/authelia/templates/authelia-auth.conf.j2
+++ b/roles/authelia/templates/authelia-auth.conf.j2
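Review bot: `172.17.0.0/16`, `172.18.0.0/16` and `172.19.0.0/16` all lie inside the `172.16.0.0/12` entry on the line above, so the three new `set_real_ip_from` lines are no-ops and whatever problem motivated them is not solved here. If the intent was to document which ranges are Docker bridges, a comment such as `# 172.16.0.0/12 already covers the default Docker bridge networks` on the existing line carries the information without the redundant entries.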
@@ -1,14 +1,5 @@ -# Basic Authelia Config -# Send a subsequent request to Authelia to verify if the user is authenticated -# and has the right permissions to access the resource. -auth_request /authelia; -# Set the `target_url` variable based on the request. It will be used to build the portal -# URL with the correct redirection parameter. +auth_request /authelia/api/verify; auth_request_set $target_url $scheme://$http_host$request_uri; -# Set the X-Forwarded-User and X-Forwarded-Groups with the headers -# returned by Authelia for the backends which can consume them. -# This is not safe, as the backend must make sure that they come from the -# proxy. In the future, it's gonna be safe to just use OAuth. auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; @@ -17,7 +8,4 @@ proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; -# If Authelia returns 401, then nginx redirects the user to the login portal. -# If it returns 200, then the request pass through to the backend. -# For other type of errors, nginx will handle them as usual. -error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url; \ No newline at end of file +error_page 401 =302 https://$http_host/authelia/?rd=$target_url; \ No newline at end of file diff --git a/roles/authelia/templates/authelia-endpoint.conf.j2 b/roles/authelia/templates/authelia-endpoint.conf.j2 index 461904e..a218595 100644 --- a/roles/authelia/templates/authelia-endpoint.conf.j2 +++ b/roles/authelia/templates/authelia-endpoint.conf.j2 
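Review bot: The rewrite drops every explanatory comment from the snippet: what `auth_request /authelia/api/verify;` is for, why `$target_url` is captured, and the warning that `Remote-User`/`Remote-Groups` are only trustworthy when the backend is reachable solely through this proxy. That last warning should survive, since the remaining directives give no hint of the trust assumption; a single line above `auth_request_set $user ...` such as `# Remote-* headers are trusted by backends; they must be reachable only via this proxy` is enough.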
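Review bot: `error_page 401 =302 https://$http_host/authelia/?rd=$target_url;` builds the redirect from the client-supplied Host header, and `$target_url` (also derived from `$http_host`) is interpolated unescaped; in a server block that is the default or uses a wildcard `server_name`, a crafted Host header turns this into a redirect to an attacker-chosen origin. Prefer `$host` (normalised by nginx against `server_name`) or the fixed portal address, and URL-encode `$target_url` before placing it in `rd` so `&`/`#` in the original request cannot truncate it.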
@@ -1,10 +1,17 @@ -set $upstream_authelia http://authelia:9091/api/verify; +location ^~ /authelia { + include /etc/nginx/snippets/proxy.conf; + set $upstream_authelia authelia; + proxy_pass http://$upstream_authelia:9091; +} -# Virtual endpoint created by nginx to forward auth requests. -location /authelia { +location = /authelia/api/verify { internal; + if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) { + return 401; + } + set $upstream_authelia authelia; proxy_pass_request_body off; - proxy_pass $upstream_authelia; + proxy_pass http://$upstream_authelia:9091; proxy_set_header Content-Length ""; # Timeout if the real server is dead @@ -19,11 +26,11 @@ location /authelia { proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; -- 2.40.1 From a465111aa71da1c3a3802a5be855121eb822d7c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 21:53:20 +0200 Subject: [PATCH 13/15] authelia: move proxy config up --- roles/authelia/templates/authelia.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2 index c8cb9d2..73e2ddc 100644 --- a/roles/authelia/templates/authelia.conf.j2 +++ b/roles/authelia/templates/authelia.conf.j2 
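Review bot: In `if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]])` the unescaped `+-=` is a character range from `+` to `=`, which is presumably the only reason `/`, `,` and `<` pass the check; if the range is intended, spell out the characters it admits, and if not, escape the `-` or move it to the end of the class. Any character outside the class (`>`, `|`, `{`, `}`, `"`, non-ASCII) yields `return 401`, which `authelia-auth.conf` then turns into a redirect to the portal — a confusing failure for legitimate URLs — so a comment above the `if` stating what the guard is for would help. The `location ^~ /authelia` block serves the Authelia UI on every vhost that includes this snippet, which is only correct because `configuration.yml.j2` sets `server.path: "authelia"`; that coupling deserves a comment at the top of the file.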
@@ -9,8 +9,8 @@ server { listen 443 ssl http2; location / { + include /etc/nginx/snippets/proxy.conf; set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment proxy_pass $upstream_authelia; - include /etc/nginx/snippets/proxy.conf; } } \ No newline at end of file -- 2.40.1 From 90d1065f53316e9f1fdabf8a4cc6edc34ec1d638 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 21:53:45 +0200 Subject: [PATCH 14/15] vault: change keycloak admin --- vault/passwords.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/vault/passwords.yml b/vault/passwords.yml index 046e499..cea236d 100644 --- a/vault/passwords.yml +++ b/vault/passwords.yml 
@@ -1,19 +1,19 @@ $ANSIBLE_VAULT;1.1;AES256 -30346235333931303864373164626134343138306564323034633139363931653066326263333063 -6532376231363635613930376137326439306437636433370a643535356131363164373764613531 -36363735323930306338623164636563626334653532386632303936343737363731323166323530 -3439353635343236350a663261636633633033396262333164363062396464366135306135386337 -37333232376531353332373930306462393634386533636363343736646537666665633262633363 -64373434633963316365306562333765313439366431313234313563376630643931386363383233 -33363665613937366433643133613565646364303362626433396339313535383166326138313139 -61616333333530333761393631323461376536363733323764333631346338393166613531666335 -35373764376434346638356439393964313436366439366363393766643333623165353266386634 -66326434333165663630326332333061626366356363313538393130356365343738363237653565 -63613439373930326165326538386566636466306137636336663736333063613238356137346630 -31643064623563656438613665393332656435636233623265323063366139643937633132656337 -65326137396134333230616262333337373833663439313635663438396461373130396332316331 -66613933343365363335653135663237363538353863623534373563626166313034323039396334 -61383766343264313438353261306233373562343939663232383466336232373865356561316139 -38316466306531326165343265393262646463626563306363353765343462316534323336356432 -34373661363562636137393235323839616430376163393362313363626636343064663739313963 -3361333438346265623738393431346433353436666262396264 +35356537316639386637316365393533643061363734323630393363313237643935666639653963 +3734376266353938653631323266663139306335646635660a373233663964623335663366333434 +34386136656530386639646234316238326132616131616632346537613963636637393839613661 +6366326639643632320a386436316165343166366134633464393461653434323934326238313430 +39323439306637306134326635323138616337646336653238636539643538613664303764303661 +39636661353538393532663937396363656664613334383261336664336237356366663334633430 
+36356235383930653835393439373737623036613565313131626462363034303062323662663832 +66613833613336646633383835653161386363386136663764653734313763383231626434393864 +63313061346335383933623630396336336561633938613237643238616531343766613734666132 +32306362616131396266656162653563356137383239616464306662643032623438373764306361 +32363133626662633435626232653061373831626563323861626635383039613136303632613335 +61363265316534653033393763646565393330633063323634353932353936303638356433306362 +65383938306637333765383263653939633964613230613835326630313761323561376162646439 +62323035323634323766393233326363383364653531306432663263303831623936616139306639 +64303863386265343165666435363761653464386366636366323261353731643263356635383536 +66326666616339653731633530663161363933383334376238313637356331663431336433643338 +64313861306161373538363332663363623131303561373237326436373838393965306663333835 +3764356534323963303832653964666431626538316361613137 -- 2.40.1 From 9cf68c4fda061ce269e0544364ad5680cc226697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 21:54:32 +0200 Subject: [PATCH 15/15] authelia: set everything to bypass for now --- roles/authelia/templates/configuration.yml.j2 | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2 index 0c7d6d4..f188cbe 100644 --- a/roles/authelia/templates/configuration.yml.j2 +++ b/roles/authelia/templates/configuration.yml.j2 @@ -27,12 +27,8 @@ authentication_backend: access_control: default_policy: deny rules: - - domain: - - "{{ base_domain }}" - - "*.{{ base_domain }}" - - "keycloak.{{ base_domain }}" - policy: deny -session: + - domain: "*.{{ base_domain }}" + policy: bypass name: authelia_session secret: somerandomsecret expiration: 1h -- 2.40.1
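Review bot: The hunk removes the `session:` line without re-adding it, so `name: authelia_session`, `secret:` and `expiration:` are left dangling after the `rules` list and the rendered `configuration.yml` is no longer valid; `session:` must follow `policy: bypass`. With `policy: bypass` on `*.{{ base_domain }}`, `/api/verify` answers 200 for every request, so the `auth_request` include added to `keycloak.conf.j2` in patch 06 is a no-op and Keycloak is reachable through nginx without any authentication. The subject says "for now", so a `# TODO: restore one_factor for keycloak once the portal works` comment beside the rule would keep the intended policy from being forgotten.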