diff --git a/hosts/rpi4/authelia.nix b/hosts/rpi4/authelia.nix
index 3bd6a2a..efcf419 100644
--- a/hosts/rpi4/authelia.nix
+++ b/hosts/rpi4/authelia.nix
@@ -80,8 +80,12 @@ let
     ## Headers
     ## The headers starting with X-* are required.
-    proxy_set_header X-Original-Method $request_method;
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";
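Review bot: `X-Forwarded-Host` and the host part of `X-Original-URL` are taken from `$http_host`, i.e. the client's own Host header, and Authelia evaluates its access-control domain rules and builds the post-login return target from those values. That is harmless when this snippet is only included in server blocks with an explicit `server_name`, but if any such block is `default_server` or uses a wildcard name a client can pick which domain's rules it is checked against; the server-block side is outside this hunk, so I cannot tell. Either switch to `$host` (nginx's normalised, port-stripped value) where a non-default port does not need to round-trip, or record the assumption next to the header: `## X-Forwarded-Host is client-supplied; every vhost including this snippet must pin server_name.` Overwriting `X-Forwarded-For` with `$remote_addr` rather than appending `$proxy_add_x_forwarded_for` is the right choice here, since it discards any client-supplied chain.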
@@ -103,59 +107,39 @@ let
           proxy_connect_timeout 240;
   '';
   autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
-  autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
-    ${autheliaLocation}
-
-    # Auth Basic Headers
-    proxy_set_header X-Original-Method $request_method;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-URI $request_uri;
-  '';
-
-  genAuthConfig =
-    method:
-    let
-      snippet_regular = ''
-        ## Configure the redirection when the authz failure occurs. Lines starting
-        ## with 'Modern Method' and 'Legacy Method' should be commented /
-        ## uncommented as pairs. The modern method uses the session cookies
-        ## configuration's authelia_url value to determine the redirection URL here.
-        ## It's much simpler and compatible with the mutli-cookie domain easily.
-
-        ## Modern Method: Set the $redirection_url to the Location header of the
-        ## response to the Authz endpoint.
-        auth_request_set $redirection_url $upstream_http_location;
-
-        ## Modern Method: When there is a 401 response code from the authz endpoint
-        ## redirect to the $redirection_url.
-        error_page 401 =302 $redirection_url;
+  autheliaBasicLocationConfig = autheliaLocationConfig;
+  genAuthConfig = method: endpoint: let
+    redirect = ''
+      ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+      error_page 401 =302 ${endpoint}/?rd=$target_url;
       '';
-    in
-    ''
-      ## Send a subrequest to Authelia to verify if the user is authenticated and
-      # has permission to access the resource.
-
+    in ''
       auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
-      ## Save the upstream metadata response headers from Authelia to variables.
+      ## Set the $target_url variable based on the original request.
+
+      ## Comment this line if you're using nginx without the http_set_misc module.
+      # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+      ## Uncomment this line if you're using NGINX without the http_set_misc module.
+      set $target_url $scheme://$http_host$request_uri;
+
+      ## Save the upstream response headers from Authelia to variables.
       auth_request_set $user $upstream_http_remote_user;
       auth_request_set $groups $upstream_http_remote_groups;
       auth_request_set $name $upstream_http_remote_name;
       auth_request_set $email $upstream_http_remote_email;
-      ## Inject the metadata response headers from the variables into the request
-      ## made to the backend.
+      ## Inject the response headers from the variables into the request made to the backend.
       proxy_set_header Remote-User $user;
       proxy_set_header Remote-Groups $groups;
       proxy_set_header Remote-Name $name;
       proxy_set_header Remote-Email $email;
-      ${optionalString (method == "regular") snippet_regular}
+      ${optionalString (method == "regular") redirect}
     '';
   genAuthConfigPkg =
-    method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
+    method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
 in
 {
   # authelia
@@ -174,6 +158,7 @@ in
       locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
       authelia = {
         endpoint = {
+          # endpoint settings
           instance = lib.mkOption {
             description = ''
               Local Authelia instance to act as the authentication endpoint.
@@ -192,6 +177,13 @@ in
             default = null;
           };
         };
+        # client settings
+        endpointURL = lib.mkOption {
+          description = ''
+            (temporary) authelia endpoint redirect URL.
+          '';
+          type = with types; str;
+        };
         instance = lib.mkOption {
           description = ''
             Local Authelia instance to use. Setting this option will
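Review bot: The `rd` value on the `error_page 401 =302 ${endpoint}/?rd=$target_url;` line is built from `set $target_url $scheme://$http_host$request_uri;` with no percent-encoding, because the `set_escape_uri` line is the commented-out one; any original request whose URI contains `&` or `#` therefore produces an `rd` that is cut at that character, with the remainder reaching the portal as separate query parameters, so post-login return lands on the wrong URL, and since `$http_host` is client-supplied the portal's own rd validation is the only thing standing between this and an open redirect. If this nginx is built with `http_set_misc`, make `set_escape_uri` the active line and comment out the plain `set`; otherwise state the limitation next to `set`. The two template comments also read inverted for the state they annotate (the one above the disabled `set_escape_uri` says "Comment this line", the one above the active `set` says "Uncomment this line"); I would reword them to `## Preferred: percent-encodes rd, but needs the http_set_misc module.` and `## Fallback for nginx without http_set_misc: rd is NOT percent-encoded.`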
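Review bot: `endpointURL` is declared as a bare `types.str` with no default and, per the `genAuthConfig` hunk above, is interpolated verbatim into an nginx directive as `${endpoint}/?rd=...`, so a value with a trailing slash yields `//?rd=` and one containing whitespace or `;` breaks or injects nginx configuration; the value is operator-controlled, so this is a footgun rather than an attack surface, but the description gives no hint of the expected shape. Suggest `type = types.strMatching "^https?://[^/; ]+$";` and a description along the lines of `Public URL of the Authelia portal, scheme and host only, no trailing slash; used as the 302 target for unauthenticated requests.` The `(temporary)` tag should say what it is temporary pending, or be dropped.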
@@ -233,7 +225,7 @@ in
       # authelia nginx internal endpoints
       locations =
         let
-          api = "${config.authelia.upstream}/api/authz/auth-request";
+          api = "${config.authelia.upstream}/api/verify";
         in
         lib.mkMerge [
           (lib.mkIf (!(isNull config.authelia.upstream)) {
@@ -246,7 +238,7 @@ in
             '';
           };
           "/internal/authelia/authz/basic" = {
-            proxyPass = "${api}/basic";
+            proxyPass = "${api}?auth=basic";
             recommendedProxySettings = false;
             extraConfig = ''
               include ${autheliaBasicLocationConfig};
@@ -291,6 +283,14 @@ in
             default = vhostConfig.authelia.method;
             example = "basic";
           };
+          options.authelia.endpointURL = lib.mkOption {
+            description = ''
+              (temporary) authelia endpoint redirect URL.
+            '';
+            type = with types; str;
+            default = vhostConfig.authelia.endpointURL;
+          };
+
           config = lib.mkIf (
@@ -300,7 +300,7 @@ in
           ) {
             extraConfig = ''
-              include ${genAuthConfigPkg config.authelia.method};
+              include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
             '';
           };
         };
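Review bot: The `api =` line moves the auth subrequest from `/api/authz/auth-request` back to `/api/verify` with no comment recording why, and nothing else in the diff explains it. As far as I recall Authelia documents `/api/verify` as the legacy endpoint and `/api/authz/*` as its replacement, so the next maintainer is likely to "fix" this forward again and silently re-break whatever motivated the revert; add a comment above the line such as `# Legacy verify endpoint on purpose: the authz endpoint is not used because <reason>.` with the real reason filled in. The `locations =` definition this hunk opens continues past the end of the hunk.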