From dffeccfd5a17234aa6ed9de8a386f5c9256a8c7a Mon Sep 17 00:00:00 2001
From: NullBite <me@nullbite.com>
Date: Mon, 15 Jul 2024 00:23:43 -0400
Subject: [PATCH] authelia: apparently it's outdated (revert later)

---
 hosts/rpi4/authelia.nix | 84 ++++++++++++++++++++---------------------
 1 file changed, 42 insertions(+), 42 deletions(-)

diff --git a/hosts/rpi4/authelia.nix b/hosts/rpi4/authelia.nix
index 3bd6a2a..efcf419 100644
--- a/hosts/rpi4/authelia.nix
+++ b/hosts/rpi4/authelia.nix
@@ -80,8 +80,12 @@ let
 
     ## Headers
     ## The headers starting with X-* are required.
-    proxy_set_header X-Original-Method $request_method;
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";
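Review bot: X-Forwarded-Host (and the existing X-Original-URL) are populated from `$http_host`, which is the client-supplied Host header rather than the vhost's configured name; Authelia will evaluate access rules against and build redirects from whatever that header contains. If this vhost is nginx's `default_server` or has a catch-all `server_name`, that value is effectively attacker-chosen, so either pin the vhost to an explicit `server_name` or use `$host`, and record the choice next to the header block, e.g. `## $http_host is trusted here because this vhost has an explicit server_name`. Minor: the new header is spelled `X-Forwarded-Uri` while the block removed in the second hunk spelled it `X-Forwarded-URI`; header names are case-insensitive, but using one spelling keeps grep and log review simple. The `autheliaLocation` string these lines belong to starts outside the hunk.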
@@ -103,59 +107,39 @@ let
     proxy_connect_timeout 240;
   '';
   autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
-  autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
-    ${autheliaLocation}
-
-    # Auth Basic Headers
-    proxy_set_header X-Original-Method $request_method;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-URI $request_uri;
-  '';
-
-  genAuthConfig =
-    method:
-    let
-      snippet_regular = ''
-        ## Configure the redirection when the authz failure occurs. Lines starting
-        ## with 'Modern Method' and 'Legacy Method' should be commented /
-        ## uncommented as pairs. The modern method uses the session cookies
-        ## configuration's authelia_url value to determine the redirection URL here.
-        ## It's much simpler and compatible with the mutli-cookie domain easily.
-
-        ## Modern Method: Set the $redirection_url to the Location header of the
-        ## response to the Authz endpoint.
-        auth_request_set $redirection_url $upstream_http_location;
-
-        ## Modern Method: When there is a 401 response code from the authz endpoint
-        ## redirect to the $redirection_url.
-        error_page 401 =302 $redirection_url;
+  autheliaBasicLocationConfig = autheliaLocationConfig;
+  genAuthConfig = method: endpoint: let
+      redirect = ''
+        ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+        error_page 401 =302 ${endpoint}/?rd=$target_url;
       '';
-    in
-    ''
-      ## Send a subrequest to Authelia to verify if the user is authenticated and
-      # has permission to access the resource.
-
+    in ''
       auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
 
-      ## Save the upstream metadata response headers from Authelia to variables.
+      ## Set the $target_url variable based on the original request.
+
+      ## Comment this line if you're using nginx without the http_set_misc module.
+      # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+      ## Uncomment this line if you're using NGINX without the http_set_misc module.
+      set $target_url $scheme://$http_host$request_uri;
+
+      ## Save the upstream response headers from Authelia to variables.
       auth_request_set $user $upstream_http_remote_user;
       auth_request_set $groups $upstream_http_remote_groups;
       auth_request_set $name $upstream_http_remote_name;
       auth_request_set $email $upstream_http_remote_email;
 
-      ## Inject the metadata response headers from the variables into the request
-      ## made to the backend.
+      ## Inject the response headers from the variables into the request made to the backend.
       proxy_set_header Remote-User $user;
       proxy_set_header Remote-Groups $groups;
       proxy_set_header Remote-Name $name;
       proxy_set_header Remote-Email $email;
 
-      ${optionalString (method == "regular") snippet_regular}
+      ${optionalString (method == "regular") redirect}
     '';
   genAuthConfigPkg =
-    method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
+    method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
 in
 {
   # authelia
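Review bot: `set $target_url $scheme://$http_host$request_uri;` is embedded verbatim into `error_page 401 =302 ${endpoint}/?rd=$target_url;` with the `set_escape_uri` line left commented out, so a request URI containing `&`, `#` or `%` is not encoded inside the `rd` query parameter; a target like `/path?a=1&b=2` will reach the portal as `rd=...?a=1` with `b=2` parsed as a separate parameter, and the post-login redirect lands on a truncated URL. If the nginx build here lacks `http_set_misc`, a comment stating that limitation belongs on the `set` line, e.g. `## NOTE: $request_uri is not percent-encoded here; query strings with & or # are truncated in rd=`; if the module is available, the `set_escape_uri` form should be the active one. Separately, `${endpoint}` is spliced unquoted into an nginx directive, so any value with spaces or `;` breaks the generated config rather than failing at option evaluation; validating it where the option is declared is cheaper than debugging a failed nginx reload. Also `subreqest` in the new redirect comment is a typo for `subrequest`. `genAuthConfig` is bound inside a `let` that starts outside this hunk.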
@@ -174,6 +158,7 @@ in
             locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
             authelia = {
               endpoint = {
+                # endpoint settings
                 instance = lib.mkOption {
                   description = ''
                     Local Authelia instance to act as the authentication endpoint.
@@ -192,6 +177,13 @@ in
                   default = null;
                 };
               };
+              # client settings
+              endpointURL = lib.mkOption {
+                description = ''
+                  (temporary) authelia endpoint redirect URL.
+                '';
+                type = with types; str;
+              };
               instance = lib.mkOption {
                 description = ''
                   Local Authelia instance to use. Setting this option will
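Review bot: `endpointURL` is declared as `types.str` with no default and no shape constraint, yet its value is concatenated as `${endpoint}/?rd=...` in the generated nginx config, so a value with a trailing slash produces `https://auth.example//?rd=` (constructed example) and a non-URL value produces an nginx directive that only fails at reload time. Tightening the type to something like `type = types.strMatching "^https?://[^/]+$";` and stating the expected form in the description — `External origin of the Authelia portal, scheme://host[:port], no path or trailing slash.` — catches both at evaluation time. The per-location option `options.authelia.endpointURL` added in the `@@ -291,6 +283,14 @@` hunk inherits this default from `vhostConfig.authelia.endpointURL` and should carry the same type. The enclosing `authelia = { ... }` attribute set starts outside this hunk.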
@@ -233,7 +225,7 @@ in
             # authelia nginx internal endpoints
             locations =
               let
-                api = "${config.authelia.upstream}/api/authz/auth-request";
+                api = "${config.authelia.upstream}/api/verify";
               in
               lib.mkMerge [
                 (lib.mkIf (!(isNull config.authelia.upstream)) {
@@ -246,7 +238,7 @@ in
                     '';
                   };
                   "/internal/authelia/authz/basic" = {
-                    proxyPass = "${api}/basic";
+                    proxyPass = "${api}?auth=basic";
                     recommendedProxySettings = false;
                     extraConfig = ''
                       include ${autheliaBasicLocationConfig};
@@ -291,6 +283,14 @@ in
             default = vhostConfig.authelia.method;
             example = "basic";
           };
+          options.authelia.endpointURL = lib.mkOption {
+            description = ''
+              (temporary) authelia endpoint redirect URL.
+            '';
+            type = with types; str;
+            default = vhostConfig.authelia.endpointURL;
+          };
+
           config =
             lib.mkIf
               (
@@ -300,7 +300,7 @@ in
               )
               {
                 extraConfig = ''
-                  include ${genAuthConfigPkg config.authelia.method};
+                  include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
                 '';
               };
         };