authelia: wip
This commit is contained in:
parent
c99c0e18d8
commit
f69cec5ba8
GPG Key ID:
6C4D545385D4925A
@ -106,6 +106,48 @@ let
|
|||||||
proxy_set_header X-Forwarded-URI $request_uri;
|
proxy_set_header X-Forwarded-URI $request_uri;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
genAuthConfig =
|
||||||
|
method:
|
||||||
|
let
|
||||||
|
snippet_regular = ''
|
||||||
|
## Configure the redirection when the authz failure occurs. Lines starting
|
||||||
|
## with 'Modern Method' and 'Legacy Method' should be commented /
|
||||||
|
## uncommented as pairs. The modern method uses the session cookies
|
||||||
|
## configuration's authelia_url value to determine the redirection URL here.
|
||||||
|
## It's much simpler and compatible with the mutli-cookie domain easily.
|
||||||
|
|
||||||
|
## Modern Method: Set the $redirection_url to the Location header of the
|
||||||
|
## response to the Authz endpoint.
|
||||||
|
auth_request_set $redirection_url $upstream_http_location;
|
||||||
|
|
||||||
|
## Modern Method: When there is a 401 response code from the authz endpoint
|
||||||
|
## redirect to the $redirection_url.
|
||||||
|
error_page 401 =302 $redirection_url;
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
''
|
||||||
|
## Send a subrequest to Authelia to verify if the user is authenticated and
|
||||||
|
# has permission to access the resource.
|
||||||
|
|
||||||
|
auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"};
|
||||||
|
|
||||||
|
## Save the upstream metadata response headers from Authelia to variables.
|
||||||
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
auth_request_set $name $upstream_http_remote_name;
|
||||||
|
auth_request_set $email $upstream_http_remote_email;
|
||||||
|
|
||||||
|
## Inject the metadata response headers from the variables into the request
|
||||||
|
## made to the backend.
|
||||||
|
proxy_set_header Remote-User $user;
|
||||||
|
proxy_set_header Remote-Groups $groups;
|
||||||
|
proxy_set_header Remote-Name $name;
|
||||||
|
proxy_set_header Remote-Email $email;
|
||||||
|
|
||||||
|
${optionalString method == "regular" snippet_regular}
|
||||||
|
'';
|
||||||
|
genAuthConfigPkg =
|
||||||
|
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# authelia
|
# authelia
|
||||||
@ -221,14 +263,13 @@ in
|
|||||||
example = "basic";
|
example = "basic";
|
||||||
};
|
};
|
||||||
config =
|
config =
|
||||||
lib.mkIf (!(isNull vhostConfig.authelia.upstream))
|
lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name))
|
||||||
&& (!(lib.strings.hasPrefix "/internal/authelia/" name)) lib.mkMerge [
|
&& (!(isNull vhostConfig.authelia.upstream))
|
||||||
(
|
&& (!(isNull config.authelia.method)) {
|
||||||
lib.mkIf config.authelia.method == "regular" {
|
extraConfig = ''
|
||||||
|
include ${genAuthConfigPkg config.authelia.method};
|
||||||
}
|
'';
|
||||||
)
|
};
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user