authelia/internal/suites/example/compose/nginx/portal/nginx.conf

#
# You can find a documented example of configuration in ./docs/proxies/nginx.md.
#
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 8080 ssl;
        server_name     login.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $frontend_endpoint http://authelia-frontend:3000;
        set $backend_endpoint https://authelia-backend:9091;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        error_page 497 301 =307 https://$host:$server_port$request_uri;

        # Serve the backend API for the portal.
        location /api {
            proxy_set_header  X-Real-IP $remote_addr;

            # Required by Authelia because "trust proxy" option is used.
            # See https://expressjs.com/en/guide/behind-proxies.html
            proxy_set_header  X-Forwarded-Proto $scheme;

            # Required by Authelia to build correct links for identity validation.
            proxy_set_header  X-Forwarded-Host $http_host;

            # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
            # and allows Authelia to use it to match the network-based ACLs.
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_intercept_errors on;

            proxy_pass        $backend_endpoint;
        }

        # Serves the portal application.
        location / {
            # Allow websockets for webpack to auto-reload.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host "127.0.0.1";

            proxy_pass        $frontend_endpoint;
        }
    }

    # Serves the home page.
    server {
        listen 8080 ssl;
        server_name     home.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://nginx-backend;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        error_page 497 301 =307 https://$host:$server_port$request_uri;

        location / {
            proxy_set_header  Host $http_host;
            proxy_pass        $upstream_endpoint;
        }
    }

    # Example configuration of domains protected by Authelia.
    server {
        listen 8080 ssl; 
        server_name     public.example.com
                        admin.example.com
                        secure.example.com
                        dev.example.com
                        singlefactor.example.com
                        mx1.mail.example.com mx2.mail.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify https://authelia-backend:9091/api/verify;
        set $upstream_endpoint http://nginx-backend;
        set $upstream_headers http://httpbin:8000/headers;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        error_page 497 301 =307 https://$host:$server_port$request_uri;

        # Reverse proxy to the backend. It is protected by Authelia by forwarding authorization checks
        # to the virtual endpoint introduced by nginx and declared in the next block.
        location / {
            auth_request /auth_verify;
            
            auth_request_set            $user $upstream_http_remote_user;
            proxy_set_header            Remote-User $user;
            
            auth_request_set            $groups $upstream_http_remote_groups;
            proxy_set_header            Remote-Groups $groups;

            auth_request_set            $name $upstream_http_remote_name;
            proxy_set_header            Remote-Name $name;

            auth_request_set            $email $upstream_http_remote_email;
            proxy_set_header            Remote-Email $email;

            # Route the request to the correct virtual host in the backend.
            proxy_set_header            Host $http_host;

            # Authelia relies on Proxy-Authorization header to authenticate in basic auth.
            # but for the sake of simplicity (because Authorization in supported in most
            # clients) we take Authorization from the frontend and rewrite it to
            # Proxy-Authorization before sending it to Authelia.
            proxy_set_header            Proxy-Authorization $http_authorization;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header            Proxy "";

            # Set the `target_url` variable based on the request. It will be used to build the portal
            # URL with the correct redirection parameter.
            set                         $target_url $scheme://$http_host$request_uri;
            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;

            proxy_pass                  $upstream_endpoint;
        }

        # Virtual endpoint forwarding requests to Authelia server.
        location /auth_verify {
            internal;
            proxy_set_header            X-Real-IP $remote_addr;

            # Provide either X-Original-URL and X-Forwarded-Proto or
            # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-URI or both.
            # Those headers will be used by Authelia to deduce the target url of the user.
            #
            # X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option.
            # See https://expressjs.com/en/guide/behind-proxies.html
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;

            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-Host $http_host;
            proxy_set_header            X-Forwarded-URI $request_uri;
            
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            # Authelia can receive Proxy-Authorization to authenticate however most of the clients
            # support Authorization instead. Therefore we rewrite Authorization into Proxy-Authorization.
            proxy_set_header            Proxy-Authorization $http_authorization;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass                  $upstream_verify;
        }

        # Used by suites to test the forwarded users and groups headers produced by Authelia.
        location /headers {
            auth_request /auth_verify;

            auth_request_set            $user $upstream_http_remote_user;
            proxy_set_header            Remote-User $user;
            
            auth_request_set            $groups $upstream_http_remote_groups;
            proxy_set_header            Remote-Groups $groups;

            auth_request_set            $name $upstream_http_remote_name;
            proxy_set_header            Remote-Name $name;

            auth_request_set            $email $upstream_http_remote_email;
            proxy_set_header            Remote-Email $email;

            set                         $target_url $scheme://$http_host$request_uri;
            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;

            proxy_pass                  $upstream_headers;
        }
    }

    # Fake Web Mail used to receive emails sent by Authelia.
    server {
        listen 8080 ssl;
        server_name     mail.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://smtp:1080;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        error_page 497 301 =307 https://$host:$server_port$request_uri;

        location / {
            proxy_set_header  Host $http_host;
            proxy_pass        $upstream_endpoint;
        }
    }

    # Fake API emulating Duo behavior
    server {
        listen 443 ssl;
        server_name     duo.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://duo-api:3000;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        error_page 497 301 =307 https://$host:$server_port$request_uri;

        location / {
            proxy_set_header  Host $http_host;
            proxy_pass        $upstream_endpoint;
        }
    }

    # Matches all domains. It redirects to the home page.
    server {
	    listen 8080 ssl;
	    server_name _;

        ssl_certificate     /etc/ssl/server.cert;
        ssl_certificate_key /etc/ssl/server.key;

	    return 301 https://home.example.com:8080/;
    }
}
-												Add documentation for nginx proxy.

											
										
										
											2019-03-22 14:01:05 +00:00
+								#
 								# You can find a documented example of configuration in ./docs/proxies/nginx.md.
 								#
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								worker_processes  1;
 								events {
 								    worker_connections  1024;
 								}
 								http {
 								    server {
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								        listen 8080 ssl;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        server_name     login.example.com;
 								        resolver 127.0.0.11 ipv6=off;
-												Declare suites as Go structs and bootstrap e2e test framework in Go.

Some tests are not fully rewritten in Go, a typescript wrapper is called
instead until we remove the remaining TS tests and dependencies.

Also, dockerize every components (mainly Authelia backend, frontend and kind)
so that the project does not interfere with user host anymore (open ports for instance).
The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts.
It will soon be avoided using authelia.com domain that I own.

											
										
										
											2019-11-02 14:32:58 +00:00
+								        set $frontend_endpoint http://authelia-frontend:3000;
-												[FEATURE] Make Authelia serve over TLS in all suites (#864)

* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
											
										
										
											2020-04-13 23:57:28 +00:00
+								        set $backend_endpoint https://authelia-backend:9091;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 								        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 								        add_header X-Frame-Options "SAMEORIGIN";
-												[MISC] Automatically redirect from http to https in suites. (#769)


											
										
										
											2020-03-22 06:04:51 +00:00
+								        error_page 497 301 =307 https://$host:$server_port$request_uri;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        # Serve the backend API for the portal.
 								        location /api {
 								            proxy_set_header  X-Real-IP $remote_addr;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
 								            # Required by Authelia because "trust proxy" option is used.
 								            # See https://expressjs.com/en/guide/behind-proxies.html
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_set_header  X-Forwarded-Proto $scheme;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
 								            # Required by Authelia to build correct links for identity validation.
 								            proxy_set_header  X-Forwarded-Host $http_host;
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								            # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
 								            # and allows Authelia to use it to match the network-based ACLs.
 								            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_intercept_errors on;
 								            proxy_pass        $backend_endpoint;
 								        }
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
 								        # Serves the portal application.
 								        location / {
 								            # Allow websockets for webpack to auto-reload.
 								            proxy_http_version 1.1;
 								            proxy_set_header Upgrade $http_upgrade;
 								            proxy_set_header Connection "Upgrade";
-												Declare suites as Go structs and bootstrap e2e test framework in Go.

Some tests are not fully rewritten in Go, a typescript wrapper is called
instead until we remove the remaining TS tests and dependencies.

Also, dockerize every components (mainly Authelia backend, frontend and kind)
so that the project does not interfere with user host anymore (open ports for instance).
The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts.
It will soon be avoided using authelia.com domain that I own.

											
										
										
											2019-11-02 14:32:58 +00:00
+								            proxy_set_header Host "127.0.0.1";
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
 								            proxy_pass        $frontend_endpoint;
 								        }
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								    }
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								    # Serves the home page.
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								    server {
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								        listen 8080 ssl;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        server_name     home.example.com;
 								        resolver 127.0.0.11 ipv6=off;
 								        set $upstream_endpoint http://nginx-backend;
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 								        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 								        add_header X-Frame-Options "SAMEORIGIN";
-												[MISC] Automatically redirect from http to https in suites. (#769)


											
										
										
											2020-03-22 06:04:51 +00:00
+								        error_page 497 301 =307 https://$host:$server_port$request_uri;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        location / {
 								            proxy_set_header  Host $http_host;
 								            proxy_pass        $upstream_endpoint;
 								        }
 								    }
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								    # Example configuration of domains protected by Authelia.
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								    server {
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								        listen 8080 ssl;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        server_name     public.example.com
 								                        admin.example.com
 								                        secure.example.com
 								                        dev.example.com
 								                        singlefactor.example.com
 								                        mx1.mail.example.com mx2.mail.example.com;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
 								        resolver 127.0.0.11 ipv6=off;
-												[FEATURE] Make Authelia serve over TLS in all suites (#864)

* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
											
										
										
											2020-04-13 23:57:28 +00:00
+								        set $upstream_verify https://authelia-backend:9091/api/verify;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        set $upstream_endpoint http://nginx-backend;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        set $upstream_headers http://httpbin:8000/headers;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 								        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 								        add_header X-Frame-Options "SAMEORIGIN";
-												[MISC] Automatically redirect from http to https in suites. (#769)


											
										
										
											2020-03-22 06:04:51 +00:00
+								        error_page 497 301 =307 https://$host:$server_port$request_uri;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        # Reverse proxy to the backend. It is protected by Authelia by forwarding authorization checks
 								        # to the virtual endpoint introduced by nginx and declared in the next block.
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        location / {
 								            auth_request /auth_verify;
-												[FEATURE] Add Remote-Name and Remote-Email headers (#1402)


											
										
										
											2020-10-26 11:38:08 +00:00
+								            auth_request_set            $user $upstream_http_remote_user;
 								            proxy_set_header            Remote-User $user;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            auth_request_set            $groups $upstream_http_remote_groups;
 								            proxy_set_header            Remote-Groups $groups;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												[FEATURE] Add Remote-Name and Remote-Email headers (#1402)


											
										
										
											2020-10-26 11:38:08 +00:00
+								            auth_request_set            $name $upstream_http_remote_name;
 								            proxy_set_header            Remote-Name $name;
 								            auth_request_set            $email $upstream_http_remote_email;
 								            proxy_set_header            Remote-Email $email;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            # Route the request to the correct virtual host in the backend.
 								            proxy_set_header            Host $http_host;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								            # Authelia relies on Proxy-Authorization header to authenticate in basic auth.
 								            # but for the sake of simplicity (because Authorization in supported in most
 								            # clients) we take Authorization from the frontend and rewrite it to
 								            # Proxy-Authorization before sending it to Authelia.
 								            proxy_set_header            Proxy-Authorization $http_authorization;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            # mitigate HTTPoxy Vulnerability
 								            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 								            proxy_set_header            Proxy "";
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            # Set the `target_url` variable based on the request. It will be used to build the portal
 								            # URL with the correct redirection parameter.
 								            set                         $target_url $scheme://$http_host$request_uri;
-												Rewrite authelia frontend to improve user experience.

This refactoring simplify the code of the frontend and prepare the
portal for receiving a user settings page and an admin page.

											
										
										
											2019-11-18 23:37:36 +00:00
+								            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
 								            proxy_pass                  $upstream_endpoint;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        }
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        # Virtual endpoint forwarding requests to Authelia server.
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        location /auth_verify {
 								            internal;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            proxy_set_header            X-Real-IP $remote_addr;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            # Provide either X-Original-URL and X-Forwarded-Proto or
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								            # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-URI or both.
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            # Those headers will be used by Authelia to deduce the target url of the user.
 								            #
 								            # X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option.
 								            # See https://expressjs.com/en/guide/behind-proxies.html
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_set_header            X-Forwarded-Proto $scheme;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            proxy_set_header            X-Forwarded-Host $http_host;
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								            proxy_set_header            X-Forwarded-URI $request_uri;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								            # Authelia can receive Proxy-Authorization to authenticate however most of the clients
 								            # support Authorization instead. Therefore we rewrite Authorization into Proxy-Authorization.
 								            proxy_set_header            Proxy-Authorization $http_authorization;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								            proxy_pass_request_body     off;
 								            proxy_set_header            Content-Length "";
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            proxy_pass                  $upstream_verify;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        }
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        # Used by suites to test the forwarded users and groups headers produced by Authelia.
-												[BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.

											
										
										
											2019-03-03 22:51:52 +00:00
+								        location /headers {
 								            auth_request /auth_verify;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            auth_request_set            $user $upstream_http_remote_user;
-												[MISC] Add coverage for Remote-User and Remote-Groups (#982)

* Fix dev workflow.

* Fix dev workflow.

* Cover Remote-User and Remote-Groups using Traefik.

* Cover Remote-User and Remote-Groups using HAProxy.

* Fix redirection after unauthorized response when using HAProxy.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
											
										
										
											2020-05-06 01:50:37 +00:00
+								            proxy_set_header            Remote-User $user;
-												[BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.

											
										
										
											2019-03-03 22:51:52 +00:00
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            auth_request_set            $groups $upstream_http_remote_groups;
-												[MISC] Add coverage for Remote-User and Remote-Groups (#982)

* Fix dev workflow.

* Fix dev workflow.

* Cover Remote-User and Remote-Groups using Traefik.

* Cover Remote-User and Remote-Groups using HAProxy.

* Fix redirection after unauthorized response when using HAProxy.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
											
										
										
											2020-05-06 01:50:37 +00:00
+								            proxy_set_header            Remote-Groups $groups;
-												[BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.

											
										
										
											2019-03-03 22:51:52 +00:00
-												[FEATURE] Add Remote-Name and Remote-Email headers (#1402)


											
										
										
											2020-10-26 11:38:08 +00:00
+								            auth_request_set            $name $upstream_http_remote_name;
 								            proxy_set_header            Remote-Name $name;
 								            auth_request_set            $email $upstream_http_remote_email;
 								            proxy_set_header            Remote-Email $email;
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            set                         $target_url $scheme://$http_host$request_uri;
-												Rewrite authelia frontend to improve user experience.

This refactoring simplify the code of the frontend and prepare the
portal for receiving a user settings page and an admin page.

											
										
										
											2019-11-18 23:37:36 +00:00
+								            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
-												[BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.

											
										
										
											2019-03-03 22:51:52 +00:00
-												[BREAKING] Create a suite for Traefik proxy.

* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.

											
										
										
											2019-04-10 19:27:18 +00:00
+								            proxy_pass                  $upstream_headers;
-												[BREAKING] Create a suite for kubernetes tests.

Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.

											
										
										
											2019-03-03 22:51:52 +00:00
+								        }
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								    }
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								    # Fake Web Mail used to receive emails sent by Authelia.
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								    server {
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								        listen 8080 ssl;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        server_name     mail.example.com;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
 								        resolver 127.0.0.11 ipv6=off;
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								        set $upstream_endpoint http://smtp:1080;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 								        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 								        add_header X-Frame-Options "SAMEORIGIN";
-												[MISC] Automatically redirect from http to https in suites. (#769)


											
										
										
											2020-03-22 06:04:51 +00:00
+								        error_page 497 301 =307 https://$host:$server_port$request_uri;
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								        location / {
 								            proxy_set_header  Host $http_host;
 								            proxy_pass        $upstream_endpoint;
 								        }
 								    }
-												Add Duo Push Notification option as 2FA.

											
										
										
											2019-03-24 14:15:49 +00:00
-												Simplify nginx example configuration.

											
										
										
											2019-03-26 20:00:47 +00:00
+								    # Fake API emulating Duo behavior
-												Add Duo Push Notification option as 2FA.

											
										
										
											2019-03-24 14:15:49 +00:00
+								    server {
 								        listen 443 ssl;
 								        server_name     duo.example.com;
 								        resolver 127.0.0.11 ipv6=off;
 								        set $upstream_endpoint http://duo-api:3000;
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Add Duo Push Notification option as 2FA.

											
										
										
											2019-03-24 14:15:49 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 								        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 								        add_header X-Frame-Options "SAMEORIGIN";
-												[MISC] Automatically redirect from http to https in suites. (#769)


											
										
										
											2020-03-22 06:04:51 +00:00
+								        error_page 497 301 =307 https://$host:$server_port$request_uri;
-												Add Duo Push Notification option as 2FA.

											
										
										
											2019-03-24 14:15:49 +00:00
+								        location / {
 								            proxy_set_header  Host $http_host;
 								            proxy_pass        $upstream_endpoint;
 								        }
 								    }
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
 								    # Matches all domains. It redirects to the home page.
 								    server {
 									    listen 8080 ssl;
 									    server_name _;
-												Bootstrap Go implementation of Authelia.

This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.

											
										
										
											2019-04-24 21:52:08 +00:00
+								        ssl_certificate     /etc/ssl/server.cert;
-												Add network criteria in ACLs to specify policy based on network subnet.

											
										
										
											2019-03-27 22:09:01 +00:00
+								        ssl_certificate_key /etc/ssl/server.key;
 									    return 301 https://home.example.com:8080/;
 								    }
-												Authelia can be run locally while communicating with docker environment.

											
										
										
											2019-01-27 14:54:29 +00:00
+								}