authelia/example/nginx/nginx.conf

# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}


http {
    server {
        listen 443 ssl;
        server_name     auth.test.local localhost;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;


        location / {
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Real-IP $remote_addr;

            proxy_pass        http://authelia/;

            proxy_intercept_errors on;

            if ($request_method !~ ^(POST)$){
              error_page 401 = /error/401;
              error_page 403 = /error/403;
              error_page 404 = /error/404;
            }
        }
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/home.test.local;
 
        server_name     home.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/public.test.local;
 
        server_name     public.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        location /auth_verify {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

            proxy_pass        http://authelia/verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;
            
            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        }

        location /headers {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header Custom-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Custom-Forwarded-Groups $groups;

            proxy_pass        http://httpbin:8000/headers;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        } 
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/admin.test.local;
 
        server_name     admin.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        location /auth_verify {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

            proxy_pass        http://authelia/verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        }
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/dev.test.local;
 
        server_name     dev.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        location /auth_verify {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

            proxy_pass        http://authelia/verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        }
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/mail.test.local;
 
        server_name     mx1.mail.test.local mx2.mail.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        location /auth_verify {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

            proxy_pass        http://authelia/verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        }
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html/basicauth.test.local;
 
        server_name     basicauth.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        location /auth_verify {
            internal;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

            proxy_pass        http://authelia/verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
        }
    }
}
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`# nginx-sso - example nginx config`
			`#`
			`# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>`
			`#`
			`# This is an example config for using nginx with the nginx-sso cookie system.`
			`# For simplicity, this config sets up two fictional vhosts that you can use to`
			`# test against both components of the nginx-sso system: ssoauth & ssologin.`
			`# In a real deployment, these vhosts would be separate hosts.`

			`#user nobody;`
			`worker_processes 1;`

			`#error_log logs/error.log;`
			`#error_log logs/error.log notice;`
			`#error_log logs/error.log info;`

			`#pid logs/nginx.pid;`

			`events {`
			`worker_connections 1024;`
			`}`


			`http {`
			`server {`
Implement FIDO u2f authentication 2017-01-21 16:41:06 +00:00			`listen 443 ssl;`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00			`server_name auth.test.local localhost;`
Implement FIDO u2f authentication 2017-01-21 16:41:06 +00:00
			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00

Remove '/authentication/' base path from endpoint URLs 2017-05-14 15:34:51 +00:00			`location / {`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`

Fix integration test and package Travis scripts 2017-06-28 13:57:58 +00:00			`proxy_pass http://authelia/;`
Implement password reset 2017-01-27 00:20:03 +00:00
Refactor client to make it responsive and testable 2017-05-25 13:09:29 +00:00			`proxy_intercept_errors on;`
Implement password reset 2017-01-27 00:20:03 +00:00
Fix example environment 2017-07-14 17:05:42 +00:00			`if ($request_method !~ ^(POST)$){`
			`error_page 401 = /error/401;`
			`error_page 403 = /error/403;`
			`error_page 404 = /error/404;`
			`}`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`}`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00			`}`

			`server {`
			`listen 443 ssl;`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`root /usr/share/nginx/html/home.test.local;`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`server_name home.test.local;`

			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`
			`}`

			`server {`
			`listen 443 ssl;`
			`root /usr/share/nginx/html/public.test.local;`

			`server_name public.test.local;`

			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`

			`location /auth_verify {`
			`internal;`
			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $http_host;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00			`proxy_set_header Content-Length "";`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00
			`proxy_pass http://authelia/verify;`
			`}`

			`location / {`
			`auth_request /auth_verify;`

Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00			`auth_request_set $redirect $upstream_http_redirect;`

Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`auth_request_set $user $upstream_http_remote_user;`
			`proxy_set_header X-Forwarded-User $user;`

			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Remote-Groups $groups;`

			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
			`error_page 403 = https://auth.test.local:8080/error/403;`
			`}`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00
			`location /headers {`
			`auth_request /auth_verify;`

			`auth_request_set $redirect $upstream_http_redirect;`

			`auth_request_set $user $upstream_http_remote_user;`
			`proxy_set_header Custom-Forwarded-User $user;`

			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Custom-Forwarded-Groups $groups;`

			`proxy_pass http://httpbin:8000/headers;`

			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
			`error_page 403 = https://auth.test.local:8080/error/403;`
			`}`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`}`

			`server {`
			`listen 443 ssl;`
			`root /usr/share/nginx/html/admin.test.local;`

			`server_name admin.test.local;`

			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`

			`location /auth_verify {`
			`internal;`
			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $http_host;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00			`proxy_set_header Content-Length "";`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00
			`proxy_pass http://authelia/verify;`
			`}`

			`location / {`
			`auth_request /auth_verify;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`auth_request_set $redirect $upstream_http_redirect;`

			`auth_request_set $user $upstream_http_remote_user;`
			`proxy_set_header X-Forwarded-User $user;`

			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Remote-Groups $groups;`

			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
			`error_page 403 = https://auth.test.local:8080/error/403;`
			`}`
			`}`

			`server {`
			`listen 443 ssl;`
			`root /usr/share/nginx/html/dev.test.local;`

			`server_name dev.test.local;`

			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`

			`location /auth_verify {`
			`internal;`
			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $http_host;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00			`proxy_set_header Content-Length "";`
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00
			`proxy_pass http://authelia/verify;`
			`}`

			`location / {`
			`auth_request /auth_verify;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`auth_request_set $redirect $upstream_http_redirect;`

			`auth_request_set $user $upstream_http_remote_user;`
			`proxy_set_header X-Forwarded-User $user;`

			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Remote-Groups $groups;`

			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
			`error_page 403 = https://auth.test.local:8080/error/403;`
			`}`
			`}`

			`server {`
			`listen 443 ssl;`
			`root /usr/share/nginx/html/mail.test.local;`

			`server_name mx1.mail.test.local mx2.mail.test.local;`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00
			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`

Remove '/authentication/' base path from endpoint URLs 2017-05-14 15:34:51 +00:00			`location /auth_verify {`
			`internal;`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header X-Real-IP $remote_addr;`
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains 2017-03-25 14:17:21 +00:00			`proxy_set_header Host $http_host;`
Add Content-Length header to the forwarded request to Authelia It seems nginx is closing the connection for some backends if `proxy_set_header Content-Length "";` is not added to the verification endpoint. 2017-09-23 16:02:21 +00:00			`proxy_set_header Content-Length "";`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00
Fix integration test and package Travis scripts 2017-06-28 13:57:58 +00:00			`proxy_pass http://authelia/verify;`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00			`}`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`location / {`
Remove '/authentication/' base path from endpoint URLs 2017-05-14 15:34:51 +00:00			`auth_request /auth_verify;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`auth_request_set $redirect $upstream_http_redirect;`

Set headers values Remote-User and Remote-Groups in /verify response 2017-09-22 19:18:38 +00:00			`auth_request_set $user $upstream_http_remote_user;`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`proxy_set_header X-Forwarded-User $user;`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Remote-Groups $groups;`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00
			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
			`error_page 403 = https://auth.test.local:8080/error/403;`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`}`
			`}`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00
			`server {`
			`listen 443 ssl;`
			`root /usr/share/nginx/html/basicauth.test.local;`

			`server_name basicauth.test.local;`

			`ssl on;`
			`ssl_certificate /etc/ssl/server.crt;`
			`ssl_certificate_key /etc/ssl/server.key;`

			`location /auth_verify {`
			`internal;`
			`proxy_set_header X-Original-URI $request_uri;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $http_host;`
			`proxy_set_header Content-Length "";`

Customize the authentication method to be used by a sub-domain One can now customize the default authentication method for all sub-domains, i.e., either 'two_factor' or 'basic_auth' and define specific authentication method per sub-domain. For example, one can specify that every sub-domain must be authenticated with two factor except one sub-domain that must be authenticated with basic auth. 2017-10-07 16:37:08 +00:00			`proxy_pass http://authelia/verify;`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`}`

			`location / {`
			`auth_request /auth_verify;`
Add tests on headers forwarded to backend Ensure Remote-User and Remote-Groups can be forwarded to the backend app. 2017-10-14 13:04:43 +00:00
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`auth_request_set $redirect $upstream_http_redirect;`

			`auth_request_set $user $upstream_http_remote_user;`
			`proxy_set_header X-Forwarded-User $user;`

			`auth_request_set $groups $upstream_http_remote_groups;`
			`proxy_set_header Remote-Groups $groups;`

Customize the authentication method to be used by a sub-domain One can now customize the default authentication method for all sub-domains, i.e., either 'two_factor' or 'basic_auth' and define specific authentication method per sub-domain. For example, one can specify that every sub-domain must be authenticated with two factor except one sub-domain that must be authenticated with basic auth. 2017-10-07 16:37:08 +00:00			`error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;`
Disable second factor for certain subdomain 2017-09-24 21:19:03 +00:00			`error_page 403 = https://auth.test.local:8080/error/403;`
			`}`
			`}`
Edit nginx configuration and add redirection during login and logout 2016-12-17 18:36:41 +00:00			`}`
Handle SSO over multiple subdomains 2017-03-15 22:07:57 +00:00