diff --git a/api/openapi.yml b/api/openapi.yml index 1daa5f197..004897111 100644 --- a/api/openapi.yml +++ b/api/openapi.yml @@ -155,7 +155,7 @@ paths: example: '{{ $.Domain | default "example.com" }}' schema: type: string - - name: X-Forwarded-Uri + - name: X-Forwarded-URI in: header description: Redirection URL (URI) required: false @@ -1494,7 +1494,7 @@ components: schema: type: string forwardedURIParam: - name: X-Forwarded-Uri + name: X-Forwarded-URI in: header description: Redirection URL (URI) required: true diff --git a/docs/content/en/integration/proxies/caddy.md b/docs/content/en/integration/proxies/caddy.md index 51b00303c..850538aaa 100644 --- a/docs/content/en/integration/proxies/caddy.md +++ b/docs/content/en/integration/proxies/caddy.md @@ -230,7 +230,7 @@ nextcloud.example.com { rewrite "/api/authz/forward-auth?authelia_url=https://auth.example.com/" header_up X-Forwarded-Method {method} - header_up X-Forwarded-Uri {uri} + header_up X-Forwarded-URI {uri} ## If the auth request: ## 1. Responds with a status code IN the 200-299 range. diff --git a/docs/content/en/integration/proxies/introduction.md b/docs/content/en/integration/proxies/introduction.md index 4670ee6d1..0eb884bee 100644 --- a/docs/content/en/integration/proxies/introduction.md +++ b/docs/content/en/integration/proxies/introduction.md 
@@ -28,6 +28,29 @@ bootstrapping *Authelia*. See [support](support.md) for support information. +### Required Headers + +__Authelia__ itself requires the following headers are set when secured behind a reverse proxy: + +* Scheme Detection: + * Default: [X-Forwarded-Proto] (header) + * Fallback: TLS (listening socket state) +* Host Detection: + * Default: [X-Forwarded-Host] (header) + * Fallback: [Host] (header) +* Path Detection: + * Default: X-Forwarded-URI (header) + * Fallback: [Start Line] Request Target (start line) +* Remote IP: + * Default: [X-Forwarded-For] + * Fallback: TCP source IP + +[Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host +[Start Line]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages#start_line +[X-Forwarded-For]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For +[X-Forwarded-Proto]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto +[X-Forwarded-Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host + ## Integration Implementation Authelia is capable of being integrated into many proxies due to the decisions regarding the implementation. We handle 
@@ -41,12 +64,14 @@ your reverse proxy. The headers we rely on at the authz endpoints are as follows * [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) * [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) -* X-Forwarded-Uri +* X-Forwarded-URI * [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) * X-Forwarded-Method / X-Original-Method * X-Original-URL -The specifics however are dictated by the specific [Authorization Implementation](../../reference/guides/proxy-authorization.md) used. +The specifics however are dictated by the specific +[Authorization Implementation](../../reference/guides/proxy-authorization.md) used. Please refer to the specific +implementation you're using. ### User Identification diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index 4c9e9f95a..8d185e697 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md @@ -350,7 +350,7 @@ use cases. The following is an example `proxy.conf`. The important directives include the `real_ip` directives which you should read [Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`, -`X-Forwarded-Uri`, and `X-Forwarded-For` headers. +`X-Forwarded-URI`, and `X-Forwarded-For` headers. ##### Standard Variant @@ -363,7 +363,7 @@ proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; -proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Forwarded-URI $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; 
@@ -408,7 +408,7 @@ proxy_set_header Host $host;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-For $remote_addr;
 ```
@@ -539,7 +539,7 @@ location /internal/authelia/authz/basic {
 proxy_set_header X-Forwarded-Method $request_method;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header Content-Length "";
 proxy_set_header Connection "";
diff --git a/internal/handlers/const_test.go b/internal/handlers/const_test.go
index 4ff49b9bb..142775f51 100644
--- a/internal/handlers/const_test.go
+++ b/internal/handlers/const_test.go
@@ -21,7 +21,7 @@ var (
 
 const (
 testXOriginalMethod = "X-Original-Method"
- testXOriginalUrl = "X-Original-Url"
+ testXOriginalUrl = "X-Original-URL"
 testBypass = "bypass"
 testWithoutAccept = "WithoutAccept"
 testWithXHRHeader = "WithXHRHeader"
diff --git a/internal/handlers/handler_authz_impl_forwardauth_test.go b/internal/handlers/handler_authz_impl_forwardauth_test.go
index de8be0ba5..fb5ac3066 100644
--- a/internal/handlers/handler_authz_impl_forwardauth_test.go
+++ b/internal/handlers/handler_authz_impl_forwardauth_test.go
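Review bot: The const_test.go hunk corrects the value of `testXOriginalUrl` to `"X-Original-URL"` but leaves the identifier with the lowercase `Url` initialism, which is the same inconsistency the commit is fixing in the header strings; Go convention (and the `XForwardedURI` accessor in authelia_context.go) calls for `testXOriginalURL = "X-Original-URL"`, and its uses elsewhere in the package lie outside this hunk. The same block is also the natural home for a `testXForwardedURI = "X-Forwarded-URI"` constant: every hunk in handler_authz_impl_forwardauth_test.go and handler_authz_impl_legacy_test.go repeats the literal `"X-Forwarded-URI"` in `Header.Set` right next to `fasthttp.HeaderXForwardedProto` and `fasthttp.HeaderXForwardedHost`, so one test can silently drift from the others on the next rename. Header names are compared case-insensitively by fasthttp as far as I know, so this is a consistency point rather than a behaviour change.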
@@ -240,7 +240,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleMissingHostDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -395,7 +395,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -560,7 +560,7 @@ func setRequestForwardAuth(ctx *middlewares.AutheliaCtx, method string, targetUR
 if targetURI != nil {
 ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 }
 
 setRequestXHRValues(ctx, accept, xhr)
diff --git a/internal/handlers/handler_authz_impl_legacy_test.go b/internal/handlers/handler_authz_impl_legacy_test.go
index 3b5238072..30949e387 100644
--- a/internal/handlers/handler_authz_impl_legacy_test.go
+++ b/internal/handlers/handler_authz_impl_legacy_test.go
@@ -60,7 +60,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -108,7 +108,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsOverrideAutheliaURLDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -151,7 +151,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLBypassSta
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -183,7 +183,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLOneFactor
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -213,7 +213,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsRDAutheliaURLOneFactorStatu
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 mock.Ctx.Request.SetRequestURI("/api/verify?rd=https%3A%2F%2Fauth.example.com")
@@ -263,7 +263,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsXHRDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 
 if x {
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
@@ -311,7 +311,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidMethodCharsDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -338,7 +338,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleMissingHostDeny() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -370,7 +370,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllow() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -454,7 +454,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllowXHR() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
@@ -613,7 +613,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
- mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+ mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 authz.Handler(mock.Ctx)
diff --git a/internal/middlewares/authelia_context.go b/internal/middlewares/authelia_context.go
index e81d7b3b6..c4e6d8b1d 100644
--- a/internal/middlewares/authelia_context.go
+++ b/internal/middlewares/authelia_context.go
@@ -166,7 +166,7 @@ func (ctx *AutheliaCtx) GetXForwardedHost() (host []byte) {
 return host
 }
 
-// XForwardedURI returns the content of the X-Forwarded-Uri header.
+// XForwardedURI returns the content of the X-Forwarded-URI header.
 func (ctx *AutheliaCtx) XForwardedURI() (host []byte) {
 return ctx.Request.Header.PeekBytes(headerXForwardedURI)
 }
diff --git a/internal/server/template_test.go b/internal/server/template_test.go
index 330edb851..8a422f1b6 100644
--- a/internal/server/template_test.go
+++ b/internal/server/template_test.go
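Review bot: In the authelia_context.go hunk the named result of `XForwardedURI` is still `host`, although the function returns the X-Forwarded-URI value, so the signature reads as a leftover from `GetXForwardedHost` directly above it (only the tail of that function is in the hunk); `func (ctx *AutheliaCtx) XForwardedURI() (uri []byte) {` says what is actually returned. Since the commit touches the doc comment anyway, it is worth making it state what the visible body does: the value is the raw header as returned by `PeekBytes`, with no validation in this function, so callers that use it for path detection or redirects must treat it as proxy-supplied input, e.g. `// XForwardedURI returns the raw X-Forwarded-URI request header (nil when absent) without validating it; callers must treat it as proxy-supplied input.` Whether `PeekBytes` returns nil for a missing header is how fasthttp behaves as far as I know, so confirm before committing that wording.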
@@ -71,7 +71,7 @@ func TestShouldTemplateOpenAPI(t *testing.T) { mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https") mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, "example.com") - mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/api/openapi.yml") + mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/api/openapi.yml") handler(mock.Ctx)