RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: header consistency (#5266)

pull/5267/head
James Elliott 2023-04-18 09:53:26 +10:00 committed by GitHub
parent 1ed79b575e
commit 616fa3c48d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 51 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/openapi.yml
View File

@ -155,7 +155,7 @@ paths:
example: '{{ $.Domain | default "example.com" }}'
schema:
type: string
- name: X-Forwarded-Uri
- name: X-Forwarded-URI
in: header
description: Redirection URL (URI)
required: false
@ -1494,7 +1494,7 @@ components:
schema:
type: string
forwardedURIParam:
name: X-Forwarded-Uri
name: X-Forwarded-URI
in: header
description: Redirection URL (URI)
required: true

2
docs/content/en/integration/proxies/caddy.md
View File

@ -230,7 +230,7 @@ nextcloud.example.com {
rewrite "/api/authz/forward-auth?authelia_url=https://auth.example.com/"
header_up X-Forwarded-Method {method}
header_up X-Forwarded-Uri {uri}
header_up X-Forwarded-URI {uri}
## If the auth request:
## 1. Responds with a status code IN the 200-299 range.

29
docs/content/en/integration/proxies/introduction.md
View File

@ -28,6 +28,29 @@ bootstrapping *Authelia*.
See [support](support.md) for support information.
### Required Headers
__Authelia__ itself requires the following headers are set when secured behind a reverse proxy:
* Scheme Detection:
* Default: [X-Forwarded-Proto] (header)
* Fallback: TLS (listening socket state)
* Host Detection:
* Default: [X-Forwarded-Host] (header)
* Fallback: [Host] (header)
* Path Detection:
* Default: X-Forwarded-URI (header)
* Fallback: [Start Line] Request Target (start line)
* Remote IP:
* Default: [X-Forwarded-For]
* Fallback: TCP source IP
[Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
[Start Line]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages#start_line
[X-Forwarded-For]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
[X-Forwarded-Proto]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
[X-Forwarded-Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
## Integration Implementation
Authelia is capable of being integrated into many proxies due to the decisions regarding the implementation. We handle
@ -41,12 +64,14 @@ your reverse proxy. The headers we rely on at the authz endpoints are as follows
* [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
* [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
* X-Forwarded-Uri
* X-Forwarded-URI
* [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
* X-Forwarded-Method / X-Original-Method
* X-Original-URL
The specifics however are dictated by the specific [Authorization Implementation](../../reference/guides/proxy-authorization.md) used.
The specifics however are dictated by the specific
[Authorization Implementation](../../reference/guides/proxy-authorization.md) used. Please refer to the specific
implementation you're using.
### User Identification

8
docs/content/en/integration/proxies/nginx.md
View File

@ -350,7 +350,7 @@ use cases.
The following is an example `proxy.conf`. The important directives include the `real_ip` directives which you should read
[Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`,
`X-Forwarded-Uri`, and `X-Forwarded-For` headers.
`X-Forwarded-URI`, and `X-Forwarded-For` headers.
##### Standard Variant
@ -363,7 +363,7 @@ proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
@ -408,7 +408,7 @@ proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
```
@ -539,7 +539,7 @@ location /internal/authelia/authz/basic {
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";

2
internal/handlers/const_test.go
View File

@ -21,7 +21,7 @@ var (
const (
testXOriginalMethod = "X-Original-Method"
testXOriginalUrl = "X-Original-Url"
testXOriginalUrl = "X-Original-URL"
testBypass = "bypass"
testWithoutAccept = "WithoutAccept"
testWithXHRHeader = "WithXHRHeader"

6
internal/handlers/handler_authz_impl_forwardauth_test.go
View File

@ -240,7 +240,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleMissingHostDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -395,7 +395,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -560,7 +560,7 @@ func setRequestForwardAuth(ctx *middlewares.AutheliaCtx, method string, targetUR
if targetURI != nil {
ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
}
setRequestXHRValues(ctx, accept, xhr)

22
internal/handlers/handler_authz_impl_legacy_test.go
View File

@ -60,7 +60,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -108,7 +108,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsOverrideAutheliaURLDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -151,7 +151,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLBypassSta
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -183,7 +183,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLOneFactor
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -213,7 +213,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsRDAutheliaURLOneFactorStatu
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
mock.Ctx.Request.SetRequestURI("/api/verify?rd=https%3A%2F%2Fauth.example.com")
@ -263,7 +263,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsXHRDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
if x {
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
@ -311,7 +311,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidMethodCharsDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -338,7 +338,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleMissingHostDeny() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -370,7 +370,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllow() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -454,7 +454,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllowXHR() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)
@ -613,7 +613,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
authz.Handler(mock.Ctx)

2
internal/middlewares/authelia_context.go
View File

@ -166,7 +166,7 @@ func (ctx *AutheliaCtx) GetXForwardedHost() (host []byte) {
return host
}
// XForwardedURI returns the content of the X-Forwarded-Uri header.
// XForwardedURI returns the content of the X-Forwarded-URI header.
func (ctx *AutheliaCtx) XForwardedURI() (host []byte) {
return ctx.Request.Header.PeekBytes(headerXForwardedURI)
}

2
internal/server/template_test.go
View File

@ -71,7 +71,7 @@ func TestShouldTemplateOpenAPI(t *testing.T) {
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, "example.com")
mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/api/openapi.yml")
mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/api/openapi.yml")
handler(mock.Ctx)