[FEATURE] Make Authelia serve over TLS in all suites (#864)

* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

internal/suites/BypassAll/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/BypassAll/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './BypassAll/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './BypassAll/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/Docker/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/Docker/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './Docker/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Docker/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/DuoPush/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: trace
 

internal/suites/DuoPush/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './DuoPush/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './DuoPush/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/HAProxy/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/HAProxy/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './HAProxy/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './HAProxy/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/HighAvailability/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/HighAvailability/docker-compose.yml

@@ -3,3 +3,4 @@ services:
   authelia-backend:
     volumes:
       - './HighAvailability/configuration.yml:/etc/authelia/configuration.yml:ro'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/LDAP/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/LDAP/docker-compose.yml

@@ -3,3 +3,4 @@ services:
   authelia-backend:
     volumes:
       - './LDAP/configuration.yml:/etc/authelia/configuration.yml:ro'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/Mariadb/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/Mariadb/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './Mariadb/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Mariadb/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/MySQL/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/MySQL/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './MySQL/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './MySQL/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/NetworkACL/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/NetworkACL/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './NetworkACL/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './NetworkACL/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/OneFactorOnly/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/OneFactorOnly/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './OneFactorOnly/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './OneFactorOnly/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/Postgres/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/Postgres/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './Postgres/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Postgres/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/ShortTimeouts/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/ShortTimeouts/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './ShortTimeouts/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './ShortTimeouts/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/Standalone/docker-compose.yml

@@ -7,6 +7,6 @@ services:
     volumes:
       - './Standalone/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Standalone/users.yml:/var/lib/authelia/users.yml'
-      - './Standalone/ssl:/var/lib/authelia/ssl'
+      - './common/ssl:/var/lib/authelia/ssl:ro'
       - '/tmp:/tmp'
     user: ${USER_ID}:${GROUP_ID}

internal/suites/Traefik/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/Traefik/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './Traefik/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Traefik/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/Traefik2/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 log_level: debug
 

internal/suites/Traefik2/docker-compose.yml

@@ -4,3 +4,4 @@ services:
     volumes:
       - './Traefik2/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Traefik2/users.yml:/var/lib/authelia/users.yml'
+      - './common/ssl:/var/lib/authelia/ssl:ro'

internal/suites/action_login.go

@@ -3,6 +3,7 @@ package suites
 import (
 	"context"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 )
@@ -38,6 +39,10 @@ func (wds *WebDriverSession) doLoginTwoFactor(ctx context.Context, t *testing.T,
 	wds.doLoginOneFactor(ctx, t, username, password, keepMeLoggedIn, targetURL)
 	wds.verifyIsSecondFactorPage(ctx, t)
 	wds.doValidateTOTP(ctx, t, otpSecret)
+	// timeout when targetURL is not defined to prevent a show stopping redirect when visiting a protected domain
+	if targetURL == "" {
+		time.Sleep(1 * time.Second)
+	}
 }
 
 // Login 1FA and register 2FA.
@@ -53,6 +58,6 @@ func (wds *WebDriverSession) doLoginAndRegisterTOTP(ctx context.Context, t *test
 func (wds *WebDriverSession) doRegisterAndLogin2FA(ctx context.Context, t *testing.T, username, password string, keepMeLoggedIn bool, targetURL string) string { //nolint:unparam
 	// Register TOTP secret and logout.
 	secret := wds.doRegisterThenLogout(ctx, t, username, password)
-	wds.doLoginTwoFactor(ctx, t, username, password, false, secret, targetURL)
+	wds.doLoginTwoFactor(ctx, t, username, password, keepMeLoggedIn, secret, targetURL)
 	return secret
 }

internal/suites/example/compose/authelia/docker-compose.backend.dev.yml

@@ -14,10 +14,13 @@ services:
       - '../..:/app'
       - '${GOPATH}:/go'
     labels:
+      # Traefik 1.x
       - 'traefik.frontend.rule=Host:login.example.com;PathPrefix:/api'
+      # Traefik 2.x
       - 'traefik.http.routers.authelia_backend.rule=Host(`login.example.com`) && PathPrefix(`/api`)'
       - 'traefik.http.routers.authelia_backend.entrypoints=https'
       - 'traefik.http.routers.authelia_backend.tls=true'
+      - 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
     environment:
       - ENVIRONMENT=dev
     networks:

internal/suites/example/compose/authelia/docker-compose.backend.dist.yml

@@ -3,10 +3,14 @@ services:
   authelia-backend:
     image: authelia:dist
     labels:
-      - 'traefik.frontend.rule=Host:login.example.com'
+      # Traefik 1.x
-      - 'traefik.http.routers.authelia.rule=Host(`login.example.com`)'
+      - 'traefik.frontend.rule=Host:login.example.com;PathPrefix:/api'
-      - 'traefik.http.routers.authelia.entrypoints=https'
+      - 'traefik.protocol=https'
-      - 'traefik.http.routers.authelia.tls=true'
+      # Traefik 2.x
+      - 'traefik.http.routers.authelia_backend.rule=Host(`login.example.com`) && PathPrefix(`/api`)'
+      - 'traefik.http.routers.authelia_backend.entrypoints=https'
+      - 'traefik.http.routers.authelia_backend.tls=true'
+      - 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
     environment:
       - ENVIRONMENT=dev
     restart: always

internal/suites/example/compose/authelia/docker-compose.frontend.dev.yml

@@ -14,7 +14,9 @@ services:
       - './example/compose/authelia/resources/:/resources'
       - '../../web:/app'
     labels:
+      # Traefik 1.x
       - 'traefik.frontend.rule=Host:login.example.com'
+      # Traefik 2.x
       - 'traefik.http.routers.authelia_frontend.rule=Host(`login.example.com`)'
       - 'traefik.http.routers.authelia_frontend.entrypoints=https'
       - 'traefik.http.routers.authelia_frontend.tls=true'

internal/suites/example/compose/authelia/docker-compose.frontend.dist.yml

@@ -4,5 +4,15 @@ services:
     image: nginx:alpine
     volumes:
       - './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
+    labels:
+      # Traefik 1.x
+      - 'traefik.frontend.rule=Host:login.example.com'
+      # Traefik 2.x
+      - 'traefik.http.routers.authelia_frontend.rule=Host(`login.example.com`)'
+      - 'traefik.http.routers.authelia_frontend.entrypoints=https'
+      - 'traefik.http.routers.authelia_frontend.tls=true'
+      - 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
     networks:
       - authelianet
+    expose:
+      - 3000

internal/suites/example/compose/authelia/resources/nginx.conf

@@ -9,19 +9,12 @@ http {
     server {
         listen 3000;
 
-        location / {
+        resolver 127.0.0.11 ipv6=off;
-            proxy_set_header  Host $http_host;
+        set $backend_endpoint https://authelia-backend:9091;
-            proxy_pass        http://authelia-backend:9091;
-        }
-    }
-
-    server {
-        # Reach authelia-backend using TLS.
-        listen 3001;
 
         location / {
             proxy_set_header  Host $http_host;
-            proxy_pass        https://authelia-backend:9091;
+            proxy_pass        $backend_endpoint;
         }
     }
 }

internal/suites/example/compose/haproxy/docker-compose.yml

@@ -3,7 +3,7 @@ services:
   haproxy:
     build: ./example/compose/haproxy/
     volumes:
-      - ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+      - ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
     networks:
       authelianet:
         # Set the IP to be able to query on port 8080

internal/suites/example/compose/haproxy/haproxy.cfg

@@ -33,7 +33,9 @@ frontend fe_http
     http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
-    http-request lua.auth-request be_authelia /api/verify if protected-frontends
+    # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
+    # does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).
+    http-request lua.auth-request be_auth_request /api/verify if protected-frontends
 
     use_backend be_authelia if host-authelia-portal api-path
     use_backend fe_authelia if host-authelia-portal !api-path
@@ -42,7 +44,16 @@ frontend fe_http
     use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
 
 backend be_authelia
-    server authelia-backend authelia-backend:9091
+    server authelia-backend authelia-backend:9091 ssl verify none
+
+backend be_auth_request
+  mode http
+  server proxy 127.0.0.1:8085
+
+listen be_auth_request_proxy
+  mode http
+  bind 127.0.0.1:8085
+  server authelia-backend authelia-backend:9091 ssl verify none
 
 backend fe_authelia
     server authelia-frontend authelia-frontend:3000

internal/suites/example/compose/nginx/backend/docker-compose.yml

@@ -5,7 +5,7 @@ services:
       context: ./example/compose/nginx/backend
     labels:
       - 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # Traefik 1.x
-      - 'traefik.frontend.auth.forward.address=http://authelia-backend:9091/api/verify?rd=https://login.example.com:8080/' # Traefik 1.x
+      - 'traefik.frontend.auth.forward.address=https://authelia-backend:9091/api/verify?rd=https://login.example.com:8080/' # Traefik 1.x
       - 'traefik.frontend.auth.forward.tls.insecureSkipVerify=true' # Traefik 1.x
       - 'traefik.frontend.auth.forward.trustForwardHeader=true' # Traefik 1.x
       - 'traefik.frontend.auth.forward.authResponseHeaders=Remote-User,Remote-Groups' # Traefik 1.x
@@ -13,7 +13,7 @@ services:
       - 'traefik.http.routers.protectedapps.entrypoints=https' # Traefik 2.x
       - 'traefik.http.routers.protectedapps.tls=true' # Traefik 2.x
       - 'traefik.http.routers.protectedapps.middlewares=authelia' # Traefik 2.x
-      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia-backend:9091/api/verify?rd=https://login.example.com:8080/' # Traefik 2.x
+      - 'traefik.http.middlewares.authelia.forwardauth.address=https://authelia-backend:9091/api/verify?rd=https://login.example.com:8080/' # Traefik 2.x
       - 'traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true' # Traefik 2.x
       - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' # Traefik 2.x
       - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups' # Traefik 2.x

internal/suites/example/compose/nginx/portal/docker-compose.https.yml

@@ -1,16 +0,0 @@
-version: '3'
-services:
-  nginx-portal:
-    image: nginx:alpine
-    volumes:
-      - ./example/compose/nginx/portal/nginx.https.conf:/etc/nginx/nginx.conf
-      - ./example/compose/nginx/portal/ssl:/etc/ssl
-    networks:
-      authelianet:
-        aliases:
-          - public.example.com
-          - secure.example.com
-          - login.example.com
-          - duo.example.com
-        # Set the IP to be able to query on port 443
-        ipv4_address: 192.168.240.100

internal/suites/example/compose/nginx/portal/nginx.conf

@@ -14,7 +14,7 @@ http {
 
         resolver 127.0.0.11 ipv6=off;
         set $frontend_endpoint http://authelia-frontend:3000;
-        set $backend_endpoint http://authelia-backend:9091;
+        set $backend_endpoint https://authelia-backend:9091;
 
         ssl_certificate     /etc/ssl/server.cert;
         ssl_certificate_key /etc/ssl/server.key;
@@ -89,7 +89,7 @@ http {
                         mx1.mail.example.com mx2.mail.example.com;
 
         resolver 127.0.0.11 ipv6=off;
-        set $upstream_verify http://authelia-backend:9091/api/verify;
+        set $upstream_verify https://authelia-backend:9091/api/verify;
         set $upstream_endpoint http://nginx-backend;
         set $upstream_headers http://httpbin:8000/headers;
 

internal/suites/example/compose/nginx/portal/nginx.https.conf

@@ -1,242 +0,0 @@
-#
-# You can find a documented example of configuration in ./docs/proxies/nginx.md.
-#
-worker_processes  1;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    upstream authelia-frontend {
-        server authelia-frontend:3001 fail_timeout=180s;
-        server authelia-frontend:3000 backup;
-    }
-
-    server {
-        listen 8080 ssl;
-        server_name     login.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $frontend_endpoint http://authelia-frontend;
-        set $backend_endpoint https://authelia-backend:9091;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        error_page 497 301 =307 https://$host:$server_port$request_uri;
-
-        # Serve the backend API for the portal.
-        location /api {
-            proxy_set_header  X-Real-IP $remote_addr;
-
-            # Required by Authelia because "trust proxy" option is used.
-            # See https://expressjs.com/en/guide/behind-proxies.html
-            proxy_set_header  X-Forwarded-Proto $scheme;
-
-            # Required by Authelia to build correct links for identity validation.
-            proxy_set_header  X-Forwarded-Host $http_host;
-
-            # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
-            # and allows Authelia to use it to match the network-based ACLs.
-            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            proxy_intercept_errors on;
-
-            proxy_pass        $backend_endpoint;
-        }
-
-        # Serves the portal application.
-        location / {
-            # Allow websockets for webpack to auto-reload.
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
-            proxy_set_header Host "127.0.0.1";
-
-            proxy_pass        $frontend_endpoint;
-        }
-    }
-
-    # Serves the home page.
-    server {
-        listen 8080 ssl;
-        server_name     home.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_endpoint http://nginx-backend;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        error_page 497 301 =307 https://$host:$server_port$request_uri;
-
-        location / {
-            proxy_set_header  Host $http_host;
-            proxy_pass        $upstream_endpoint;
-        }
-    }
-
-    # Example configuration of domains protected by Authelia.
-    server {
-        listen 8080 ssl; 
-        server_name     public.example.com
-                        admin.example.com
-                        secure.example.com
-                        dev.example.com
-                        singlefactor.example.com
-                        mx1.mail.example.com mx2.mail.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_verify https://authelia-backend:9091/api/verify;
-        set $upstream_endpoint http://nginx-backend;
-        set $upstream_headers http://httpbin:8000/headers;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        error_page 497 301 =307 https://$host:$server_port$request_uri;
-
-        # Reverse proxy to the backend. It is protected by Authelia by forwarding authorization checks
-        # to the virtual endpoint introduced by nginx and declared in the next block.
-        location / {
-            auth_request /auth_verify;
-            
-            auth_request_set $user      $upstream_http_remote_user;
-            proxy_set_header            X-Forwarded-User $user;
-            
-            auth_request_set            $groups $upstream_http_remote_groups;
-            proxy_set_header            Remote-Groups $groups;
-
-            # Route the request to the correct virtual host in the backend.
-            proxy_set_header            Host $http_host;
-
-            # Authelia relies on Proxy-Authorization header to authenticate in basic auth.
-            # but for the sake of simplicity (because Authorization in supported in most
-            # clients) we take Authorization from the frontend and rewrite it to
-            # Proxy-Authorization before sending it to Authelia.
-            proxy_set_header            Proxy-Authorization $http_authorization;
-
-            # mitigate HTTPoxy Vulnerability
-            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
-            proxy_set_header            Proxy "";
-
-            # Set the `target_url` variable based on the request. It will be used to build the portal
-            # URL with the correct redirection parameter.
-            set                         $target_url $scheme://$http_host$request_uri;
-            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
-
-            proxy_pass                  $upstream_endpoint;
-        }
-
-        # Virtual endpoint forwarding requests to Authelia server.
-        location /auth_verify {
-            internal;
-            proxy_set_header            X-Real-IP $remote_addr;
-
-            # Provide either X-Original-URL and X-Forwarded-Proto or
-            # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-URI or both.
-            # Those headers will be used by Authelia to deduce the target url of the user.
-            #
-            # X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option.
-            # See https://expressjs.com/en/guide/behind-proxies.html
-            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
-
-            proxy_set_header            X-Forwarded-Proto $scheme;
-            proxy_set_header            X-Forwarded-Host $http_host;
-            proxy_set_header            X-Forwarded-URI $request_uri;
-            
-            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            # Authelia can receive Proxy-Authorization to authenticate however most of the clients
-            # support Authorization instead. Therefore we rewrite Authorization into Proxy-Authorization.
-            proxy_set_header            Proxy-Authorization $http_authorization;
-
-            proxy_pass_request_body     off;
-            proxy_set_header            Content-Length "";
-
-            proxy_pass                  $upstream_verify;
-        }
-
-        # Used by suites to test the forwarded users and groups headers produced by Authelia.
-        location /headers {
-            auth_request /auth_verify;
-
-            auth_request_set            $user $upstream_http_remote_user;
-            proxy_set_header            Custom-Forwarded-User $user;
-            
-            auth_request_set            $groups $upstream_http_remote_groups;
-            proxy_set_header            Custom-Forwarded-Groups $groups;
-
-            set                         $target_url $scheme://$http_host$request_uri;
-            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
-
-            proxy_pass                  $upstream_headers;
-        }
-    }
-
-    # Fake Web Mail used to receive emails sent by Authelia.
-    server {
-        listen 8080 ssl;
-        server_name     mail.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_endpoint http://smtp:1080;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        error_page 497 301 =307 https://$host:$server_port$request_uri;
-
-        location / {
-            proxy_set_header  Host $http_host;
-            proxy_pass        $upstream_endpoint;
-        }
-    }
-
-    # Fake API emulating Duo behavior
-    server {
-        listen 443 ssl;
-        server_name     duo.example.com;
-
-        resolver 127.0.0.11 ipv6=off;
-        set $upstream_endpoint http://duo-api:3000;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-
-        error_page 497 301 =307 https://$host:$server_port$request_uri;
-
-        location / {
-            proxy_set_header  Host $http_host;
-            proxy_pass        $upstream_endpoint;
-        }
-    }
-
-    # Matches all domains. It redirects to the home page.
-    server {
-	    listen 8080 ssl;
-	    server_name _;
-
-        ssl_certificate     /etc/ssl/server.cert;
-        ssl_certificate_key /etc/ssl/server.key;
-
-	    return 301 https://home.example.com:8080/;
-    }
-}
-

internal/suites/example/compose/traefik/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - '--traefiklog.filepath=/var/log/traefik.log'
       - '--entryPoints=Name:https Address::8080 TLS'
       - '--entryPoints=Name:api Address::8081'
+      - '--insecureSkipVerify=true'
     networks:
       authelianet:
         # Set the IP to be able to query on port 8080

internal/suites/example/compose/traefik2/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - '--log=true'
       - '--log.level=DEBUG'
       - '--log.filepath=/var/log/traefik.log'
+      - '--serversTransport.insecureSkipVerify=true'
     networks:
       authelianet:
         # Set the IP to be able to query on port 8080

internal/suites/example/kube/apps/apps.yml

@@ -74,7 +74,7 @@ metadata:
     kubernetes.io/ingress.class: "nginx"
     kubernetes.io/ingress.allow-http: "false"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/auth-url: "http://authelia-service.authelia.svc.cluster.local/api/verify"
+    nginx.ingress.kubernetes.io/auth-url: "https://authelia-service.authelia.svc.cluster.local/api/verify"
     nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/"
 spec:
   tls:

internal/suites/example/kube/authelia/configs/configuration.yml

@@ -2,7 +2,10 @@
 #                   Authelia configuration                    #
 ###############################################################
 
-port: 80
+port: 443
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
+
 log_level: debug
 
 default_redirection_url: https://home.example.com:8080

internal/suites/example/kube/authelia/deployment.yml

@@ -20,10 +20,12 @@ spec:
         - name: authelia
           image: authelia:dist
           ports:
-            - containerPort: 80
+            - containerPort: 443
           volumeMounts:
             - name: config-volume
               mountPath: /etc/authelia
+            - name: ssl-volume
+              mountPath: /var/lib/authelia/ssl
           env:
             # We set secrets directly here for ease of deployment but all secrets
             # should be stored in the Kube Vault in production.
@@ -42,3 +44,12 @@ spec:
             items:
               - key: configuration.yml
                 path: configuration.yml
+        - name: ssl-volume
+          configMap:
+            name: authelia-ssl
+            items:
+              - key: cert.pem
+                path: cert.pem
+              - key: key.pem
+                path: key.pem
+

internal/suites/example/kube/authelia/ingress.yml

@@ -6,6 +6,7 @@ metadata:
   namespace: authelia
   annotations:
     kubernetes.io/ingress.class: "nginx"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 spec:
   tls:
   - secretName: authelia-tls
@@ -18,4 +19,4 @@ spec:
       - path: /
         backend:
           serviceName: authelia-service
-          servicePort: 80
+          servicePort: 443

internal/suites/example/kube/authelia/service.yml

@@ -9,5 +9,5 @@ spec:
     app: authelia
   ports:
   - protocol: TCP
-    port: 80
+    port: 443
-    targetPort: 80
+    targetPort: 443

internal/suites/example/kube/authelia/ssl/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIRAKF0IRxC55eee6icERVf6fgwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAgFw0yMDAzMDExMjMzMzlaGA8yMTIwMDIwNjEy
+MzMzOVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMi7/oSazFIxP3rHsSLjw5XPnpMKEaVwU1zLRzW6W80BDa/ER5to
+I3POGLv8lAhtUwB6WvyilrCZfs/D5lkcCxswafU/2LNppFuODnW+PG9eobgOy6Nv
+f+KbnZFPRV7PB2yK6DqMyb+tbTQ7F6rEf4i6n28DI0dNyNvUCk0ld3o93LZBvC/D
+/+Ulf3Vtdfsd2TckXvdA8lH4VGQJ+FIxhboTlbW8VJlk1V7FZef7+m867kOnPSaj
+zv5yygrIA0XPaMAZC/SZrXHMdhvcs43fgmmTel7JD4Sy/Z/pmFlrZr5Xa8jcWycJ
+ILLuPnXhgKstgq5wtDkTMZ6rpgMrKcjMKcMCAwEAAaNNMEswDgYDVR0PAQH/BAQD
+AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8w
+DYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBABdWkbipzPivAvvamMmQ
+5iPPeStfdr5MBxJGT9nPbeXdtS/13FJnspLBMMYOw/2AZk7VFrNjxkXc4NHZSlGz
+FcGMlSO40fyirdYaQTDtS230ucLB+LzfZx37y9dKpEKVmQ151kKJjJ4hAZ47LmAQ
+aFoDLRo7PA2HmnJ60GrI9wVp96uy1sQ6PcToIyMcVEQ/tLEEow+ykSeiZb9+qBKV
+K9GUcu2LorhBtUMmEWs0TJElaf6eKUoG6JXM2byulDg24w5b9gC26kAlHWc5WDU5
+pAXOjlN/OYHB0sDbYViWIL390376fYIfu2N5EDKY4QjEYsWEs4Wm9HVS9IgHP/Gi
+Xbo=
+-----END CERTIFICATE-----

internal/suites/example/kube/authelia/ssl/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDIu/6EmsxSMT96
+x7Ei48OVz56TChGlcFNcy0c1ulvNAQ2vxEebaCNzzhi7/JQIbVMAelr8opawmX7P
+w+ZZHAsbMGn1P9izaaRbjg51vjxvXqG4Dsujb3/im52RT0Vezwdsiug6jMm/rW00
+OxeqxH+Iup9vAyNHTcjb1ApNJXd6Pdy2Qbwvw//lJX91bXX7Hdk3JF73QPJR+FRk
+CfhSMYW6E5W1vFSZZNVexWXn+/pvOu5Dpz0mo87+csoKyANFz2jAGQv0ma1xzHYb
+3LON34Jpk3peyQ+Esv2f6ZhZa2a+V2vI3FsnCSCy7j514YCrLYKucLQ5EzGeq6YD
+KynIzCnDAgMBAAECggEAC13R0LJvRWwyewJZvm8FQTNreEoGq8aLgeKk2p792cLo
+gn5ry5n+/+y4q9RmkX+XRpynEE0omUFn09306jDTVCvOpCuEWsxtmR2XJgWqqGfE
+Yoa78zo6FJvZNUQ22mKAuh23frFAL1FjsKRz96B+1EA1DPUxhzUZXZFJMAsiE9LZ
+PxqPmnqXbPZsOb1XG33TAdCp6CC3H8KHICC+i4IC8prjKHGH/Q1saoNw8jmgwv0S
+DelQUbEtqfmE6BmyTGxdeu4uW2Nv/wcENwySAOPKi5gstlbSKTa4IpKGp7CdquWi
+stUW6pnSiEeDrDAzwC8uWdncOvnkAy2lRJkz/F9YoQKBgQDrCCqYdvGshecBBnfQ
+fowxak2YBfG2jhAKPMHzrvQn5FIb+11x/jeXPEfOB6FShIzZ97JpFIpH3tcONlj3
+OVzGCTD6WdRTcltzXVneJtNog7DliNFY4YmIPmQJ+y+EvJW1rSZTZAZI1Nbijg3n
+fSd0PTzvgOGHSl1//RI1mFx7MwKBgQDapIPPSF0yf1UJ6Hhzam5NHGZ9fSqV5Qs0
+Gi7uM08iDV5K7xiPglBkbN2EuMlgVnHaa5g8X897uwRSYR6nL4PRvcJiNSvnhWhe
++K3x7iHewIPYVfcghoqzuPKsXH2Zm26usdXHxBBa3IBbKtGaHnAd9h65AOUYAmAx
+C2BzN90XMQKBgE2MjEFyPZunMulrsOziVG+Zm7ClhXOuvCwkj/pPp8/hzhXdgp+y
+ObV09lxMuDX59l+VExEI7fd414yg8gngq3PMZJS2PxCpkvMlwhlCxk6d5ShXVHv3
+LuH9dBS3BJ7PerZPQ24QeuJdF+n45S2UZgg8jHaaF9AEAYXRgsicVSdxAoGAJI0U
+K/bg/awjv0BJwqGsRt/Ukm32TJC5ysAF0HRrajnp5YULChKy9dbtQV7S63QIHIeY
+L5+kw/6DvnHV+gULeGjMsjZJXK8Ev7u6+JLivqZYZDYa1iknztvAVegwZxmA61t3
+bantQgNSwerql2U3QQsAH9Vydw0On6RTP2+7WkECgYBWD3u64hBKmAxPkqPotkgI
+w/jdOlv8FLHO79+oH1PtKvkzspcYaecKGDm/RNLIXLYnt0AmZEK4qQ4/zDFaR/rc
+AhoxK2cKTRltMrhp1ivtFfLggVGogtYNxEnjnsD4KMvH3SjSNdt06YgtZ92++fOp
+UsE8Mpf4/G5X7DmcHJHk+w==
+-----END PRIVATE KEY-----

internal/suites/example/kube/bootstrap-authelia.sh

@@ -2,6 +2,7 @@
 
 start_authelia() {
   kubectl create configmap authelia-config --namespace=authelia --from-file=authelia/configs/configuration.yml
+  kubectl create configmap authelia-ssl --namespace=authelia --from-file=authelia/ssl/cert.pem --from-file=authelia/ssl/key.pem
   kubectl apply -f authelia
 }
 

internal/suites/example/kube/bootstrap-dashboard.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 start_dashboard() {
-  kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
   kubectl apply -f dashboard.yml
 
   echo "Bearer token for UI user."

internal/suites/suite_bypass_all.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -50,7 +50,8 @@ func init() {
 	GlobalRegistry.Register(bypassAllSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     1 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_docker.go

@@ -24,7 +24,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -46,7 +46,8 @@ func init() {
 	GlobalRegistry.Register("Docker", Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     1 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_duo_push.go

@@ -26,7 +26,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -48,7 +48,8 @@ func init() {
 	GlobalRegistry.Register(duoPushSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     2 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_haproxy.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(haproxySuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     2 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_mariadb.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(mariadbSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,
 	})

internal/suites/suite_mysql.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(mysqlSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,
 	})

internal/suites/suite_network_acl.go

@@ -29,7 +29,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(networkACLSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     1 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_one_factor_only.go

@@ -25,7 +25,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -47,7 +47,8 @@ func init() {
 	GlobalRegistry.Register(oneFactorOnlySuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     1 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_postgres.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(postgresSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,
 	})

internal/suites/suite_short_timeouts.go

@@ -26,7 +26,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -48,7 +48,8 @@ func init() {
 	GlobalRegistry.Register(shortTimeoutsSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     3 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_standalone.go

@@ -14,7 +14,7 @@ func init() {
 		"internal/suites/example/compose/authelia/docker-compose.backend.{}.yml",
 		"internal/suites/example/compose/authelia/docker-compose.frontend.{}.yml",
 		"internal/suites/example/compose/nginx/backend/docker-compose.yml",
-		"internal/suites/example/compose/nginx/portal/docker-compose.https.yml",
+		"internal/suites/example/compose/nginx/portal/docker-compose.yml",
 		"internal/suites/example/compose/smtp/docker-compose.yml",
 	})
 

internal/suites/suite_traefik.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(traefikSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     2 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,

internal/suites/suite_traefik2.go

@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(traefik2SuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnSetupTimeout:  displayAutheliaLogs,
+		OnError:         displayAutheliaLogs,
 		TestTimeout:     2 * time.Minute,
 		TearDown:        teardown,
 		TearDownTimeout: 2 * time.Minute,