From c7cc70d6a82fe640342285f06bc8be196483700d Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Mon, 1 May 2023 13:36:25 +1000
Subject: [PATCH] refactor: move auth_request_set in nginx

Signed-off-by: James Elliott
---
 .../example/compose/nginx/portal/nginx.conf | 84 +++++++------------
 1 file changed, 30 insertions(+), 54 deletions(-)

diff --git a/internal/suites/example/compose/nginx/portal/nginx.conf b/internal/suites/example/compose/nginx/portal/nginx.conf
index a667ba80d..df73da8ee 100644
--- a/internal/suites/example/compose/nginx/portal/nginx.conf
+++ b/internal/suites/example/compose/nginx/portal/nginx.conf
@@ -166,30 +166,6 @@ http { ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /internal/authelia/authz; - ## Save the upstream authorization response headers from Authelia to variables. - auth_request_set $authorization $upstream_http_authorization; - auth_request_set $proxy_authorization $upstream_http_proxy_authorization; - - ## Inject the authorization response headers from the variables into the request made to the backend. - proxy_set_header Authorization $authorization; - proxy_set_header Proxy-Authorization $proxy_authorization; - - ## Save the upstream metadata response headers from Authelia to variables. - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - - ## Inject the metadata response headers from the variables into the request made to the backend. - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Name $name; - - ## Include the Set-Cookie header if present. - auth_request_set $cookie $upstream_http_set_cookie; - add_header Set-Cookie $cookie; - ## Configure the redirection when the Authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. 
@@ -257,12 +233,6 @@ http { proxy_read_timeout 240; proxy_send_timeout 240; proxy_connect_timeout 240; - } - - # Used by suites to test the forwarded users and groups headers produced by Authelia. - location /headers { - ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /internal/authelia/authz; ## Save the upstream authorization response headers from Authelia to variables. auth_request_set $authorization $upstream_http_authorization; @@ -287,6 +257,12 @@ http { ## Include the Set-Cookie header if present. auth_request_set $cookie $upstream_http_set_cookie; add_header Set-Cookie $cookie; + } + + # Used by suites to test the forwarded users and groups headers produced by Authelia. + location /headers { + ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. + auth_request /internal/authelia/authz; ## Configure the redirection when the Authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url 
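Review bot: In the second hunk on this line (`@@ -287,6 +257,12 @@`), moving `}` and `location /headers {` below the `auth_request_set`/`proxy_set_header` block leaves `location /headers` with only `auth_request /internal/authelia/authz;` ahead of the redirection settings, while the block it used to own now ends the preceding location. The diffstat (54 deletions, 30 insertions) suggests three copies of the block became two, and no visible hunk restores one to `/headers`, although its comment says it exists to test the forwarded user and group headers. If `/headers` proxies to a backend, `Remote-User`, `Remote-Groups`, `Remote-Name`, `Remote-Email`, `Authorization` and `Proxy-Authorization` are no longer overwritten with Authelia's values there, so whatever the client sent in those headers would be passed through unchanged. The rest of the location lies outside the hunk, so this should be confirmed there. If the block is indeed missing, re-add the same save-and-inject lines before the closing brace of `/headers`, or at minimum clear the identity headers with lines such as `proxy_set_header Remote-User "";`.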
@@ -333,30 +309,6 @@ http { ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /internal/authelia/authz; - ## Save the upstream authorization response headers from Authelia to variables. - auth_request_set $authorization $upstream_http_authorization; - auth_request_set $proxy_authorization $upstream_http_proxy_authorization; - - ## Inject the authorization response headers from the variables into the request made to the backend. - proxy_set_header Authorization $authorization; - proxy_set_header Proxy-Authorization $proxy_authorization; - - ## Save the upstream metadata response headers from Authelia to variables. - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - - ## Inject the metadata response headers from the variables into the request made to the backend. - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Name $name; - - ## Include the Set-Cookie header if present. - auth_request_set $cookie $upstream_http_set_cookie; - add_header Set-Cookie $cookie; - ## Configure the redirection when the Authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. 
@@ -417,6 +369,30 @@ http { proxy_read_timeout 240; proxy_send_timeout 240; proxy_connect_timeout 240; + + ## Save the upstream authorization response headers from Authelia to variables. + auth_request_set $authorization $upstream_http_authorization; + auth_request_set $proxy_authorization $upstream_http_proxy_authorization; + + ## Inject the authorization response headers from the variables into the request made to the backend. + proxy_set_header Authorization $authorization; + proxy_set_header Proxy-Authorization $proxy_authorization; + + ## Save the upstream metadata response headers from Authelia to variables. + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + + ## Inject the metadata response headers from the variables into the request made to the backend. + proxy_set_header Remote-User $user; + proxy_set_header Remote-Groups $groups; + proxy_set_header Remote-Email $email; + proxy_set_header Remote-Name $name; + + ## Include the Set-Cookie header if present. + auth_request_set $cookie $upstream_http_set_cookie; + add_header Set-Cookie $cookie; } }
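Review bot: The 24 lines added after `proxy_connect_timeout 240;` are a verbatim second copy of the block that the `@@ -287,6 +257,12 @@` hunk leaves at the end of the earlier location, so the two protected locations now depend on hand-synchronised copies of the identity-header mapping. A copy that drifts, or a location that omits it, stops overwriting `Remote-User` and the related headers for its backend. Consider moving the block into one shared file and pulling it in with a single line per location, for example `include <authrequest-snippet>.conf;` (placeholder path). A short comment such as `## Must be present in every location that uses auth_request and proxies to a backend.` would also help. The enclosing location starts outside this hunk.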