diff --git a/internal/suites/example/compose/nginx/portal/nginx.conf b/internal/suites/example/compose/nginx/portal/nginx.conf
index 1b87495ff..5d7e4f641 100644
--- a/internal/suites/example/compose/nginx/portal/nginx.conf
+++ b/internal/suites/example/compose/nginx/portal/nginx.conf
@@ -45,7 +45,43 @@ http {
 proxy_pass $backend_endpoint;
 }
- location /.well-known/openid-configuration {
+ location /.well-known {
+ # Required by Authelia because "trust proxy" option is used.
+ # See https://expressjs.com/en/guide/behind-proxies.html
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Required by Authelia to build correct links for identity validation.
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-URI $request_uri;
+
+ # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
+ # and allows Authelia to use it to match the network-based ACLs.
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_intercept_errors on;
+
+ proxy_pass $backend_endpoint;
+ }
+
+ location /locales {
+ # Required by Authelia because "trust proxy" option is used.
+ # See https://expressjs.com/en/guide/behind-proxies.html
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Required by Authelia to build correct links for identity validation.
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-URI $request_uri;
+
+ # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
+ # and allows Authelia to use it to match the network-based ACLs.
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_intercept_errors on;
+
+ proxy_pass $backend_endpoint;
+ }
+
+ location /jwks.json {
 # Required by Authelia because "trust proxy" option is used.
 # See https://expressjs.com/en/guide/behind-proxies.html
 proxy_set_header X-Forwarded-Proto $scheme;
@@ -333,4 +369,3 @@ http {
 return 301 https://home.example.com:8080/;
 }
 }
-
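Review bot: The new locations in the first hunk are plain prefix matches, so `location /.well-known {` also matches `/.well-knownX` and every other `/.well-known/*` path, and `location /jwks.json {` matches any URI that merely starts with that string. That proxies more of the URI space to `$backend_endpoint` than the old `/.well-known/openid-configuration` block did. If Authelia only serves the documented paths, tighten these to `location /.well-known/ {`, `location /locales/ {` and `location = /jwks.json {`. The `/.well-known` and `/locales` bodies are also identical copies of the same `proxy_set_header` set. Moving that set into one included snippet would stop the forwarded-header policy, which feeds Authelia's network ACLs through `X-Forwarded-For`, from drifting between locations. The `/jwks.json` block continues outside the hunk, so whether it carries the same headers cannot be confirmed from here.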