[FEATURE] Add TLS support. (#677)

* [FEATURE] Add TLS support.

Fixes #368.

* [FEATURE] Introduce OnError hook in suites.

This hook allows to perform actions following an erroneous suite
like displaying the logs of Authelia.

* Display Authelia logs of Standalone suite when tests fail.

* Fix Standalone suite.

* Apply suggestions from code review

* Rename ssl_key and ssl_cert into tls_key and tls_cert.

cmd/authelia-scripts/cmd_suites.go

@@ -151,6 +151,14 @@ func runOnSetupTimeout(suite string) error {
 	return utils.RunCommandWithTimeout(cmd, 15*time.Second)
 }
 
+func runOnError(suite string) error {
+	cmd := utils.CommandWithStdout("go", "run", "cmd/authelia-suites/main.go", "error", suite)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Env = os.Environ()
+	return utils.RunCommandWithTimeout(cmd, 15*time.Second)
+}
+
 func setupSuite(suiteName string) error {
 	log.Infof("Setup environment for suite %s...", suiteName)
 	signalChannel := make(chan os.Signal)
@@ -261,11 +269,19 @@ func runSuiteTests(suiteName string, withEnv bool) error {
 
 	testErr := cmd.Run()
 
-	if withEnv {
-		err := teardownSuite(suiteName)
+	// If the tests failed, run the error hook.
+	if testErr != nil {
+		if err := runOnError(suiteName); err != nil {
+			// Do not return this error to return the test error instead
+			// and not skip the teardown phase.
+			log.Errorf("Error executing OnError callback: %v", err)
+		}
+	}
 
-		if err != nil {
-			log.Error(err)
+	if withEnv {
+		if err := teardownSuite(suiteName); err != nil {
+			// Do not return this error to return the test error instead
+			log.Errorf("Error running teardown: %v", err)
 		}
 	}
 

cmd/authelia-suites/main.go

@@ -38,6 +38,12 @@ func main() {
 		Run:   setupTimeoutSuite,
 	}
 
+	errorCmd := &cobra.Command{
+		Use:   "error [suite]",
+		Short: "Run the OnError callback when some tests fail",
+		Run:   runErrorCallback,
+	}
+
 	stopCmd := &cobra.Command{
 		Use:   "teardown [suite]",
 		Short: "Teardown the suite environment",
@@ -46,8 +52,11 @@ func main() {
 
 	rootCmd.AddCommand(startCmd)
 	rootCmd.AddCommand(setupTimeoutCmd)
+	rootCmd.AddCommand(errorCmd)
 	rootCmd.AddCommand(stopCmd)
-	rootCmd.Execute()
+	if err := rootCmd.Execute(); err != nil {
+		log.Fatal(err)
+	}
 }
 
 func createRunningSuiteFile(suite string) error {
@@ -120,6 +129,18 @@ func setupTimeoutSuite(cmd *cobra.Command, args []string) {
 	}
 }
 
+func runErrorCallback(cmd *cobra.Command, args []string) {
+	suiteName := args[0]
+	s := suites.GlobalRegistry.Get(suiteName)
+
+	if s.OnError == nil {
+		return
+	}
+	if err := s.OnError(); err != nil {
+		log.Fatal(err)
+	}
+}
+
 func teardownSuite(cmd *cobra.Command, args []string) {
 	if os.Getenv("SKIP_TEARDOWN") != "" {
 		return

config.template.yml

@@ -5,6 +5,8 @@
 # The host and port to listen on
 host: 0.0.0.0
 port: 9091
+# tls_key: /var/lib/authelia/ssl/key.pem
+# tls_cert: /var/lib/authelia/ssl/cert.pem
 
 # Level of verbosity for logs: info, debug, trace
 logs_level: debug

docs/configuration/miscellaneous.md

@@ -10,6 +10,7 @@ nav_order: 5
 Here are the main customizable options in Authelia.
 
 ## Host & Port
+
 `optional: true`
 
 Defines the address to listen on.
@@ -17,6 +18,17 @@ Defines the address to listen on.
     host: 0.0.0.0
     port: 9091
 
+## TLS
+
+`optional: true`
+
+Authelia can use TLS. Provide the certificate and the key with the
+following configuration options:
+
+    tls_key: /var/lib/authelia/ssl/key.pem
+    tls_cert: /var/lib/authelia/ssl/cert.pem
+
+
 ## Logs level
 
 `optional: true`

internal/configuration/schema/configuration.go

@@ -4,6 +4,9 @@ package schema
 type Configuration struct {
 	Host    string `mapstructure:"host"`
 	Port    int    `mapstructure:"port"`
+	TLSCert string `mapstructure:"tls_cert"`
+	TLSKey  string `mapstructure:"tls_key"`
+
 	LogsLevel string `mapstructure:"logs_level"`
 
 	// This secret is used by the identity validation process to forge JWT tokens

internal/configuration/validator/configuration.go

@@ -24,6 +24,12 @@ func Validate(configuration *schema.Configuration, validator *schema.StructValid
 		configuration.LogsLevel = defaultLogsLevel
 	}
 
+	if configuration.TLSKey != "" && configuration.TLSCert == "" {
+		validator.Push(fmt.Errorf("No TLS certificate provided, please check the \"tls_cert\" which has been configured"))
+	} else if configuration.TLSKey == "" && configuration.TLSCert != "" {
+		validator.Push(fmt.Errorf("No TLS key provided, please check the \"tls_key\" which has been configured"))
+	}
+
 	if configuration.DefaultRedirectionURL != "" {
 		_, err := url.ParseRequestURI(configuration.DefaultRedirectionURL)
 		if err != nil {

internal/configuration/validator/configuration_test.go

@@ -99,3 +99,33 @@ func TestShouldAddDefaultAccessControl(t *testing.T) {
 	assert.NotNil(t, config.AccessControl)
 	assert.Equal(t, "deny", config.AccessControl.DefaultPolicy)
 }
+
+func TestShouldRaiseErrorWhenTLSCertWithoutKeyIsProvided(t *testing.T) {
+	validator := schema.NewStructValidator()
+	config := newDefaultConfig()
+	config.TLSCert = "/tmp/cert.pem"
+
+	Validate(&config, validator)
+	require.Len(t, validator.Errors(), 1)
+	assert.EqualError(t, validator.Errors()[0], "No TLS key provided, please check the \"tls_key\" which has been configured")
+}
+
+func TestShouldRaiseErrorWhenTLSKeyWithoutCertIsProvided(t *testing.T) {
+	validator := schema.NewStructValidator()
+	config := newDefaultConfig()
+	config.TLSKey = "/tmp/key.pem"
+
+	Validate(&config, validator)
+	require.Len(t, validator.Errors(), 1)
+	assert.EqualError(t, validator.Errors()[0], "No TLS certificate provided, please check the \"tls_cert\" which has been configured")
+}
+
+func TestShouldNotRaiseErrorWhenBothTLSCertificateAndKeyAreProvided(t *testing.T) {
+	validator := schema.NewStructValidator()
+	config := newDefaultConfig()
+	config.TLSCert = "/tmp/cert.pem"
+	config.TLSKey = "/tmp/key.pem"
+
+	Validate(&config, validator)
+	require.Len(t, validator.Errors(), 0)
+}

internal/server/server.go

@@ -101,9 +101,18 @@ func StartServer(configuration schema.Configuration, providers middlewares.Provi
 		ctx.SendFile(path.Join(publicDir, "index.html"))
 	}
 
-	portPattern := fmt.Sprintf("%s:%d", configuration.Host, configuration.Port)
-	logging.Logger().Infof("Authelia is listening on %s", portPattern)
+	addrPattern := fmt.Sprintf("%s:%d", configuration.Host, configuration.Port)
 
-	logging.Logger().Fatal(fasthttp.ListenAndServe(portPattern,
+	if configuration.TLSCert != "" && configuration.TLSKey != "" {
+		logging.Logger().Infof("Authelia is listening on %s and uses TLS", addrPattern)
+
+		logging.Logger().Fatal(fasthttp.ListenAndServeTLS(addrPattern,
+			configuration.TLSCert, configuration.TLSKey,
+			middlewares.LogRequestMiddleware(router.Handler)))
+	} else {
+		logging.Logger().Infof("Authelia is listening on %s and do not use TLS", addrPattern)
+
+		logging.Logger().Fatal(fasthttp.ListenAndServe(addrPattern,
 			middlewares.LogRequestMiddleware(router.Handler)))
 	}
+}

internal/suites/Standalone/configuration.yml

@@ -3,6 +3,8 @@
 ###############################################################
 
 port: 9091
+tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /var/lib/authelia/ssl/key.pem
 
 logs_level: debug
 

internal/suites/Standalone/docker-compose.yml

@@ -7,5 +7,6 @@ services:
     volumes:
       - './Standalone/configuration.yml:/etc/authelia/configuration.yml:ro'
       - './Standalone/users.yml:/var/lib/authelia/users.yml'
+      - './Standalone/ssl:/var/lib/authelia/ssl'
       - '/tmp:/tmp'
     user: ${USER_ID}:${GROUP_ID}

internal/suites/Standalone/ssl/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIRAKF0IRxC55eee6icERVf6fgwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAgFw0yMDAzMDExMjMzMzlaGA8yMTIwMDIwNjEy
+MzMzOVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMi7/oSazFIxP3rHsSLjw5XPnpMKEaVwU1zLRzW6W80BDa/ER5to
+I3POGLv8lAhtUwB6WvyilrCZfs/D5lkcCxswafU/2LNppFuODnW+PG9eobgOy6Nv
+f+KbnZFPRV7PB2yK6DqMyb+tbTQ7F6rEf4i6n28DI0dNyNvUCk0ld3o93LZBvC/D
+/+Ulf3Vtdfsd2TckXvdA8lH4VGQJ+FIxhboTlbW8VJlk1V7FZef7+m867kOnPSaj
+zv5yygrIA0XPaMAZC/SZrXHMdhvcs43fgmmTel7JD4Sy/Z/pmFlrZr5Xa8jcWycJ
+ILLuPnXhgKstgq5wtDkTMZ6rpgMrKcjMKcMCAwEAAaNNMEswDgYDVR0PAQH/BAQD
+AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8w
+DYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBABdWkbipzPivAvvamMmQ
+5iPPeStfdr5MBxJGT9nPbeXdtS/13FJnspLBMMYOw/2AZk7VFrNjxkXc4NHZSlGz
+FcGMlSO40fyirdYaQTDtS230ucLB+LzfZx37y9dKpEKVmQ151kKJjJ4hAZ47LmAQ
+aFoDLRo7PA2HmnJ60GrI9wVp96uy1sQ6PcToIyMcVEQ/tLEEow+ykSeiZb9+qBKV
+K9GUcu2LorhBtUMmEWs0TJElaf6eKUoG6JXM2byulDg24w5b9gC26kAlHWc5WDU5
+pAXOjlN/OYHB0sDbYViWIL390376fYIfu2N5EDKY4QjEYsWEs4Wm9HVS9IgHP/Gi
+Xbo=
+-----END CERTIFICATE-----

internal/suites/Standalone/ssl/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDIu/6EmsxSMT96
+x7Ei48OVz56TChGlcFNcy0c1ulvNAQ2vxEebaCNzzhi7/JQIbVMAelr8opawmX7P
+w+ZZHAsbMGn1P9izaaRbjg51vjxvXqG4Dsujb3/im52RT0Vezwdsiug6jMm/rW00
+OxeqxH+Iup9vAyNHTcjb1ApNJXd6Pdy2Qbwvw//lJX91bXX7Hdk3JF73QPJR+FRk
+CfhSMYW6E5W1vFSZZNVexWXn+/pvOu5Dpz0mo87+csoKyANFz2jAGQv0ma1xzHYb
+3LON34Jpk3peyQ+Esv2f6ZhZa2a+V2vI3FsnCSCy7j514YCrLYKucLQ5EzGeq6YD
+KynIzCnDAgMBAAECggEAC13R0LJvRWwyewJZvm8FQTNreEoGq8aLgeKk2p792cLo
+gn5ry5n+/+y4q9RmkX+XRpynEE0omUFn09306jDTVCvOpCuEWsxtmR2XJgWqqGfE
+Yoa78zo6FJvZNUQ22mKAuh23frFAL1FjsKRz96B+1EA1DPUxhzUZXZFJMAsiE9LZ
+PxqPmnqXbPZsOb1XG33TAdCp6CC3H8KHICC+i4IC8prjKHGH/Q1saoNw8jmgwv0S
+DelQUbEtqfmE6BmyTGxdeu4uW2Nv/wcENwySAOPKi5gstlbSKTa4IpKGp7CdquWi
+stUW6pnSiEeDrDAzwC8uWdncOvnkAy2lRJkz/F9YoQKBgQDrCCqYdvGshecBBnfQ
+fowxak2YBfG2jhAKPMHzrvQn5FIb+11x/jeXPEfOB6FShIzZ97JpFIpH3tcONlj3
+OVzGCTD6WdRTcltzXVneJtNog7DliNFY4YmIPmQJ+y+EvJW1rSZTZAZI1Nbijg3n
+fSd0PTzvgOGHSl1//RI1mFx7MwKBgQDapIPPSF0yf1UJ6Hhzam5NHGZ9fSqV5Qs0
+Gi7uM08iDV5K7xiPglBkbN2EuMlgVnHaa5g8X897uwRSYR6nL4PRvcJiNSvnhWhe
++K3x7iHewIPYVfcghoqzuPKsXH2Zm26usdXHxBBa3IBbKtGaHnAd9h65AOUYAmAx
+C2BzN90XMQKBgE2MjEFyPZunMulrsOziVG+Zm7ClhXOuvCwkj/pPp8/hzhXdgp+y
+ObV09lxMuDX59l+VExEI7fd414yg8gngq3PMZJS2PxCpkvMlwhlCxk6d5ShXVHv3
+LuH9dBS3BJ7PerZPQ24QeuJdF+n45S2UZgg8jHaaF9AEAYXRgsicVSdxAoGAJI0U
+K/bg/awjv0BJwqGsRt/Ukm32TJC5ysAF0HRrajnp5YULChKy9dbtQV7S63QIHIeY
+L5+kw/6DvnHV+gULeGjMsjZJXK8Ev7u6+JLivqZYZDYa1iknztvAVegwZxmA61t3
+bantQgNSwerql2U3QQsAH9Vydw0On6RTP2+7WkECgYBWD3u64hBKmAxPkqPotkgI
+w/jdOlv8FLHO79+oH1PtKvkzspcYaecKGDm/RNLIXLYnt0AmZEK4qQ4/zDFaR/rc
+AhoxK2cKTRltMrhp1ivtFfLggVGogtYNxEnjnsD4KMvH3SjSNdt06YgtZ92++fOp
+UsE8Mpf4/G5X7DmcHJHk+w==
+-----END PRIVATE KEY-----

internal/suites/constants.go

@@ -39,4 +39,4 @@ var MX2MailBaseURL = fmt.Sprintf("https://mx2.mail.%s", BaseDomain)
 var DuoBaseURL = "https://duo.example.com"
 
 // AutheliaBaseURL the base URL of Authelia service
-var AutheliaBaseURL = "http://authelia.example.com:9091"
+var AutheliaBaseURL = "https://authelia.example.com:9091"

internal/suites/example/compose/authelia/resources/nginx.conf

@@ -14,4 +14,14 @@ http {
             proxy_pass        http://authelia-backend:9091;
         }
     }
+
+    server {
+        # Reach authelia-backend using TLS.
+        listen 3001;
+
+        location / {
+            proxy_set_header  Host $http_host;
+            proxy_pass        https://authelia-backend:9091;
+        }
+    }
 }

internal/suites/example/compose/nginx/portal/docker-compose.https.yml

@@ -0,0 +1,16 @@
+version: '3'
+services:
+  nginx-portal:
+    image: nginx:alpine
+    volumes:
+      - ./example/compose/nginx/portal/nginx.https.conf:/etc/nginx/nginx.conf
+      - ./example/compose/nginx/portal/ssl:/etc/ssl
+    networks:
+      authelianet:
+        aliases:
+          - public.example.com
+          - secure.example.com
+          - login.example.com
+          - duo.example.com
+        # Set the IP to be able to query on port 443
+        ipv4_address: 192.168.240.100

internal/suites/example/compose/nginx/portal/nginx.https.conf

@@ -0,0 +1,227 @@
+#
+# You can find a documented example of configuration in ./docs/proxies/nginx.md.
+#
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen 8080 ssl;
+        server_name     login.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $frontend_endpoint http://authelia-frontend:3001;
+        set $backend_endpoint https://authelia-backend:9091;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        # Serve the backend API for the portal.
+        location /api {
+            proxy_set_header  X-Real-IP $remote_addr;
+
+            # Required by Authelia because "trust proxy" option is used.
+            # See https://expressjs.com/en/guide/behind-proxies.html
+            proxy_set_header  X-Forwarded-Proto $scheme;
+
+            # Required by Authelia to build correct links for identity validation.
+            proxy_set_header  X-Forwarded-Host $http_host;
+
+            # Needed for network ACLs to work. It appends the IP of the client to the list of IPs
+            # and allows Authelia to use it to match the network-based ACLs.
+            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            proxy_intercept_errors on;
+
+            proxy_pass        $backend_endpoint;
+        }
+
+        # Serves the portal application.
+        location / {
+            # Allow websockets for webpack to auto-reload.
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host "127.0.0.1";
+
+            proxy_pass        $frontend_endpoint;
+        }
+    }
+
+    # Serves the home page.
+    server {
+        listen 8080 ssl;
+        server_name     home.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_endpoint http://nginx-backend;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location / {
+            proxy_set_header  Host $http_host;
+            proxy_pass        $upstream_endpoint;
+        }
+    }
+
+    # Example configuration of domains protected by Authelia.
+    server {
+        listen 8080 ssl; 
+        server_name     public.example.com
+                        admin.example.com
+                        secure.example.com
+                        dev.example.com
+                        singlefactor.example.com
+                        mx1.mail.example.com mx2.mail.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_verify https://authelia-backend:9091/api/verify;
+        set $upstream_endpoint http://nginx-backend;
+        set $upstream_headers http://httpbin:8000/headers;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        # Reverse proxy to the backend. It is protected by Authelia by forwarding authorization checks
+        # to the virtual endpoint introduced by nginx and declared in the next block.
+        location / {
+            auth_request /auth_verify;
+            
+            auth_request_set $user      $upstream_http_remote_user;
+            proxy_set_header            X-Forwarded-User $user;
+            
+            auth_request_set            $groups $upstream_http_remote_groups;
+            proxy_set_header            Remote-Groups $groups;
+
+            # Route the request to the correct virtual host in the backend.
+            proxy_set_header            Host $http_host;
+
+            # Authelia relies on Proxy-Authorization header to authenticate in basic auth.
+            # but for the sake of simplicity (because Authorization in supported in most
+            # clients) we take Authorization from the frontend and rewrite it to
+            # Proxy-Authorization before sending it to Authelia.
+            proxy_set_header            Proxy-Authorization $http_authorization;
+
+            # mitigate HTTPoxy Vulnerability
+            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+            proxy_set_header            Proxy "";
+
+            # Set the `target_url` variable based on the request. It will be used to build the portal
+            # URL with the correct redirection parameter.
+            set                         $target_url $scheme://$http_host$request_uri;
+            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
+
+            proxy_pass                  $upstream_endpoint;
+        }
+
+        # Virtual endpoint forwarding requests to Authelia server.
+        location /auth_verify {
+            internal;
+            proxy_set_header            X-Real-IP $remote_addr;
+
+            # Provide either X-Original-URL and X-Forwarded-Proto or
+            # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-URI or both.
+            # Those headers will be used by Authelia to deduce the target url of the user.
+            #
+            # X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option.
+            # See https://expressjs.com/en/guide/behind-proxies.html
+            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
+
+            proxy_set_header            X-Forwarded-Proto $scheme;
+            proxy_set_header            X-Forwarded-Host $http_host;
+            proxy_set_header            X-Forwarded-URI $request_uri;
+            
+            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            # Authelia can receive Proxy-Authorization to authenticate however most of the clients
+            # support Authorization instead. Therefore we rewrite Authorization into Proxy-Authorization.
+            proxy_set_header            Proxy-Authorization $http_authorization;
+
+            proxy_pass_request_body     off;
+            proxy_set_header            Content-Length "";
+
+            proxy_pass                  $upstream_verify;
+        }
+
+        # Used by suites to test the forwarded users and groups headers produced by Authelia.
+        location /headers {
+            auth_request /auth_verify;
+
+            auth_request_set            $user $upstream_http_remote_user;
+            proxy_set_header            Custom-Forwarded-User $user;
+            
+            auth_request_set            $groups $upstream_http_remote_groups;
+            proxy_set_header            Custom-Forwarded-Groups $groups;
+
+            set                         $target_url $scheme://$http_host$request_uri;
+            error_page 401 =302         https://login.example.com:8080/?rd=$target_url;
+
+            proxy_pass                  $upstream_headers;
+        }
+    }
+
+    # Fake Web Mail used to receive emails sent by Authelia.
+    server {
+        listen 8080 ssl;
+        server_name     mail.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_endpoint http://smtp:1080;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location / {
+            proxy_set_header  Host $http_host;
+            proxy_pass        $upstream_endpoint;
+        }
+    }
+
+    # Fake API emulating Duo behavior
+    server {
+        listen 443 ssl;
+        server_name     duo.example.com;
+
+        resolver 127.0.0.11 ipv6=off;
+        set $upstream_endpoint http://duo-api:3000;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location / {
+            proxy_set_header  Host $http_host;
+            proxy_pass        $upstream_endpoint;
+        }
+    }
+
+    # Matches all domains. It redirects to the home page.
+    server {
+	    listen 8080 ssl;
+	    server_name _;
+
+        ssl_certificate     /etc/ssl/server.cert;
+        ssl_certificate_key /etc/ssl/server.key;
+
+	    return 301 https://home.example.com:8080/;
+    }
+}
+

internal/suites/registry.go

@@ -11,8 +11,13 @@ import (
 type Suite struct {
 	SetUp        func(tmpPath string) error
 	SetUpTimeout time.Duration
+
+	// Callback called when an error occur during setup phase.
 	OnSetupTimeout func() error
 
+	// Callback called when at least one test fail
+	OnError func() error
+
 	TestTimeout time.Duration
 
 	TearDown        func(tmpPath string) error

internal/suites/scenario_backend_protection_test.go

@@ -9,6 +9,8 @@ import (
 	"github.com/stretchr/testify/suite"
 )
 
+// WARNING: This scenario is intended to be used with TLS enabled in the authelia backend.
+
 type BackendProtectionScenario struct {
 	suite.Suite
 }

internal/suites/suite_standalone.go

@@ -14,7 +14,7 @@ func init() {
 		"internal/suites/example/compose/authelia/docker-compose.backend.{}.yml",
 		"internal/suites/example/compose/authelia/docker-compose.frontend.{}.yml",
 		"internal/suites/example/compose/nginx/backend/docker-compose.yml",
-		"internal/suites/example/compose/nginx/portal/docker-compose.yml",
+		"internal/suites/example/compose/nginx/portal/docker-compose.https.yml",
 		"internal/suites/example/compose/smtp/docker-compose.yml",
 	})
 
@@ -28,7 +28,7 @@ func init() {
 		return waitUntilAutheliaBackendIsReady(dockerEnvironment)
 	}
 
-	onSetupTimeout := func() error {
+	displayAutheliaLogs := func() error {
 		backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
 		if err != nil {
 			return err
@@ -51,7 +51,8 @@ func init() {
 	GlobalRegistry.Register(standaloneSuiteName, Suite{
 		SetUp:           setup,
 		SetUpTimeout:    5 * time.Minute,
-		OnSetupTimeout:  onSetupTimeout,
+		OnError:         displayAutheliaLogs,
+		OnSetupTimeout:  displayAutheliaLogs,
 		TearDown:        teardown,
 		TestTimeout:     3 * time.Minute,
 		TearDownTimeout: 2 * time.Minute,