diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index 373834264..b53de1df4 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md @@ -383,7 +383,7 @@ proxy_set_header X-Forwarded-For $remote_addr; set $upstream_authelia http://authelia:9091/api/authz/auth-request; ## Virtual endpoint created by nginx to forward auth requests. -location /authelia { +location /internal/authelia/authz { ## Essential Proxy Configuration internal; proxy_pass $upstream_authelia; @@ -423,7 +423,7 @@ and is paired with [authelia-location.conf](#authelia-locationconf).* {{< details "/config/nginx/snippets/authelia-authrequest.conf" >}} ```nginx ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. -auth_request /authelia; +auth_request /internal/authelia/authz; ## Set the $target_url variable based on the original request. @@ -478,7 +478,7 @@ implementation `AuthRequest` which contains the `HeaderAuthorization` and `Heade set $upstream_authelia http://authelia:9091/api/authz/auth-request/basic; # Virtual endpoint created by nginx to forward auth requests. -location /authelia-basic { +location /internal/authelia/authz/basic { ## Essential Proxy Configuration internal; proxy_pass $upstream_authelia; @@ -526,7 +526,7 @@ endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequ {{< details "/config/nginx/snippets/authelia-authrequest-basic.conf" >}} ```nginx ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. -auth_request /authelia-basic; +auth_request /internal/authelia/authz/basic; ## Comment this line if you're using nginx without the http_set_misc module. set_escape_uri $target_url $scheme://$http_host$request_uri; 
@@ -570,7 +570,7 @@ if ($request_uri = "/force-basic") { } ## A new virtual endpoint to used if the auth_request failed -location /authelia-detect { +location /internal/authelia/authz/detect { internal; if ($is_basic_auth) { @@ -598,7 +598,7 @@ endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequ {{< details "/config/nginx/snippets/authelia-authrequest-detect.conf" >}} ```nginx ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. -auth_request /authelia; +auth_request /internal/authelia/authz; ## Comment this line if you're using nginx without the http_set_misc module. set_escape_uri $target_url $scheme://$http_host$request_uri; @@ -619,7 +619,7 @@ proxy_set_header Remote-Name $name; proxy_set_header Remote-Email $email; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. -error_page 401 =302 /authelia-detect?rd=$target_url; +error_page 401 =302 /internal/authelia/authz/detect?rd=$target_url; ``` {{< /details >}} diff --git a/docs/content/en/integration/proxies/support.md b/docs/content/en/integration/proxies/support.md index 01711ce27..6364fde3a 100644 --- a/docs/content/en/integration/proxies/support.md +++ b/docs/content/en/integration/proxies/support.md 
@@ -15,19 +15,19 @@ aliases: - /docs/home/supported-proxies.html --- -| Proxy | [Implementation] | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) | -|:---------------------:|:----------------:|:------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| -| [Traefik] | [ForwardAuth] | {{% support support="full" link="traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Caddy] | [ForwardAuth] | {{% support support="full" link="caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Envoy] | [ExtAuthz] | {{% support support="full" link="envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | -| [NGINX] | [AuthRequest] | {{% support support="full" link="nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | -| [NGINX Proxy Manager] | [AuthRequest] | {{% support support="full" link="nginx-proxy-manager/index.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | -| [SWAG] | [AuthRequest] | {{% support support="full" link="swag.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | -| [HAProxy] | [AuthRequest] | {{% support support="full" link="haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | -| [Skipper] | [ForwardAuth] | {{% support support="full" link="skipper.md" %}} | {{% support 
support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | -| [Traefik] 1.x | [ForwardAuth] | {{% support support="full" link="traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Apache] | N/A | {{% support link="#apache" %}} | {{% support %}} | {{% support %}} | {{% support %}} | -| [IIS] | N/A | {{% support link="#iis" %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| Proxy | [Implementation] | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) | +|:---------------------------------------:|:----------------:|:---------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| +| [Traefik] ([guide](/i/traefik)) | [ForwardAuth] | {{% support support="full" link="/i/traefik" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Caddy] ([guide](/i/caddy)) | [ForwardAuth] | {{% support support="full" link="/i/caddy" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Envoy] ([guide](/i/envoy)) | [ExtAuthz] | {{% support support="full" link="/i/envoy" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [NGINX] ([guide](/i/nginx)) | [AuthRequest] | {{% support support="full" link="/i/nginx" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | +| [NGINX Proxy Manager] ([guide](/i/npm)) | [AuthRequest] | {{% support support="full" link="/i/npm" %}} | {{% support support="unknown" %}} 
| {{% support %}} | {{% support support="full" %}} | +| [SWAG] ([guide](/i/swag)) | [AuthRequest] | {{% support support="full" link="/i/swag" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | +| [HAProxy] ([guide](/i/haproxy)) | [AuthRequest] | {{% support support="full" link="/i/haproxy" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [Skipper] ([guide](/i/skipper)) | [ForwardAuth] | {{% support support="full" link="/i/skipper" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | +| [Traefik] 1.x ([guide](/i/traefik/v1)) | [ForwardAuth] | {{% support support="full" link="/i/traefik/v1" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Apache] | N/A | {{% support link="#apache" %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| [IIS] | N/A | {{% support link="#iis" %}} | {{% support %}} | {{% support %}} | {{% support %}} | [ForwardAuth]: ../../reference/guides/proxy-authorization.md#forwardauth [AuthRequest]: ../../reference/guides/proxy-authorization.md#authrequest diff --git a/docs/content/en/integration/proxies/swag.md b/docs/content/en/integration/proxies/swag.md index 27bf138f8..242b3b6e1 100644 --- a/docs/content/en/integration/proxies/swag.md +++ b/docs/content/en/integration/proxies/swag.md 
@@ -57,7 +57,7 @@ In addition this represents a bad user experience in some instances such as: - Users sometimes visit the `https://app.example.com/authelia` URL which doesn't automatically redirect the user to `https://app.example.com` (if they visit `https://app.example.com` then they'll be redirected to authenticate then - redirected back to their original URL). + redirected back to their original URL) - Administrators may wish to setup [OpenID Connect 1.0](../../configuration/identity-providers/open-id-connect.md) in which case it also doesn't represent a good user experience as the `issuer` will be `https://app.example.com/authelia` for example @@ -147,8 +147,8 @@ services: - '443:443' volumes: - ${PWD}/data/swag:/config + ## Uncomment the line below if you want to use the Authelia configuration snippets. #- ${PWD}/data/nginx/snippets:/snippets:ro - ## Uncomment the above line if you want to use the Authelia configuration snippets. environment: PUID: '1000' PGID: '1000' diff --git a/docs/content/en/integration/proxies/traefikv1.md b/docs/content/en/integration/proxies/traefikv1.md index 7f0e0f598..41bd52201 100644 --- a/docs/content/en/integration/proxies/traefikv1.md +++ b/docs/content/en/integration/proxies/traefikv1.md @@ -11,6 +11,7 @@ menu: weight: 371 toc: true aliases: + - /i/traefik/v1 - /docs/deployment/supported-proxies/traefik1.x.html --- diff --git a/docs/content/en/overview/prologue/supported-proxies.md b/docs/content/en/overview/prologue/supported-proxies.md index d834d6973..dfb960f2c 100644 --- a/docs/content/en/overview/prologue/supported-proxies.md +++ b/docs/content/en/overview/prologue/supported-proxies.md 
@@ -14,19 +14,19 @@ toc: false The following table is a support matrix for Authelia features and specific reverse proxies. -| Proxy | Standard | Kubernetes | XHR Redirect | Request Method | -|:---------------------:|:--------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| -| [Traefik] | {{% support support="full" link="../../integration/proxies/traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Caddy] | {{% support support="full" link="../../integration/proxies/caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Envoy] | {{% support support="full" link="../../integration/proxies/envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | -| [NGINX] | {{% support support="full" link="../../integration/proxies/nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | -| [NGINX Proxy Manager] | {{% support support="full" link="../../integration/proxies/nginx-proxy-manager/index.md" %}} | {{% support %}} | {{% support %}} | {{% support support="full" %}} | -| [SWAG] | {{% support support="full" link="../../integration/proxies/swag.md" %}} | {{% support %}} | {{% support %}} | {{% support support="full" %}} | -| [HAProxy] | {{% support support="full" link="../../integration/proxies/haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | -| [Traefik] 1.x | {{% support support="full" 
link="../../integration/proxies/traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | -| [Skipper] | {{% support support="full" link="../../integration/proxies/skipper.md" %}} | {{% support %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | -| [Apache] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | -| [IIS] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| Proxy | Standard | Kubernetes | XHR Redirect | Request Method | +|:---------------------------------------:|:-------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| +| [Traefik] ([guide](/i/traefik)) | {{% support support="full" link="/i/traefik" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Caddy] ([guide](/i/caddy)) | {{% support support="full" link="/i/caddy" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Envoy] ([guide](/i/envoy)) | {{% support support="full" link="/i/envoy" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [NGINX] ([guide](/i/nginx)) | {{% support support="full" link="/i/nginx" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | +| [NGINX Proxy Manager] ([guide](/i/npm)) | {{% support support="full" link="/i/npm" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | +| [SWAG] ([guide](/i/swag)) | {{% support support="full" link="/i/swag" 
%}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | +| [HAProxy] ([guide](/i/haproxy)) | {{% support support="full" link="/i/haproxy" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [Skipper] ([guide](/i/skipper)) | {{% support support="full" link="/i/skipper" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | +| [Traefik] 1.x ([guide](/i/traefik/v1)) | {{% support support="full" link="/i/traefik/v1" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Apache] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| [IIS] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | Legend: diff --git a/internal/suites/example/compose/nginx/portal/nginx.conf b/internal/suites/example/compose/nginx/portal/nginx.conf index a6986fe06..d7260426c 100644 --- a/internal/suites/example/compose/nginx/portal/nginx.conf +++ b/internal/suites/example/compose/nginx/portal/nginx.conf @@ -164,7 +164,7 @@ http { # to the virtual endpoint introduced by nginx and declared in the next block. location / { ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /authelia; + auth_request /internal/authelia/authz; ## Set the $target_url variable based on the original request. set $target_url $scheme://$http_host$request_uri; @@ -209,7 +209,7 @@ http { } # Virtual endpoint forwarding requests to Authelia server. - location /authelia { + location /internal/authelia/authz { ## Essential Proxy Configuration internal; proxy_pass $upstream_authelia; 
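Review bot: The renamed `location /internal/authelia/authz` block (hunk `-209,7`) is still a prefix match, so it also captures any URI that merely begins with that string. What keeps clients out is the `internal;` directive two lines below, not the word "internal" in the path. I would say so above the block with `# Not client-reachable: 'internal' limits this location to subrequests and internal redirects; external requests get 404.` Also consider `location = /internal/authelia/authz`, since every `auth_request` visible in this diff targets that exact URI. The same applies to the second server block's copy in hunk `-346,7`; the location body continues outside the hunk, so confirm nothing in it relies on prefix matching.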
@@ -250,7 +250,7 @@ http { # Used by suites to test the forwarded users and groups headers produced by Authelia. location /headers { ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /authelia; + auth_request /internal/authelia/authz; ## Set the $target_url variable based on the original request. set $target_url $scheme://$http_host$request_uri; @@ -307,7 +307,7 @@ http { # to the virtual endpoint introduced by nginx and declared in the next block. location / { ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /authelia; + auth_request /internal/authelia/authz; ## Set the $target_url variable based on the original request. set $target_url $scheme://$http_host$request_uri; @@ -346,7 +346,7 @@ http { } # Virtual endpoint forwarding requests to Authelia server. - location /authelia { + location /internal/authelia/authz { ## Essential Proxy Configuration internal; proxy_pass $upstream_authelia; @@ -356,7 +356,6 @@ http { # Those headers will be used by Authelia to deduce the target url of the user. # # X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option. - # See https://expressjs.com/en/guide/behind-proxies.html proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
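Review bot: In hunk `-356,7`, the surviving comment `# X-Forwarded-Proto is mandatory since Authelia uses the "trust proxy" option.` still names an option that nothing left on the page explains, now that the Express link is removed. Reword it to say what the header is for, e.g. `# X-Forwarded-Proto is mandatory: Authelia uses it when deducing the target URL.` Separately, the context line `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` passes on whatever X-Forwarded-For value the client sent, with the peer address appended, whereas the nginx.md snippet in this same commit sets `$remote_addr`. If this portal is the first hop, either switch to `$remote_addr` or add a comment that the difference is deliberate for the suites, so the example is not copied as-is into a deployment that trusts the header. The location block starts and ends outside the hunk.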