Need some help with Authelia plz

Thanks that would be very helpful. I’m very close to making it work but every time I put the Duo proxy in between the LetsEncrypt and the LDAP server it fails.
I’ll create a separate topic as this is not relevant to this topic.

The path changes have been released under v4.19.0, docs here.
You can run it with any of the following tags:

  • master (you probably don’t want this unless you want to be running bleeding edge).
  • 4.19.0
  • 4.19
  • 4

@nightah I’m driving myself crazy over here with the subfolder :grimacing:

I have it partially working, just can’t go all the way.

The one concerning thing I noticed is that, if the auth request server is not set up correctly (wrong address, no connection, etc.), nginx just lets the user in. I would expect nginx to block by default if auth request is not successful. I’ll look into it more later.

With authelia subfolder, my assumption is that all pages are served under the subfolder, including the login page and all api call addresses?

If so, I set it up so that auth request is set to /authelia/api/verify, which is proxied to https://authelia:9091/authelia/api/verify with a ^~ for exact match, and that part seems to work.
The error page 401 is set to redirect to /authelia/?rd=$target_url; and the location block /authelia proxies to http://authelia:9091.

That part semi works, because although it redirects to the login page, the ?rd=$target_url gets stripped, so after successful auth, it redirects to the naked domain rather than the original requested subdomain.

I keep getting different results with trailing slashes in different places and it’s driving me nuts.

Here are the confs I’m currently using:
authelia-server.conf:

# Virtual endpoint created by nginx to forward auth requests.

location /authelia {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
}

location ^~ /authelia/api/verify {
    internal;
    resolver 127.0.0.11;
    set $upstream_authelia authelia;
    proxy_pass_request_body off;
    proxy_pass http://$upstream_authelia:9091;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
    # Provide either X-Original-URL and X-Forwarded-Proto or
    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
    # Those headers will be used by Authelia to deduce the target url of the user.
    # Basic Proxy Config
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

authelia-location.conf:

auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 /authelia/?rd=$target_url;

heimdall proxy conf:

# make sure that your dns has a cname set for heimdall

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name heimdall.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        # enable the next line for authelia
        include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app heimdall;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

Been trying to get this running with the lite config, but it keeps coming back saying it's missing parts in the configuration.yml.
JWT secret… what do I do with that…? The documentation isn't very clear on what to put there or how to generate it. If I put file notifiers in there it still wants smtp or filesystem.

Am I using the wrong tag for the docker with latest?

@aptalca was close: the redirect seems to be stripped because there's no server notation. Your authelia-server.conf is fine; just a small change to the config that you provided to adapt the authelia-location.conf:

authelia-location.conf

auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://$server_name/authelia/?rd=$target_url;

@Amviewer step 4 in the Lite docs tells you to update your configuration.yml and docker-compose.yml with your respective domains and secrets.

There’s a note in the example config for all the respective secrets.
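As an added example (not code from this thread or from Authelia), a small Python lint that applies the conventions the thread settles on to an nginx config: the verify endpoint is marked `internal`, it does not forward the request body, and the 401 redirect is an absolute URL so the ?rd= target survives. The sample config is constructed to mirror the confs above, with the relative redirect that was causing the problem.

```python
import re

# Constructed sample modelled on the thread's confs (not a real deployment); the 401 redirect is still the relative form.
SAMPLE_CONF = """
server {
    location ^~ /authelia/api/verify {
        internal;
        proxy_pass_request_body off;
        proxy_pass http://authelia:9091;
    }
    location / {
        auth_request /authelia/api/verify;
        auth_request_set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 /authelia/?rd=$target_url;
        proxy_pass https://heimdall:443;
    }
}
"""

def locations(text):
    """Map each location path (last header token) to its directives as token lists; nesting inside server{} is tracked."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    out, stack, cur = {}, [], []
    for tok in tokens:
        if tok == "{":
            stack.append(cur[-1] if cur and cur[0] == "location" else None)
            out.setdefault(stack[-1], [])
        elif tok == "}":
            stack.pop()
        elif tok == ";" and stack:
            out[stack[-1]].append(cur)
        cur = [] if tok in "{};" else cur + [tok]
    out.pop(None, None)  # drop directives that belong to non-location blocks
    return out

def check_auth_request(text):
    """Findings for every location protected by auth_request, per the thread's fixes."""
    findings, locs = [], locations(text)
    for path, dirs in locs.items():
        for target in [d[1] for d in dirs if d[0] == "auth_request"]:
            tdirs = locs.get(target, [])
            if ["internal"] not in tdirs:
                findings.append(f"{path}: auth target {target} is not marked internal")
            if ["proxy_pass_request_body", "off"] not in tdirs:
                findings.append(f"{path}: auth target {target} forwards the request body")
        for d in dirs:
            if d[0] == "error_page" and "401" in d and "://" not in d[-1]:
                findings.append(f"{path}: 401 redirect '{d[-1]}' is relative; use an absolute URL")
    return findings
```

Run it on a real authelia-server.conf plus the server block that includes authelia-location.conf; an empty list means the wiring matches the thread's final form.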

:man_facepalming: yup, that fixed it. Thanks. I ended up using $scheme://$http_host/authelia/?rd=$target_url for consistency.

I just noticed that the reset password email includes a reset link without the subfolder.

Good spot, thanks for that. I'll fix that up.

Also, $scheme:// makes sense for consistency, but just be aware it won't work if it happens to land on an http:// entrypoint.

I didn't use docker compose.
Just Portainer; pulled :latest, did a bind for etc/authelia and put the configuration.yml there.
Don't really like the stacks that get created when you use compose. I like to control which network it's in etc… which you can do… I know.
Will try again later with the 4.19 tags and see if it works.

@nightah
Here are the PRs ready for testing:


Nice work @aptalca, we’ve also released a patch release v4.19.1 for the incorrect hyperlink if running with path specified.


Finally got Authelia to work and put in all the bits for Nginx but I get this error in the LetsEncrypt container.

nginx: [emerg] unknown "upstream_authelia_external" variable

It seems to hang on this part in the subfolder conf:

# enable the next four lines for Authelia

auth_request /authelia;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 $upstream_authelia_external/?rd=$target_url;