-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Single Authelia Server for Multiple Endpoints #2874
Comments
You need to ensure that the X-Forwarded-* headers are correct. If the proxy handling The two options are to directly expose the raw port and only allow known proxies to connect, or to add a separate location directive that doesn't override any of these values. |
You mean I should configure the Reverse Proxy on Server1 (hosting the authelia docker container) for X-Forwarded-* headers ?
I guess just need to change the |
The issue you're most likely facing with the limited information provided is that when you make a request to https://app1.mydomain.com on server2, and it does the auth_requst to https://authelia.mydomain.com/api/verify, it sets X-Forwarded-* headers which the /api/verify endpoint relies on. But what's occurring is sever1 is changing those headers. For example X-Forwarded-Host is being changed from app1.mydomain.com t authelia.mydomain.com. You need to ensure that on server1 that endpoint is accessible in a way that doesn't cause this to happen via the proxy_set_header directives. There are multiple ways to solve this which I described some of the ways above. For example you'd add a location block similar to this: location /api/verify {
proxy_pass http://authelia:9091;
} |
Did you manage to solve this? |
Extremely sorry, I was busy with my university exams so didn't have the time to handle this. This is the current setup I have for NGINx that handles Authelia:
From your reply I could discern that I should add the following :
that is, remove all |
Yes that's correct, all of the X-Forwarded-* headers are set during the |
When I add the above block to the NGINX server handling Authelia, I can access Authelia and all services running on the same server. However on a different server, this is the config I have added :
I get a 500 error. If I change |
Nothing, it has to be over |
Sorry, had a typo there
|
Also, as I just checked, So this is only working if I directly expose authelia on port 9091 to the internet, and send auth requests to it. |
I would personally try with just the following. Maybe provide some more context on what logs occur on which server. location /api/verify {
set $upstream_authelia http://10.0.0.252:9091;
proxy_pass $upstream_authelia;
} |
I cannot use $upstream_authelia to be 10.0.0.252:9091, as the servers are located on different subnets. I need to use the proper FQDN so that NGINX correctly routes the request to the authelia server. |
Logs on Server 2 (not hosting authelia, hosting app to be protected) :
|
Then this part of your config is wrong: location / {
set $upstream_authelia http://10.0.0.252:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; These sections MUST be identical excluding the path i.e. |
Okay, now this is the config on Authelia :
and this is the config on the end point (On a separate server, located in a different data centre) :
|
|
Internal just means it's only accessible to nginx, not external clients. |
This doesn't work either, I am still getting error 500. |
So something changed, we're going to need new logs, there should be nginx errors on either both or one instance. I'd suggest using the examples instead of using your own configs, it makes it easier to debug. |
This is the error log generated on protected endpoint :
NGINX proxying authelia doesn't show any errors at such What examples should I reference ? |
The include-based example: https://www.authelia.com/docs/deployment/supported-proxies/nginx.html |
Ahh remove the |
@james-d-elliott Thanks a ton, man are you awesome !! Everything is working fine now ? As a last step may I ask why |
For anyone stumbling across this, this is my set up with NGINX Proxy Manager : On the server hosting Authelia :
On the endpoint you're trying to protect :
|
Because the auth_request was being sent to a foreign nginx server which wouldn't have that host. The header actually accomplishes nothing in any instance. It is an error in our docs, basically if you're requesting app.example.com, the host header will be set to app.example.com instead of auth.example.com so nginx matches the request incorrectly. |
So that means, proxy_set_header Host changes the name the upstream webserver needs to be accesed by ? That is, if the upstream server cannot be accessed with |
@drtech981 sorry it's been a while, but I have the exact same issue that you had. In the config you posted in the end, there's still the |
Hi, I am attempting a similar setup. I followed this thread and the configs but I am experiencing the same 500 issues. Is there an example / doc for this type of setup? Thanks |
The key element in making sure the The issues section is for discussion of bugs and feature requests, this is neither so I'd suggest opening a discussion instead if this isn't clear enough. |
Hi, just wanted to quickly reply in case someone else is intending to do the same setup. The default setup as documented in the official docs works. I just didn't have SNI configured on the server not with authelia but making a proxied request to the authelia server. I required a |
I have my authelia setup in a docker container behind an NGINx proxy on Server 1.
I can successfully use
set $upstream_authelia http://[host_ip]:9091/api/verify;
to use authelia to protect endpoints on Server 1.However, say on Server 2 I have other endpoints I want to protect. If I use
set $upstream_authelia https://authelia.mydomain.com/api/verify;
the redirect fails and I get a 500 error.
How can I use authelia on remote endpoints securely ?
The text was updated successfully, but these errors were encountered: