-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication from a *remote* Nginx? #183
Comments
Hello @n4kre , thank you for the report. For your information the setup you propose is indeed not tested yet. I have only tested with nginx serving both Authelia and the app to be protected so far. It might be good to replace the original setup with yours since it is more generic. It is simple to reproduce with docker-compose btw. Thank you, |
This is similar to my (working) setup. The only difference is that I've got an added portal server in front of both Authelia and my service So requests follow this flow:
The only difference between your setup and mine (if I'm understanding your explanation correctly) is that on successful authentication your machine A handles requests directly rather then forwarding them to another machine. Here is my current nginx configuration for a 2fa protected service:
Authelia:
|
Hello @masau, very interesting setup! Amazing! @masau , @n4kre , you have both made an amazing work so far! I will definitely reuse your documentation to bootstrap a concrete complex highly available setup with terraform and ansible. |
Got it! See #178 for a complete setup, from A to Z, and with Fail2Ban. Lots of comments are provided. :) |
Awesome! I will add the tutorial to the wiki I've just created when I have some time. |
I added the tutorial to the wiki: https://github.com/clems4ever/authelia/wiki. I can now close the issue. |
Hi,
I fail to use Authelia in case the Nginx reverse proxy serving “protected” resources is not on the same machine than Authelia, i.e. when the authentication subrequest is not made to
http://127.0.0.1:xxx/verify
but tohttps://login.example.com/verify
—assuming the latter point to a remote (different machine) Nginx reverse proxy that is configured “like in your examples”—the latter runs on the same machine than Authelia.Here is the setup:
On the Nginx instance serving https://private.example.com (meant to be protected by an Authelia instance running on another machine; with its own Nginx reverse proxy), I have naively tried to use the Nginx configuration you provide in your examples to add Authelia's protection. I simply have replaced
proxy_pass http://127.0.0.1:xxx;
—in the block pointed by theauth_request
directive—withproxy_pass https://login.example.com/verify; proxy_ssl_server_name on;
.Looking at the requests received by Authelia's backend, the
X-Original-URI
HTTP header is set to/verify
, which is not what we want—it is set in this way because ofproxy_set_header X-Original-URI $request_uri;
in the Nginx configuration serving https://login.example.com —, butHost
is not rewritten—still the original (sub)domain, which is good. ForX-Forwarded-Proto
, it is rewritten in the same way tohttps
—but it does not mean the client has connected over HTTPS: it is the connection that is made between the two Nginx.Therefore, from Authelia point of view, the client asked for https://private.example.com/verify. That is inconsistent: only
private.example.com
is actually what has been requested by the client. The scheme and URI are the ones from theproxy_pass
I was talking about earlier.Then, even though Authelia answers with an HTTP status code 401—again, not for good reasons: Authelia did not get the input we want—, the Nginx server that serves https://login.example.com replies with HTTP status code 200 to the original Nginx server—serving https://private.example.com. Therefore, the authentication subrequest succeeds and grant the user the permission to access the resource. Nothing has run the way I wanted…
Note: I have made these observations via a packet capture on Authelia's machine. (
tcpdump -i lo -w capture.pcap 'tcp port xxx'
, after what I opencapture.pcap
with WireShark and apply a basichttp
filter.)My guess is that it is somehow related to Nginx configurations, but I cannot figure out how to change them so that it works. Any idea?
It would be nice to have an API (over HTTPS) to provide authentication through a centralized instance of Authelia. The idea is to still have https://login.example.com to access Authelia's web UI—where the user provides its credentials/TOTP/U2F—, and to have something like https://auth.example.com to be used “under the hood” by any Nginx (remote) server which serves resources meant to be protected by this single, centralized instance of Authelia.
The text was updated successfully, but these errors were encountered: