Redirection Not Working #364

Closed

n4kre opened this issue May 9, 2019 · 9 comments

Labels: priority/3/medium (Medium priority items), type/question (A question rather than a feature/bug)

Comments

n4kre commented May 9, 2019

Hi @clems4ever,

Coming from early versions of Authelia, I'm glad to experiment with version 3.15.0! It looks really cool – thanks for your effort. :)

However, I can't get the redirection working anymore, although I updated my Nginx configuration based on the documented example.

When I visit https://private.example.com/ (unauthenticated), I get redirected to https://login.example.com/#/?rd=https://private.example.com/ (note that I have /#/?rd= and not /?rd=), but then the redirection does not occur upon successful authentication.

Any clue on what could go wrong?

For your reference, I am using the following Nginx configuration.

Content of /etc/nginx/sites-enabled/login.example.com – assuming Authelia runs at http://127.0.0.1:4221:

server {
    listen 80;
    server_name login.example.com;

    access_log /var/log/nginx/login.example.com/access.log;
    error_log /var/log/nginx/login.example.com/error.log;

    # Enforce HTTPS
    location / {
        include default_headers;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name login.example.com;
    include ssl_login.example.com_params;

    access_log /var/log/nginx/login.example.com/access.log;
    error_log /var/log/nginx/login.example.com/error.log;

    # Not supposed to be called by end-users
    location = /api/verify {
        include default_headers;
        deny all;
    }

    # We don't want the user web browser to cache this
    # because it may contain sensitive data
    location /api/ {
        include default_headers_no-cache;
        include proxy_params;
        proxy_pass http://127.0.0.1:4221;
        proxy_intercept_errors on;
    }

    location / {
        include default_headers;
        include proxy_params;
        proxy_pass http://127.0.0.1:4221;
        proxy_intercept_errors on;
    }
}

Content of /etc/nginx/sites-enabled/private.example.com – assuming protected backend runs at http://127.0.0.1:8000:

server {
    listen 80;
    server_name private.example.com;

    access_log /var/log/nginx/private.example.com/access.log;
    error_log /var/log/nginx/private.example.com/error.log;

    # Enforce HTTPS
    location / {
        include default_headers;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name private.example.com;
    include ssl_private.example.com_params;

    access_log /var/log/nginx/private.example.com/access.log;
    error_log /var/log/nginx/private.example.com/error.log;

    # Authelia
    include authelia_check-auth_block_internal_api;

    location / {
        include default_headers;
        include authelia_sso_params;
        include proxy_params;
        proxy_pass http://127.0.0.1:8000;
    }
}

Content of /etc/nginx/authelia_check-auth_block_internal_api:

location = /.check-auth {
    internal;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;

    proxy_set_header Content-Length "";
    proxy_pass_request_body off;

    proxy_pass http://127.0.0.1:4221/api/verify;
}

Content of /etc/nginx/authelia_sso_params:

auth_request /.check-auth;

#auth_request_set $user $upstream_http_remote_user;
#auth_request_set $groups $upstream_http_remote_groups;
#proxy_set_header X-Forwarded-User $user;
#proxy_set_header X-Forwarded-Groups $groups;

auth_request_set $target_url $scheme://$http_host$request_uri;
error_page 401 =302 https://login.example.com/#/?rd=$target_url;

# Hide Authelia's session cookie from the protected backend servers
set $new_cookie $http_cookie;
if ($http_cookie ~ "(.*)(?:^|;)\s*authelia\.session\.id=[^;]+(.*)") {
    set $new_cookie $1$2;
}
proxy_set_header Cookie $new_cookie;

Content of /etc/nginx/default_headers:

proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

proxy_hide_header X-Content-Type-Options;
add_header X-Content-Type-Options "nosniff" always;

proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "sameorigin" always;

proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "1; mode=block" always;

proxy_hide_header X-Robots-Tag;
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;

proxy_hide_header Referrer-Policy;
add_header Referrer-Policy "same-origin" always;

Content of /etc/nginx/default_headers_no-cache is the same as /etc/nginx/default_headers, with the following extra lines:

proxy_hide_header Cache-Control;
add_header Cache-Control "no-store" always;

proxy_hide_header Pragma;
add_header Pragma "no-cache" always;

Content of /etc/nginx/proxy_params:

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Uri $request_uri;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
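The Cookie-stripping rule in authelia_sso_params above is worth exercising before trusting it, since it decides whether the Authelia session cookie can leak to every protected backend. The following is an added example, not from the issue or from Authelia: it reproduces the nginx regex in JavaScript (nginx evaluates it with PCRE, and this pattern behaves identically under JavaScript's RegExp) and runs it against constructed Cookie headers with the session cookie in each possible position, next to a name-based filter that shows what a fully clean result looks like.

```javascript
// Added example (not from the issue or from Authelia): exercises the
// Cookie-stripping regex from authelia_sso_params against several cookie
// layouts. For this pattern PCRE (nginx) and JavaScript RegExp agree, so the
// results are what the nginx `if` block hands to `proxy_set_header Cookie`.

// Same pattern as:
//   if ($http_cookie ~ "(.*)(?:^|;)\s*authelia\.session\.id=[^;]+(.*)")
const SESSION_COOKIE_RE = /(.*)(?:^|;)\s*authelia\.session\.id=[^;]+(.*)/;

// Mirrors `set $new_cookie $1$2;`. When the pattern does not match, nginx
// keeps $http_cookie unchanged, so we return the input untouched.
function stripSessionCookieNginxStyle(cookieHeader) {
  const m = SESSION_COOKIE_RE.exec(cookieHeader);
  return m ? m[1] + m[2] : cookieHeader;
}

// Reference behaviour: split on ';', drop the pair whose name is exactly the
// session cookie, re-join. Used only to compare against the regex output.
function stripSessionCookieByName(cookieHeader, name = 'authelia.session.id') {
  return cookieHeader
    .split(';')
    .map(pair => pair.trim())
    .filter(pair => pair.length > 0 && pair.split('=')[0] !== name)
    .join('; ');
}

// Constructed sample headers (assumption: "abc" stands in for the real
// signed session id seen in the logs).
const SAMPLES = [
  'authelia.session.id=abc',                 // only cookie
  'a=1; authelia.session.id=abc',            // last
  'a=1; authelia.session.id=abc; b=2',       // middle
  'authelia.session.id=abc; b=2',            // first, others follow
  'a=1; b=2',                                // absent: header must be untouched
  'xauthelia.session.id=abc; b=2',           // name is only a suffix: must NOT be stripped
];

// Runs both strategies over every sample so the differences are visible.
function compareStrategies() {
  return SAMPLES.map(header => ({
    header,
    nginx: stripSessionCookieNginxStyle(header),
    byName: stripSessionCookieByName(header),
  }));
}

for (const r of compareStrategies()) {
  console.log(`${JSON.stringify(r.header)}\n  nginx : ${JSON.stringify(r.nginx)}\n  byName: ${JSON.stringify(r.byName)}`);
}
```

The regex behaves correctly in every position, including refusing to strip a cookie whose name merely ends in authelia.session.id, with one cosmetic wrinkle: when the session cookie comes first and others follow, the backend receives a header starting with "; " (an empty pair, which servers ignore). For the single-cookie case $new_cookie becomes an empty string, and nginx does not pass a header whose value is empty, so the Cookie header is dropped altogether, which is the desired outcome.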
clems4ever (Member) commented:

Hello @n4kre , long time no see :). There is nothing obvious that I can spot in the config. Can I see some logs?

@clems4ever clems4ever added priority/3/medium Medium priority items type/question A question rather than a feature/bug labels May 9, 2019
clems4ever (Member) commented May 9, 2019

The /#/?rd= is expected by the way. It's because the portal is a web app that uses a hash router to support older versions of browsers and make the configuration of reverse proxies easier compared to browser routers.

clems4ever (Member) commented:

Don't hesitate to contribute in the documentation with all security related headers that you're using. That could really be helpful to others.

n4kre (Author) commented May 9, 2019

When I'm sure that my Nginx configuration is not at fault, I will. :)

For the redirection, there is unfortunately not much to see on server side, since the URL fragment (the URL part starting with #) is, by design, only living on client-side.

Here is an excerpt of Authelia's logs:

May 09 11:14:03 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:03 GMT+0200 (CEST)' message='Starting Authelia...'
May 09 11:14:03 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:03 GMT+0200 (CEST)' message='Listening on port 4221...'
May 09 11:14:35 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:35 GMT+0200 (CEST)' method='POST', path='/api/firstfactor' requestId='e87e92b7-0f3f-4230-94d2-e4808cfb09de' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Headers = {"host":"login.example.com","x-real-ip":"10.10.10.42","x-forwarded-for":"10.10.10.42","x-forwarded-proto":"https","connection":"upgrade","content-length":"75","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","accept":"application/json","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://login.example.com/","content-type":"application/json","origin":"https://login.example.com","dnt":"1","cookie":"authelia.session.id=s%3AXm3eOdP_45vxtO5BcjrNuWuys41uDzL0.lKWGebxSJFckJoNdsaBFOciw5k6H5gzwPO%2B6XvBbDWE"}'
May 09 11:14:35 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:35 GMT+0200 (CEST)' method='POST', path='/api/firstfactor' requestId='e87e92b7-0f3f-4230-94d2-e4808cfb09de' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Starting authentication of user "foobar"'
May 09 11:14:35 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:35 GMT+0200 (CEST)' method='POST', path='/api/firstfactor' requestId='e87e92b7-0f3f-4230-94d2-e4808cfb09de' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='No regulation applied.'
May 09 11:14:35 mymachine index.js[2417]: debug: LDAP: Bind user 'cn=admin,dc=example,dc=com'
May 09 11:14:35 mymachine index.js[2417]: debug: Computed users filter is cn=foobar
May 09 11:14:35 mymachine index.js[2417]: debug: LDAP: searching for user dn of foobar
May 09 11:14:35 mymachine index.js[2417]: debug: LDAP: retrieved user dn is cn=foobar,ou=users,dc=example,dc=com
May 09 11:14:35 mymachine index.js[2417]: debug: LDAP: Bind user 'cn=foobar,ou=users,dc=example,dc=com'
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: Unbind user 'cn=foobar,ou=users,dc=example,dc=com'
May 09 11:14:36 mymachine index.js[2417]: debug: Computed users filter is cn=foobar
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: searching for user dn of foobar
May 09 11:14:36 mymachine index.js[2417]: debug: Computed users filter is cn=foobar
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: searching for user dn of foobar
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: retrieved user dn is cn=foobar,ou=users,dc=example,dc=com
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: retrieved user dn is cn=foobar,ou=users,dc=example,dc=com
May 09 11:14:36 mymachine index.js[2417]: debug: Computed groups filter is (&(member=cn=foobar,ou=users,dc=example,dc=com)(objectclass=groupOfNames))
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: emails of user 'foobar' are foobar@example.com
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: groups of user foobar are [admin]
May 09 11:14:36 mymachine index.js[2417]: debug: LDAP: Unbind user 'cn=admin,dc=example,dc=com'
May 09 11:14:36 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='POST', path='/api/firstfactor' requestId='e87e92b7-0f3f-4230-94d2-e4808cfb09de' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='LDAP binding successful. Retrieved information about user are {"groups":["admin"],"emails":["antoinefavre.af@gmail.com"]}'
May 09 11:14:36 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='POST', path='/api/firstfactor' requestId='e87e92b7-0f3f-4230-94d2-e4808cfb09de' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Mark successful authentication to regulator.'
May 09 11:14:36 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='GET', path='/api/state' requestId='cd3e5328-ebbb-47ad-bf37-4596b83a57ee' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Headers = {"host":"login.example.com","x-real-ip":"10.10.10.42","x-forwarded-for":"10.10.10.42","x-forwarded-proto":"https","connection":"upgrade","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://login.example.com/","dnt":"1","cookie":"authelia.session.id=s%3AXm3eOdP_45vxtO5BcjrNuWuys41uDzL0.lKWGebxSJFckJoNdsaBFOciw5k6H5gzwPO%2B6XvBbDWE"}'
May 09 11:14:36 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='GET', path='/api/u2f/sign_request' requestId='e39d468f-706e-4f44-a110-4d783e63b07d' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Headers = {"host":"login.example.com","x-real-ip":"10.10.10.42","x-forwarded-for":"10.10.10.42","x-forwarded-proto":"https","connection":"upgrade","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://login.example.com/","dnt":"1","cookie":"authelia.session.id=s%3AXm3eOdP_45vxtO5BcjrNuWuys41uDzL0.lKWGebxSJFckJoNdsaBFOciw5k6H5gzwPO%2B6XvBbDWE"}'
May 09 11:14:36 mymachine index.js[2417]: error: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='GET', path='/api/u2f/sign_request' requestId='e39d468f-706e-4f44-a110-4d783e63b07d' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Reply with error 200: No U2F registration document found.'
May 09 11:14:36 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:36 GMT+0200 (CEST)' method='GET', path='/api/u2f/sign_request' requestId='e39d468f-706e-4f44-a110-4d783e63b07d' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='AccessDeniedError: No U2F registration document found.
May 09 11:14:36 mymachine index.js[2417]:     at /opt/authelia-master/dist/server/src/lib/routes/secondfactor/u2f/sign_request/get.js:22:47
May 09 11:14:36 mymachine index.js[2417]:     at tryCatcher (/opt/authelia-master/node_modules/bluebird/js/release/util.js:16:23)
May 09 11:14:36 mymachine index.js[2417]:     at Promise._settlePromiseFromHandler (/opt/authelia-master/node_modules/bluebird/js/release/promise.js:512:31)
May 09 11:14:36 mymachine index.js[2417]:     at Promise._settlePromise (/opt/authelia-master/node_modules/bluebird/js/release/promise.js:569:18)
May 09 11:14:36 mymachine index.js[2417]:     at Promise._settlePromise0 (/opt/authelia-master/node_modules/bluebird/js/release/promise.js:614:10)
May 09 11:14:36 mymachine index.js[2417]:     at Promise._settlePromises (/opt/authelia-master/node_modules/bluebird/js/release/promise.js:693:18)
May 09 11:14:36 mymachine index.js[2417]:     at Async._drainQueue (/opt/authelia-master/node_modules/bluebird/js/release/async.js:133:16)
May 09 11:14:36 mymachine index.js[2417]:     at Async._drainQueues (/opt/authelia-master/node_modules/bluebird/js/release/async.js:143:10)
May 09 11:14:36 mymachine index.js[2417]:     at Immediate.Async.drainQueues [as _onImmediate] (/opt/authelia-master/node_modules/bluebird/js/release/async.js:17:14)
May 09 11:14:36 mymachine index.js[2417]:     at runCallback (timers.js:763:18)
May 09 11:14:36 mymachine index.js[2417]:     at tryOnImmediate (timers.js:734:5)
May 09 11:14:36 mymachine index.js[2417]:     at processImmediate (timers.js:716:5)'
May 09 11:14:45 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='POST', path='/api/totp' requestId='725fad93-fe58-43d3-bd80-d91b1ca85bce' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Headers = {"host":"login.example.com","x-real-ip":"10.10.10.42","x-forwarded-for":"10.10.10.42","x-forwarded-proto":"https","connection":"upgrade","content-length":"18","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","accept":"application/json","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://login.example.com/","content-type":"application/json","origin":"https://login.example.com","dnt":"1","cookie":"authelia.session.id=s%3AXm3eOdP_45vxtO5BcjrNuWuys41uDzL0.lKWGebxSJFckJoNdsaBFOciw5k6H5gzwPO%2B6XvBbDWE"}'
May 09 11:14:45 mymachine index.js[2417]: info: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='POST', path='/api/totp' requestId='725fad93-fe58-43d3-bd80-d91b1ca85bce' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Initiate TOTP validation for user "foobar".'
May 09 11:14:45 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='POST', path='/api/totp' requestId='725fad93-fe58-43d3-bd80-d91b1ca85bce' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='TOTP validation succeeded.'
May 09 11:14:45 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='POST', path='/api/totp' requestId='725fad93-fe58-43d3-bd80-d91b1ca85bce' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Request redirection to "/".'
May 09 11:14:45 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='GET', path='/api/state' requestId='86fb32c8-49bb-4b0d-beb3-29cced926ea4' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Headers = {"host":"login.example.com","x-real-ip":"10.10.10.42","x-forwarded-for":"10.10.10.42","x-forwarded-proto":"https","connection":"upgrade","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://login.example.com/","dnt":"1","cookie":"authelia.session.id=s%3AXm3eOdP_45vxtO5BcjrNuWuys41uDzL0.lKWGebxSJFckJoNdsaBFOciw5k6H5gzwPO%2B6XvBbDWE"}'

Meanwhile, this is where I'm stuck (and I can't see any error in the web browser console):

[screenshot omitted]

n4kre (Author) commented May 9, 2019

As suggested by line

May 09 11:14:45 mymachine index.js[2417]: debug: date='Thu May 09 2019 11:14:45 GMT+0200 (CEST)' method='POST', path='/api/totp' requestId='725fad93-fe58-43d3-bd80-d91b1ca85bce' sessionId='Xm3eOdP_45vxtO5BcjrNuWuys41uDzL0' ip='10.10.10.42' message='Request redirection to "/".'

I don't see any request to the server so that the latter knows where to redirect the user:

[screenshot omitted]

(It's only GET requests, so the redirection parameter should be visible in requested URLs, if any.)
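clems4ever's note that the /#/?rd= form is expected, and n4kre's observation that nothing after # ever reaches the server, are two sides of the same fact: with a hash router the portal's own JavaScript has to read rd from location.hash, and it is the only component that ever sees the target. That also makes rd a user-controlled redirect destination that has to be validated, or the login portal becomes an open redirect. As an added example (not Authelia's code), here is that client-side step, handling both the v3 hash form and the /?rd= query form mentioned later in the thread; the protected domain example.com, the https-only policy, and the constructed URLs are assumptions.

```javascript
// Added example (not Authelia's code): how a hash-routed login portal has to
// recover the `rd` target on the client, and why it must validate it before
// redirecting. Browsers never send the fragment (everything after '#') to the
// server, so with https://login.example.com/#/?rd=... the server only learns
// the target if the portal's JavaScript forwards it.

// Assumption: every protected site lives under this suffix, as in the issue's
// example hosts (private.example.com, login.example.com).
const PROTECTED_DOMAIN = 'example.com';

// Pull `rd` out of either form seen in the thread:
//   v3 hash router : https://login.example.com/#/?rd=<url>
//   v4 query string: https://login.example.com/?rd=<url>
function extractRd(portalUrl) {
  const u = new URL(portalUrl);
  const fromQuery = u.searchParams.get('rd');
  if (fromQuery !== null) return fromQuery;
  const hash = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  const q = hash.indexOf('?');
  if (q < 0) return null;
  return new URLSearchParams(hash.slice(q + 1)).get('rd');
}

// Accept only absolute https URLs whose host is the protected domain or a
// subdomain of it. Other hosts, scheme-relative '//evil.net', javascript: and
// http: are rejected so the portal cannot be used as an open redirect.
// Returns the normalised URL string, or null when the target is unusable.
function validateRedirectTarget(rd, domain = PROTECTED_DOMAIN) {
  if (!rd) return null;
  let target;
  try {
    target = new URL(rd);            // throws on relative or garbage input
  } catch (e) {
    return null;
  }
  if (target.protocol !== 'https:') return null;
  const host = target.hostname;      // already lower-cased by the URL parser
  if (host !== domain && !host.endsWith('.' + domain)) return null;
  return target.href;
}

// Where the portal should send the browser after 2FA succeeds. '/' is the
// fallback, matching the log line 'Request redirection to "/"' that appears
// when no usable rd is available.
function postLoginRedirect(portalUrl, domain = PROTECTED_DOMAIN) {
  return validateRedirectTarget(extractRd(portalUrl), domain) || '/';
}

// Constructed inputs for a quick run.
const CASES = [
  'https://login.example.com/#/?rd=https://private.example.com/',
  'https://login.example.com/?rd=https://private.example.com/app?x=1',
  'https://login.example.com/#/?rd=https://private.example.com/app?x=1&y=2', // y=2 is lost
  'https://login.example.com/#/',
  'https://login.example.com/#/?rd=https://private.example.com.evil.net/',
  'https://login.example.com/#/?rd=//evil.net/',
  'https://login.example.com/#/?rd=javascript:alert(1)',
  'https://login.example.com/#/?rd=http://private.example.com/',
];
for (const c of CASES) console.log(`${c}\n  -> ${postLoginRedirect(c)}`);
```

The x=1&y=2 case shows a second consequence of the nginx snippet in the first comment: $target_url is interpolated into the 302 Location without percent-encoding, so a protected URL that carries its own query string is split at the first & and only its first parameter survives the round trip. Percent-encoding the rd value before building the redirect avoids that.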

miberecz (Contributor) commented Jan 3, 2020

I got stuck like this as well.
Upon accessing my "landing" page, I get redirected to authelia to authenticate. After a successful authentication, it just stays there, not forwarding to the "protected" page. If I open a new tab and call the landing page again, it does.

Any suggestion, how to debug?

SilverBut (Contributor) commented:

This issue no longer seems applicable to the latest version, since the redirection parameter has changed to domain/?rd=URL

SilverBut (Contributor) commented:

@clems4ever It seems this issue is no longer valid since the configuration has changed a few times, and this issue is stalled. Maybe you could consider closing this one?

nightah (Member) commented Jan 12, 2020

@mqmq0's issue was related to his nginx config.
@n4kre could you try this again with v4 and if you have issues either post to re-open this issue or open another one please.

@nightah nightah closed this as completed Jan 12, 2020