
Proxy Hosts don't redirect to Authelia #3

Closed
mytikasol opened this issue Jan 16, 2021 · 22 comments

Comments

@mytikasol

Hello,

I'm stumped on getting the Authelia page before my intended destination page.

After editing the Protected Endpoint.conf to my personal settings for Sonarr, I paste it into the Advanced tab of my Sonarr site in NPM and save it. But afterwards, when I click my proxy host link, it sends me straight to Sonarr instead of Authelia.

I rewatched this section of your tutorial on youtube multiple times thinking I'd missed something, but if I have, I can't figure out what it is since it only seems to need 3 edits.

I'll post my endpoint config below (with my real domain edited out as MYDOMAIN for privacy):

location /authelia {
internal;
set $upstream_authelia http://192.168.4.111:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;    
proxy_set_header Content-Length "";

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr; 
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

location / {
    set $upstream_sonarr $forward_scheme://$server:$port;
    proxy_pass $upstream_sonarr;
	
	auth_request /authelia;
	auth_request_set $target_url $scheme://$http_host$request_uri;
	auth_request_set $user $upstream_http_remote_user;
	auth_request_set $groups $upstream_http_remote_groups;
	proxy_set_header Remote-User $user;
	proxy_set_header Remote-Groups $groups;
	error_page 401 =302 https://id.MYDOMAIN.net/?rd=$target_url;
	
	client_body_buffer_size 128k;

	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

	send_timeout 5m;
	proxy_read_timeout 360;
	proxy_send_timeout 360;
	proxy_connect_timeout 360;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Host $http_host;
	proxy_set_header X-Forwarded-Uri $request_uri;
	proxy_set_header X-Forwarded-Ssl on;
	proxy_redirect  http://  $scheme://;
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_cache_bypass $cookie_session;
	proxy_no_cache $cookie_session;
	proxy_buffers 64 256k;

	set_real_ip_from 192.168.1.0/16;
	real_ip_header X-Forwarded-For;
	real_ip_recursive on;
}

Here's my ACL entry in the configuration.yml:

access_control:
  default_policy: deny

  rules:
    - domain: sonarr.MYDOMAIN.net
      policy: two_factor
@ibracorp
Collaborator

ibracorp commented Jan 16, 2021

@mytikasol Silly question here, but have you also put the Authelia conf on your host for Authelia in NPM?

@mytikasol
Author

@mytikasol Silly question here, but have you also put the Authelia conf on your host for Authelia in NPM?

Yes sir. I should've included that as well. Here's my Authelia portal.conf for id.MYDOMAIN.net:

location / {
set $upstream_authelia http://192.168.4.111:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;

	#Timeout if the real server is dead
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

	# Advanced Proxy Config
	send_timeout 5m;
	proxy_read_timeout 360;
	proxy_send_timeout 360;
	proxy_connect_timeout 360;

	# Basic Proxy Config
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Host $http_host;
	proxy_set_header X-Forwarded-Uri $request_uri;
	proxy_set_header X-Forwarded-Ssl on;
	proxy_redirect  http://  $scheme://;
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_cache_bypass $cookie_session;
	proxy_no_cache $cookie_session;
	proxy_buffers 64 256k;

	# If behind reverse proxy, forwards the correct IP
	set_real_ip_from 10.0.0.0/8;
	set_real_ip_from 172.0.0.0/8;
	set_real_ip_from 192.168.0.0/16;
	set_real_ip_from fc00::/7;
	real_ip_header X-Forwarded-For;
	real_ip_recursive on;
}

@ibracorp
Collaborator

Ok, thanks for that.
I apologise if you know your stuff here, but just to work through the basics: have you tried an incognito session to be sure no cookie has already been saved?

I'm about to go on the computer to check everything out better.

@mytikasol
Author

Oh no worries! I totally get checking the basics first. I did try incognito mode, as well as on my iPhone with LTE in case my local IP was bypassing Authelia somehow. I'm able to successfully authenticate with id.MYDOMAIN.net, including with google authenticator, so I feel like I'm just overlooking something between the Authelia Portal conf and the Endpoint conf.

I dug through the Unraid support forum and the authelia.com docs for hours trying to tweak it, but I admit that web security isn't my strong suit.

@ibracorp
Collaborator

ibracorp commented Jan 16, 2021

Ok so I tried to use your protected conf and it just wasn't right. Can you use the following and modify it for your setup? I changed them except the container name and domain.

location /authelia {
internal;
set $upstream_authelia http://192.168.4.111:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;    
proxy_set_header Content-Length "";

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr; 
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

location / {
set $upstream_CONTAINERNAME $forward_scheme://$server:$port;
proxy_pass $upstream_CONTAINERNAME;

auth_request /authelia;
auth_request_set $target_url https://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://id.YOURDOMAIN.net/?rd=$target_url;

client_body_buffer_size 128k;

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

set_real_ip_from 192.168.1.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

}

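Since the snippets in this thread are being compared by eye, here is an added static checker (example code written for this page; it is not part of NPM, Authelia or the ibracorp repository) that parses an NPM Advanced-tab snippet and reports the mistakes that silently switch the gate off: a protected location with no `auth_request`, a verify location that is not `internal` or still forwards the request body, a missing `error_page 401` redirect, a never-set `$target_url`, and unbalanced braces from a bad paste. The embedded `GOOD_CONF` is a trimmed, constructed version of the snippet above with placeholder addresses; `parse_config`, `lint` and the severity labels are names chosen for this example.

```python
"""Static checker for an Nginx Proxy Manager "Advanced" snippet that puts a
service behind Authelia with auth_request.  Added example for this thread; it
is not part of NPM, Authelia or the ibracorp repository.  Findings are
(severity, location, message) tuples."""

# Constructed sample: a trimmed version of the protected-endpoint snippet in
# this thread, with placeholder addresses.
GOOD_CONF = """
location /authelia {
    internal;
    set $upstream_authelia http://192.168.4.111:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
}

location / {
    set $upstream_app $forward_scheme://$server:$port;
    proxy_pass $upstream_app;
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    proxy_set_header Remote-User $user;
    error_page 401 =302 https://id.YOURDOMAIN.net/?rd=$target_url;
}
"""


def parse_config(text):
    """Split an nginx snippet into {location: [[token, ...], ...]}.

    Nested non-location blocks are folded into their enclosing location;
    statements outside any block land under '<global>'.  Raises ValueError on
    unbalanced braces, the kind of paste error that truncates the snippet."""
    cleaned = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    blocks, stack, buf = {}, [], ""
    for ch in cleaned:
        if ch == "{":
            header = buf.split()
            buf = ""
            if header and header[0] == "location":
                key = header[-1]  # the path is the last token; a modifier may precede it
            else:
                key = stack[-1] if stack else "<global>"
            stack.append(key)
            blocks.setdefault(key, [])
        elif ch == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            stack.pop()
            buf = ""
        elif ch == ";":
            tokens = buf.split()
            buf = ""
            if tokens:
                blocks.setdefault(stack[-1] if stack else "<global>", []).append(tokens)
        else:
            buf += ch
    if stack:
        raise ValueError(f"unclosed block(s): {stack}")
    return blocks


def lint(text):
    """Return findings for the snippet; an empty or INFO-only list means the gate is wired up."""
    try:
        blocks = parse_config(text)
    except ValueError as exc:
        return [("ERROR", "<file>", f"syntax: {exc}")]

    findings = []
    # The verify location is the one marked internal; auth_request must point at it.
    verify_locs = [loc for loc, stmts in blocks.items() if ["internal"] in stmts]
    if not verify_locs:
        findings.append(("ERROR", "<file>", "no internal location for the Authelia /api/verify subrequest"))
    for loc in verify_locs:
        stmts = blocks[loc]
        if ["proxy_pass_request_body", "off"] not in stmts:
            findings.append(("ERROR", loc, "subrequest forwards the request body; add 'proxy_pass_request_body off;'"))
        if ["proxy_set_header", "Content-Length", '""'] not in stmts:
            findings.append(("ERROR", loc, "Content-Length must be cleared for the bodiless subrequest"))
        if not any(s[0] == "proxy_pass" for s in stmts):
            findings.append(("ERROR", loc, "no proxy_pass to Authelia"))

    for loc, stmts in blocks.items():
        if loc in verify_locs or loc == "<global>":
            continue
        auth = [s for s in stmts if s[0] == "auth_request"]
        if not auth or auth[0][1:] == ["off"]:
            findings.append(("ERROR", loc, "no auth_request: every request is proxied straight to the upstream"))
            continue
        if auth[0][1] not in verify_locs:
            findings.append(("ERROR", loc, f"auth_request targets {auth[0][1]}, which is not an internal verify location"))
        if not any(s[:2] == ["auth_request_set", "$target_url"] for s in stmts):
            findings.append(("WARN", loc, "$target_url is never set, so the rd= parameter of the portal redirect will be empty"))
        redirects = [s for s in stmts if s[0] == "error_page" and "401" in s]
        if not redirects:
            findings.append(("ERROR", loc, "no error_page 401 redirect: unauthenticated users see a bare 401 instead of the portal"))
            continue
        target = redirects[0][-1]
        if "rd=$target_url" not in target:
            findings.append(("WARN", loc, "portal redirect carries no rd=$target_url, so users are not returned after login"))
        if target.startswith("https://"):
            findings.append(("INFO", loc, "redirect scheme is hard-coded to https://; the thread suggests $scheme:// so it matches how the client arrived"))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_CONF
    for severity, loc, msg in lint(source):
        print(f"{severity:5} {loc:12} {msg}")
```

Run it against a saved copy of the Advanced-tab text; the only finding on the sample is the INFO about the hard-coded redirect scheme, while deleting the `auth_request` line or the final brace produces an ERROR, which is what a pre-deploy check should fail on.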
@ibracorp ibracorp self-assigned this Jan 16, 2021
@mytikasol
Author

Unfortunately, I'm still getting the same result. I made sure to change my domain and container names. I tried different containers as well. I also made sure they are all on the same "bridge" connection, in case that matters.

@ibracorp
Collaborator

That's really odd.

So if I understand correctly, you can hit the page with Authelia externally directly fine?

And you can hit the Sonarr page externally fine?

But at no point is it redirecting from Sonarr to Authelia?

Confusing; in theory it would be the protected endpoint part that needs to redirect.

I'll keep thinking.

@mytikasol
Author

It really is!

Yeah, I can access and authenticate my authelia and sonarr domains successfully outside the local network. It's like NPM is just ignoring the redirect to Authelia for some reason. Definitely weird because I've even found other people's npm confs (based off yours) on reddit and such, thinking they might be different, but no luck. It's about 1AM here in the US so I'll give it a go again tomorrow. I'll let you know if I get it resolved, or try the SWAG method to see if that works. NPM just makes everything so much easier.

I really appreciate your quick responses and help so far!

@ibracorp
Collaborator

ibracorp commented Jan 16, 2021

No worries mate, get some sleep. If anything comes to me I'll update, cheers.

And I agree, NPM is nice and easy, and it's worked so far, so it must be something small to fix this (I hope).

@mikedm139

As reported here, I am experiencing the same issue. If it's helpful, I can upload my configs or other info for troubleshooting.

@Muwahhidun

This is because $scheme was replaced by https. With this replacement we fixed one bug, but then came a second and a third: there is no redirect, and the rules do not work.
Here, change https to $scheme:
error_page 401 =302 https://id.YOURDOMAIN.net/?rd=$target_url;

@Muwahhidun

Here are the right advanced settings for authelia and endpoint:
https://github.com/Muwahhidun/authelia/tree/main

@mikedm139

Here are the right advanced settings for authelia and endpoint:
https://github.com/Muwahhidun/authelia/tree/main

I just tried replacing the authelia advanced config and endpoint advanced config (Apache Guacamole for the first test). I updated the files with my SERVERIP, CONTAINERNAME, and YOURDOMAIN as required. When testing via a private browser window, the Authelia verification is still bypassed completely. What can I provide for further troubleshooting?

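A quick way to tell "bypassed" from "redirected" without reading the config is to hit the protected host with a fresh client that carries no session cookie and does not follow redirects: behind a working gate the answer is a 302 to the portal whose rd= parameter points back at the original URL, while a bypassed host answers 200 straight from the application. The probe below is an added example, not code from this thread or from Authelia or NPM; `classify`, `probe`, `NoRedirect` and the example hostnames are names and values chosen for it, and the responses it is tested with are constructed.

```python
"""Runtime probe for an Authelia-fronted host: does a cookieless request get
redirected to the portal, or does it reach the application?  Added example,
not part of Authelia or Nginx Proxy Manager."""
from urllib import error, parse, request


class NoRedirect(request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, portal_host):
    """Map an HTTP status plus headers onto a verdict for a cookieless request.

    Returns (verdict, detail):
      protected          - 3xx to the Authelia portal; detail is the rd= return URL
      redirect-elsewhere - 3xx somewhere else (e.g. the app's own login page)
      denied-no-redirect - 401/403 with no portal redirect (error_page missing)
      bypassed           - 2xx straight from the application: the gate is off
      error              - anything else
    """
    location = headers.get("Location", "") if headers else ""
    if status in (301, 302, 303, 307, 308):
        parts = parse.urlsplit(location)
        if (parts.hostname or "").lower() == portal_host.lower():
            rd = parse.parse_qs(parts.query).get("rd", [""])[0]
            return ("protected", rd)
        return ("redirect-elsewhere", location)
    if status in (401, 403):
        return ("denied-no-redirect", "")
    if 200 <= status < 300:
        return ("bypassed", "")
    return ("error", str(status))


def probe(url, portal_host, timeout=10):
    """Fetch url once with no cookies and classify the response."""
    opener = request.build_opener(NoRedirect())
    req = request.Request(url, headers={"User-Agent": "authelia-gate-probe/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, portal_host)
    except error.HTTPError as exc:  # urllib raises for 3xx/4xx/5xx once redirects are disabled
        return classify(exc.code, exc.headers, portal_host)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://sonarr.example.net/ id.example.net
    verdict, detail = probe(sys.argv[1], sys.argv[2])
    print(verdict, detail)
    sys.exit(0 if verdict == "protected" else 1)
```

Running it from outside the LAN (as mytikasol did with a phone on LTE) also rules out a local-network bypass rule; a "bypassed" verdict from the outside is the signal that the `auth_request` gate is not being applied at all.
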
@Muwahhidun

Here are the right advanced settings for authelia and endpoint:
https://github.com/Muwahhidun/authelia/tree/main

I just tried replacing the authelia advanced config and endpoint advanced config (Apache Guacamole for the first test). I updated the files with my SERVERIP, CONTAINERNAME, and YOURDOMAIN as required. When testing via a private browser window, the Authelia verification is still bypassed completely. What can I provide for further troubleshooting?

Show your config file, and the user file.

@Muwahhidun

Here are the right advanced settings for authelia and endpoint:
https://github.com/Muwahhidun/authelia/tree/main

I just tried replacing the authelia advanced config and endpoint advanced config (Apache Guacamole for the first test). I updated the files with my SERVERIP, CONTAINERNAME, and YOURDOMAIN as required. When testing via a private browser window, the Authelia verification is still bypassed completely. What can I provide for further troubleshooting?

You can turn on the translator and try to follow this guide. Everything has to work properly.
https://myunraid.ru/install-authelia/

@mikedm139

What can I provide for further troubleshooting?

Show your config file, and the user file.

Here is my authelia config and my authelia users file. For the record, this installation of Authelia was working fine with the reverse proxy via LetsEncrypt/SWAG docker. I didn't change anything on the Authelia end of things when migrating over to NPM.

@Muwahhidun

What can I provide for further troubleshooting?

Show your config file, and the user file.

Here is my authelia config and my authelia users file. For the record, this installation of Authelia was working fine with the reverse proxy via LetsEncrypt/SWAG docker. I didn't change anything on the Authelia end of things when migrating over to NPM.

You have an error on line 20: "", not "authelia".

@Muwahhidun

What can I provide for further troubleshooting?

Show your config file, and the user file.

Here is my authelia config and my authelia users file. For the record, this installation of Authelia was working fine with the reverse proxy via LetsEncrypt/SWAG docker. I didn't change anything on the Authelia end of things when migrating over to NPM.

This is apparently a feature of NPM. In SWAG it is written "authelia", but with NPM+authelia there is a mistake, I do not know why. But if you clear it, putting "" on line 20, everything will work perfectly.

@Muwahhidun

Sorry for my English, I use a translator)))

@ibracorp
Collaborator

Thanks for your help here Muwahhidun, really appreciate your time.

@mikedm139

This is apparently a feature of NPM. In SWAG it is written "authelia", but with NPM+authelia there is a mistake, I do not know why. But if you clear it, putting "" on line 20, everything will work perfectly.

Success! You were correct. Replacing "authelia" with "" on line 20 of the authelia config fixed it. Thanks so much for your help!

@ibracorp
Collaborator

Great work guys

@ibracorp ibracorp removed their assignment Jun 5, 2021