[Support] IBRACORP - All images and files


Recommended Posts

35 minutes ago, obi-WAN-kenobi said:

Authelia log says: Access to https://APPNAME.DOMAIN.COM/(method GET) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://authelia.domain.com/?rd=https%3A%2F%2FAPPNAME&DOMAIN.COM%2F&rm=GET" method=GET path=/api/verify remote_ip=172.18.0.1 

Any solution for this?

Do you have a rule in Authelia that allows this access?

Link to comment
6 hours ago, Sycotix said:

Do you have a rule in Authelia that allows this access?

I should have had.. however I managed somehow to fix it :) but thank you for the fast reply. (Saying somehow because I`m newb with unraid ~4months so I cant explain sh!t xD, its all just magic)

Edited by obi-WAN-kenobi
Link to comment

I  have Authelia working and had no problem installing it. I followed the 2021 guide and it was pretty easy.

Currently, I am finetuning some part.

 

The NGINX Config - Endpoint shows 

set_real_ip_from 172.18.0.0/16;

set_real_ip_from 172.19.0.0/16;

 

The NGINX Config - Authelia shows

# If behind a reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.

set_real_ip_from 172.19.0.0/16;

 

In other guides, different IP ranges are postet. A few even post 3 or 4 ranges.

My understanding is, that only the docker network has to be postet and both files should have the same network. In my case, authelia is running in bridge mode

"bridge 172.17.0.20:9091/TCP192.168.1.64:9091" so I would enter 172.17.0.0/16 and 192.168.1.0/16 does not have to be posted anywhere.

Is my understanding right?

Thx

 

 

 

 

Link to comment
  • 3 weeks later...

Hi Sycotix, great tutorials mate!

I followed your Authelia tutorial but I cannot get it to start, i keep getting this error:

Quote

 

time="2022-02-26T16:26:36-05:00" level=info msg="Authelia v4.33.2 is starting"
time="2022-02-26T16:26:36-05:00" level=info msg="Log severity set to debug"
time="2022-02-26T16:26:36-05:00" level=fatal msg="Redis connection error: dial tcp 192.168.20.55:6379: connect: network is unreachable" stack="github.com/authelia/authelia/v4/internal/commands/helpers.go:67 getProviders\ngithub.com/authelia/authelia/v4/internal/commands/root.go:62 cmdRootRun\ngithub.com/spf13/cobra@v1.3.0/command.go:860 (*Command).execute\ngithub.com/spf13/cobra@v1.3.0/command.go:974 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.3.0/command.go:902 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\nruntime/proc.go:255 main\nruntime/asm_amd64.s:1581 goexit"

This is my Authelia config:

Quote

---
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

theme: dark
jwt_secret: "WnZr4-J"
default_redirection_url: https://xxx.xyz/

server:
  host: 0.0.0.0
  port: 9091
  path: ""
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""

log:
  level: debug

totp:
  issuer: xxx.xyz
  period: 30
  skew: 1

authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

access_control:
  default_policy: one_factor #deny
  rules:
    ## bypass rule
    - domain: 
        - "id.xxx.xyz"
      policy: bypass
#     ## bypass api / triggers
#     - domain: "*.xxx.xyz"
#       resources:
#         - "^/api([/?].*)?$"
#         - "^/identity.*$"
#         - "^/triggers.*$"
#         - "^/meshagents.*$"
#         - "^/meshsettings.*$"
#         - "^/agent.*$"
#         - "^/control.*$"
#         - "^/meshrelay.*$"
#         - "^/wl.*$"
#       policy: bypass
#     ## block admin
#     - domain: "bitwarden.xxx.xyz"
#       resources:
#         - "^*/admin.*$"
#       policy: one_factor
#     ## bypass rule
#     - domain:
#         - "bitwarden.xxx.xyz"
#       policy: bypass
#     ## two factor login - admin
#     - domain: 
#         - "proxy.xxx.xyz"
#         - "ipa.xxx.xyz"
#         - "opn.xxx.xyz"
#       subject: 
#         - "group:admins"
#       policy: two_factor
#     ## one factor login - moderators
#     - domain:
#         - "sonarr.xxx.xyz"
#         - "radarr.xxx.xyz"
#         - "nzbhydra.xxx.xyz"
#         - "sabnzbd.xxx.xyz"
#         - "torrent.xxx.xyz"
#         - "xxx.xyz"
#       subject: 
#         - "group:moderators"
#         - "group:admins"
#       policy: one_factor
#     ## one factor login - requesters
#     - domain:
#         - "petio.xxx.xyz"
#         - "overseerr.xxx.xyz"
#       subject: 
#         - "group:requesters"
#         - "group:admins"
#       policy: one_factor
#     ## one factor login - catch all 
#     - domain: "*.xxx.xyz"
#       subject: 
#         - "group:admins"
#       policy: one_factor

session:
  name: authelia_session
  domain: xxx.xyz
  same_site: lax
  secret: "8x/A?SgV"
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 2M
  redis:
    host: 192.168.20.55
    port: 6379
    password: "2^*ofs!%gyzh$brv4%z%s"
    database_index: 0
    maximum_active_connections: 20
    minimum_idle_connections: 2

regulation:
  max_retries: 3
  find_time: 10m
  ban_time: 12h

storage:
  encryption_key: "87hZRfxfxu9Aq7LPjmsWfPCtPnwkyn2UpB5Jdh9u6rZcV59WEMZ78MFV3FCAucGv"
  mysql:
    host: mariadb
    port: 3306
    database: authelia
    username: authelia
    password: "A8r99cZ%P@"
  
notifier:
  disable_startup_check: false
  smtp:
    username: web@hotmail.com
    password: vnucz
    host: smtp-mail.outlook.com
    port: 587
    sender: web@hotmail.com
    identifier: localhost
    subject: "[Authelia] {title}"
    startup_check_address: test@authelia.com
    disable_require_tls: false
    disable_html_emails: false
    tls:
      skip_verify: false
      minimum_version: TLS1.2
...

I tried changing the redis host to 'redis' and also to the unraid host ip, the .20.55 is a fixed IP I set on redis on my customer docker network.

Any idea what I'm doing wrong? why can't the Authelia container see the redis container?

Redis container is up and running on default port.

Authelia container is set to custom docker network as well.

Thanks!

 

EDIT: If I change the host to 'redis', this is what I get in the Authelia log:

Quote

time="2022-02-26T16:49:28-05:00" level=fatal msg="Redis connection error: dial tcp: lookup redis on 192.168.1.254:53: dial udp 192.168.1.254:53: connect: network is unreachable" stack="github.com/authelia/authelia/v4/internal/commands/helpers.go:67 getProviders\ngithub.com/authelia/authelia/v4/internal/commands/root.go:62 cmdRootRun\ngithub.com/spf13/cobra@v1.3.0/command.go:860 (*Command).execute\ngithub.com/spf13/cobra@v1.3.0/command.go:974 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.3.0/command.go:902 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\nruntime/proc.go:255 main\nruntime/asm_amd64.s:1581 goexit"

192.168.1.254 is my modem/default gateway, no idea how it got resolved to this IP.

When I go to other containers and I try to ping 'redis', I get the correct custom network IP of redis .20.55.

Edited by shpitz461
Link to comment

Anyone have issues installing freeIPA at all? I'm trying to get that set up with Fedora 35 so I can use that with authelia. Followed all the steps on Ibracorp's video but when I try to access the ipa.domain.com it just goes to a blank page on the first load. 

 

No errors show up in the browser dev tools and I can't see any errors in Fedora for the last steps of the FreeIPA install, says it installed successfully.

EDIT: Figured out it was a NGINX config issue

Edited by chanrc
Link to comment

I got Authelia and two factor working for logins, but I'm having issues when setting a new password from the password reset email that Authelia sends out The email that authelia sends out for the password reset link seem and goes to the right reset page, but clicking to execute the password change  I get a couple of errors when authelia tries to set a new password with the LDAP server in the logs: 

 

time="2022-03-03T18:38:59-07:00" level=error msg="Token is not in DB, it might have already been used" method=POST path=/api/reset-password/identity/finish remote_ip=ip stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:61 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/middlewares/identity_verification.go:188 IdentityVerificationFinish.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.5/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:21 StripPathMiddleware.func1\ngithub.com/valyala/fasthttp@v1.32.0/server.go:2298 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.32.0/workerpool.go:223 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.32.0/workerpool.go:195 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

time="2022-03-03T18:39:02-07:00" level=error msg="unable to update password. Cause: LDAP Result Code 13 \"Confidentiality Required\": Operation requires a secure connection.\n" method=POST path=/api/reset-password remote_ip=ip stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:61 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:38 ResetPasswordPost\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.5/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:21 StripPathMiddleware.func1\ngithub.com/valyala/fasthttp@v1.32.0/server.go:2298 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.32.0/workerpool.go:223 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.32.0/workerpool.go:195 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

 

It seems like LDAP is requiring some kind of secure connection for the password reset from Authelia, but in the configuration.yml, I specified an ldap:// and not ldaps://. Is this cuz of the tls section in the ibracorp template? I just used the templated and change the domain and added a password. Other than that I am using the default linuxserver.io authelia-location/authelia-server.conf which seems to line up with Ibracorps settings aside from the rules for email. Do I need to use ldaps instead? My nextcloud uses ldap password reset without ldaps and its working correctly there.

server:
  host: 0.0.0.0
  port: 9091
  path: "authelia"
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""

log:
  level: info

authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  ldap:
    implementation: custom
    url: ldap://192.168.1.180
    start_tls: false
    tls:
      skip_verify: false
      minimum_version: TLS1.2
    base_dn: dc=domain,dc=com
    username_attribute: uid
    additional_users_dn: cn=users,cn=accounts
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: cn=groups,cn=accounts
    groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=domain,dc=com)(objectclass=groupofnames))
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: givenName
    user: uid=admin,cn=users,cn=accounts,dc=domain,dc=com
    password: "password"

 

EDIT: Defining a /certificates_directory in my configuration.yaml which had my LDAP servers self-signed cert and changing to use LDAPS solved my issues. LDAP only allows edits to passwords securely. 

Edited by chanrc
Link to comment
  • 2 weeks later...

Has anyone ever seen this before? It has stumped me for a couple days now:

 

image.thumb.png.1f9e8ec31135e21723939197db430ed4.png

 

time="2022-03-13T09:26:36-07:00" level=error msg="Scheme of target URL //synoscgi.sock/socket.io/?SynoToken=undefined&UserType=guest&EIO=3&transport=polling&t=N-46b_W must be secure since cookies are only transported over a secure connection for security reasons" method=HEAD path=/api/verify remote_ip=147.185.124.196 stack="github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:459 VerifyGet.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.6/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/valyala/fasthttp@v1.34.0/server.go:2341 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

 

I know it is a configuration type of thing and not the actual docker, but I was hoping for any kind of additional clues at all :)

Link to comment

I have haproxy on pfsense and am trying to setup Authelia. It is a real bear to get to work.

 

I've been following this: https://github.com/authelia/authelia/issues/2696

 

I know I'm extremely close to having it work. I attempted this about a year or more ago and couldn't get it. I came across the above post a few days ago and thought I would give it another "whack"

Edited by live4soccer7
Link to comment

Wierd one.. my brain cant fix

 

Setup is authelia/NPM/cloudflared combo

 

I can access subdomains through authelia within my network but if I attempt to access a subdomain remotely I will hit the authelia login page no problem

 

 time="2022-03-13T20:16:23-07:00" level=info msg="Authelia v4.34.4 is starting"
time="2022-03-13T20:16:23-07:00" level=info msg="Log severity set to info"
time="2022-03-13T20:16:23-07:00" level=info msg="Storage schema is being checked for updates"
time="2022-03-13T20:16:23-07:00" level=info msg="Storage schema is already up to date"
time="2022-03-13T20:16:27-07:00" level=info msg="Listening for non-TLS connections on '0.0.0.0:9091' path '/'"
time="2022-03-13T20:17:39-07:00" level=info msg="Access to https://ibracorp.givesmewood.com/ (method unknown) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=insert ip here

 

and when i attempt login deets it throws a invalid creds error on the authelia login page. Same deets work internally

 

time="2022-03-13T20:26:14-07:00" level=error msg="Unsuccessful 1FA authentication attempt by user 'munted ': user not found" method=POST path=/api/firstfactor remote_ip=insert IP here stack="github.com/authelia/authelia/v4/internal/handlers/response.go:177 markAuthenticationAttempt\ngithub.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go:52 FirstFactorPost.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.6/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/valyala/fasthttp@v1.34.0/server.go:2341 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

 

Any ideas what part of my config I sould be looking at? Im stumped

cheers


EDIT- Fixed it.  In my situation, the wildcard subdomain in the authelia config as per guide was giving me a bunch of user errors.

## catch-all

- domain: "*.givesmewood.com"

subject:

- "group:admins"

policy: one_factor

 

I swapped out the wildcard and manually added subdomains and all is workinhg great.

Edited by grudge
Link to comment
  • 4 weeks later...

Hello, I have Authelia and Freeipa working nicely, the only thing I can't seem to work out is what would be the best way to handle password resets? Most of my users will be outside the network so will have to come through authelia to authenticate, but although the forgot password option on authelia seems to send out a reset request to their email address the logs show this then a reset is tried:

 

Quote

time="2022-04-08T12:06:44+01:00" level=error msg="unable to update password. Cause: LDAP Result Code 13 \"Confidentiality Required\": Operation requires a secure connection.\n" method=POST path=/api/reset-password remote_ip=172.16.99.1 stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:81 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:38 ResetPasswordPost\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:53 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.4.7/router.go:414 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.34.0/http.go:153 (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.34.0/server.go:2341 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.34.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1571 goexit"

 
Is it possible to reset an LDAP password through Authelia?

 

EDIT: Ignore that, had to change from ldap to ldaps in the configuration.yml

Edited by Camnomis
Link to comment
  • 1 month later...

Hi All - great content and video! I am having an issue after authenticating with authelia for my app that says 403 forbidden.

 

Also, if I try to go to IP:9091 I get a Cloudflare Error 502 at my domain name (Host error, the web server reported a bad gateway error)

 

Here is the error in the logs (removed domain name)

time="2022-06-02T11:41:41-04:00" level=info msg="Access to https://photoprism.domain.com/ is forbidden to user Magic" method=GET path=/api/verify remote_ip=172.17.0.1

 

Here is my access control policy:

access_control:
  default_policy: deny
  rules:
    ## bypass rule
    - domain: 
        - "auth.domain.com"
      policy: bypass
    ## catch-all
    - domain: "*.domain.com"
      subject: 
        - "group:admins"
      policy: one_factor

 

Here is my user config (removed sensitive information):

users:
  Magic:
    displayname: "Magic"
    password: ""
    email: ""
    groups:
      - admins
      - user

 

 

As I mentioned, I can click the photoprism.domain.com link in NGINX proxy manager and it does redirect me to authelia in which I can authenticate/login and upon redirecting me to the photoprism.domain.com is when I get 403 forbidden and the above error in the log file.

 

Any help is much appreciated!

Link to comment
  • 2 weeks later...

Hello, 

 

I succeeded in the Authelia configuration thanks to the Ibracorp guide.

There is one thing I don't understand.

 

When I call my.domain.com from my local network, everything is ok I can enter my Authelia login password.

1. If I try the same thing from a network outside my Lan, then the user password is refused and banned.

 

2. Then I notice that Authelia bans the user but there is no known way that I know of to unban.

 

Can someone help me if only for point 1 ?

Link to comment

Has anyone successfully configured crowdsec with their reverse proxy to parse through nextcloud logs and block suspicious nextcloud login attempts.

 

I've followed these guides to setup crowdsec for swag(nginx) to work with authelia and vaultwarden:

 

However, I'd like to also have the crowdsec agent and my nginx swag bouncer block malicious nextcloud logins. The current IBRACORP solution doesn't seem clear to me. I'd rather know which logs to parse from the nextcloud appdata folder and which collections to use in crowdsec. Or is nextcloud in of itself it's own nginx and I just need to parse the nextcloud internal nginx logs?

 

 

Edited by bigbangus
Link to comment
  • 3 weeks later...

Looks like a recent update has broke something in the configuration.yml, when I try to start Authelia I get the following error message

 

Quote

level=warning msg="Configuration: configuration key 'authentication_backend.disable_reset_password' is deprecated in 4.36.0 and has been replaced by 'authentication_backend.password_reset.disable': this has been automatically mapped for you but you will need to adjust your configuration to remove this message"

 

Has anyone else looked at this yet, or do I need to dive into the change logs

Link to comment
  • 1 month later...

I have been trying to setup Authentik following the video posted by Ibracorp:

 

However I am getting the following issues using this config (nginx_advanced) where I replaced the proxy_pass on ~line 30 with my serverIP:9000 and replaced ~line 53 with my auth.domain.com... url.
Once setup, my app.domain.com gets the advanced config, and ends up resolving to the wrong port. Meaning it ends up at app.domain.com:4443 which is my nginxproxymanger internal docker port. Nowhere is Authentik setup to re-direct to that port. Else, deviations from this setup, or replacing proxy_pass at ~line 9 creates server error 500.

NPM_Docker.jpg.87ace8e53fb6f1bbc0c63e931a64ff6a.jpg

authentik_docker.jpg.db79e093cd2911f1766e47985e7f08b1.jpg

URL.jpg.5604c784286aae35d76577e299e35ca5.jpg

 

Unsure if related, Authentik shows my Outpost integration as unhealthy, even though I am pointing it to unix:///var/run/docker.sock as noted in the environment variable and documentation. Would this be causing my bad re-direct?

718428231_outpostintegration.thumb.jpg.430fc1cdb134a7a9993262465fc200b5.jpg

 

 

Anyone willing to help me set this up?

 

Also why was npm added to npm in the video?

Applicatrions.jpg

Authentik_Docker_ENv.jpg

NPM.jpg

Outpost.jpg

Providers.jpg

nginx_advanced.txt

Link to comment

i dont know if you figured out the answer yet, but for me it was just to add this before location in the advanced config in NPM

 

port_in_redirect off;

 

It will look like this 

 

# Increase buffer size for large headers

# This is needed only if you get 'upstream sent too big header while reading response

# header from upstream' error when trying to access an application protected by goauthentik

proxy_buffers 8 16k;

proxy_buffer_size 32k;

port_in_redirect off;

location / {

# Put your proxy_pass to your application here

proxy_pass $forward_scheme://$server:$port;

# authentik-specific config

auth_request /outpost.goauthentik.io/auth/nginx;

error_page 401 = @goauthentik_proxy_signin;

auth_request_set $auth_cookie $upstream_http_set_cookie;

add_header Set-Cookie $auth_cookie;

# translate headers from the outposts back to the actual upstream

auth_request_set $authentik_username $upstream_http_x_authentik_username;

auth_request_set $authentik_groups $upstream_http_x_authentik_groups;

auth_request_set $authentik_email $upstream_http_x_authentik_email;

auth_request_set $authentik_name $upstream_http_x_authentik_name;

auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

proxy_set_header X-authentik-username $authentik_username;

proxy_set_header X-authentik-groups $authentik_groups;

proxy_set_header X-authentik-email $authentik_email;

proxy_set_header X-authentik-name $authentik_name;

proxy_set_header X-authentik-uid $authentik_uid;

}

# all requests to /outpost.goauthentik.io must be accessible without authentication

location /outpost.goauthentik.io {

proxy_pass http://outpost.company:9000/outpost.goauthentik.io;

# ensure the host of this vserver matches your external URL you've configured

# in authentik

proxy_set_header Host $host;

proxy_set_header X-Original-URL $scheme://$http_host$request_uri;

add_header Set-Cookie $auth_cookie;

auth_request_set $auth_cookie $upstream_http_set_cookie;

# required for POST requests to work

proxy_pass_request_body off;

proxy_set_header Content-Length "";

}

# Special location for when the /auth endpoint returns a 401,

# redirect to the /start URL which initiates SSO

location @goauthentik_proxy_signin {

internal;

add_header Set-Cookie $auth_cookie;

return 302 /outpost.goauthentik.io/start?rd=$request_uri;

# For domain level, use the below error_page to redirect to your authentik server with the full redirect path

# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;

}

 

Link to comment
  • 3 weeks later...
On 2/26/2022 at 2:34 PM, shpitz461 said:

Hi Sycotix, great tutorials mate!

I followed your Authelia tutorial but I cannot get it to start, i keep getting this error:

This is my Authelia config:

I tried changing the redis host to 'redis' and also to the unraid host ip, the .20.55 is a fixed IP I set on redis on my customer docker network.

Any idea what I'm doing wrong? why can't the Authelia container see the redis container?

Redis container is up and running on default port.

Authelia container is set to custom docker network as well.

Thanks!

 

EDIT: If I change the host to 'redis', this is what I get in the Authelia log:

192.168.1.254 is my modem/default gateway, no idea how it got resolved to this IP.

When I go to other containers and I try to ping 'redis', I get the correct custom network IP of redis .20.55.

Did you figure out the issue here? Mine is doing the same thing.

Link to comment
On 8/16/2022 at 4:19 PM, Rabbithacker921 said:

i dont know if you figured out the answer yet, but for me it was just to add this before location in the advanced config in NPM

 

port_in_redirect off;

 

It will look like this 

 

# Increase buffer size for large headers

# This is needed only if you get 'upstream sent too big header while reading response

# header from upstream' error when trying to access an application protected by goauthentik

proxy_buffers 8 16k;

proxy_buffer_size 32k;

port_in_redirect off;

location / {

# Put your proxy_pass to your application here

proxy_pass $forward_scheme://$server:$port;

# authentik-specific config

auth_request /outpost.goauthentik.io/auth/nginx;

error_page 401 = @goauthentik_proxy_signin;

auth_request_set $auth_cookie $upstream_http_set_cookie;

add_header Set-Cookie $auth_cookie;

# translate headers from the outposts back to the actual upstream

auth_request_set $authentik_username $upstream_http_x_authentik_username;

auth_request_set $authentik_groups $upstream_http_x_authentik_groups;

auth_request_set $authentik_email $upstream_http_x_authentik_email;

auth_request_set $authentik_name $upstream_http_x_authentik_name;

auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

proxy_set_header X-authentik-username $authentik_username;

proxy_set_header X-authentik-groups $authentik_groups;

proxy_set_header X-authentik-email $authentik_email;

proxy_set_header X-authentik-name $authentik_name;

proxy_set_header X-authentik-uid $authentik_uid;

}

# all requests to /outpost.goauthentik.io must be accessible without authentication

location /outpost.goauthentik.io {

proxy_pass http://outpost.company:9000/outpost.goauthentik.io;

# ensure the host of this vserver matches your external URL you've configured

# in authentik

proxy_set_header Host $host;

proxy_set_header X-Original-URL $scheme://$http_host$request_uri;

add_header Set-Cookie $auth_cookie;

auth_request_set $auth_cookie $upstream_http_set_cookie;

# required for POST requests to work

proxy_pass_request_body off;

proxy_set_header Content-Length "";

}

# Special location for when the /auth endpoint returns a 401,

# redirect to the /start URL which initiates SSO

location @goauthentik_proxy_signin {

internal;

add_header Set-Cookie $auth_cookie;

return 302 /outpost.goauthentik.io/start?rd=$request_uri;

# For domain level, use the below error_page to redirect to your authentik server with the full redirect path

# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;

}

 

You sir, deserve a medal.

Link to comment
  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.