obi-WAN-kenobi Posted February 7, 2022

Authelia log says:

    Access to https://APPNAME.DOMAIN.COM/(method GET) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://authelia.domain.com/?rd=https%3A%2F%2FAPPNAME&DOMAIN.COM%2F&rm=GET" method=GET path=/api/verify remote_ip=172.18.0.1

Any solution for this?
Sycotix (thread author) Posted February 7, 2022

35 minutes ago, obi-WAN-kenobi said:
    Authelia log says: Access to https://APPNAME.DOMAIN.COM/(method GET) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://authelia.domain.com/?rd=https%3A%2F%2FAPPNAME&DOMAIN.COM%2F&rm=GET" method=GET path=/api/verify remote_ip=172.18.0.1
    Any solution for this?

Do you have a rule in Authelia that allows this access?
obi-WAN-kenobi Posted February 7, 2022 (edited)

6 hours ago, Sycotix said:
    Do you have a rule in Authelia that allows this access?

I should have had.. however I managed somehow to fix it, but thank you for the fast reply. (Saying "somehow" because I'm a newb with unraid, ~4 months, so I can't explain sh!t xD, it's all just magic.)

Edited February 7, 2022 by obi-WAN-kenobi
sylus Posted February 10, 2022

I have Authelia working and had no problem installing it. I followed the 2021 guide and it was pretty easy. Currently, I am fine-tuning some parts.

The NGINX Config - Endpoint shows:

    set_real_ip_from 172.18.0.0/16;
    set_real_ip_from 172.19.0.0/16;

The NGINX Config - Authelia shows:

    # If behind a reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
    set_real_ip_from 172.19.0.0/16;

In other guides, different IP ranges are posted. A few even post 3 or 4 ranges. My understanding is that only the docker network has to be posted and both files should have the same network. In my case, authelia is running in bridge mode ("bridge 172.17.0.20:9091/TCP 192.168.1.64:9091"), so I would enter 172.17.0.0/16 and 192.168.1.0/16 does not have to be posted anywhere. Is my understanding right? Thx
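The logic that those set_real_ip_from lines configure, re-implemented in Python as an added example (not code from the guide, the thread or nginx): nginx only honours X-Forwarded-For when the TCP peer is inside a trusted range, and with real_ip_recursive on it walks the header from the right, skipping trusted hops. It assumes real_ip_header X-Forwarded-For and real_ip_recursive on, which the snippets above do not show. The demo also shows why the list should be the Docker network the proxy actually connects from and nothing wider: trusting everything lets any direct client choose the address Authelia logs and rate-limits on.

```python
import ipaddress

# Ranges from the two snippets above, plus an over-broad one for comparison.
ENDPOINT_RANGES = ["172.18.0.0/16", "172.19.0.0/16"]
EVERYTHING = ["0.0.0.0/0"]


def trusted_networks(cidrs):
    """Parse set_real_ip_from values (CIDR or single address) into networks."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def real_ip(peer, xff, nets, recursive=True):
    """Address nginx would expose as $remote_addr (and Authelia log as remote_ip).

    peer: source address of the TCP connection nginx accepted.
    xff:  value of the X-Forwarded-For header, or None.
    Follows ngx_http_realip_module: the header is ignored unless the peer is
    trusted; with real_ip_recursive on, trusted hops are stripped from the
    right until an untrusted address is found (if every hop is trusted the
    leftmost one is used); with it off, only the last hop is taken.
    """
    if not is_trusted(peer, nets):
        return peer
    chain = [a.strip() for a in xff.split(",") if a.strip()] if xff else []
    if not chain:
        return peer
    if not recursive:
        return chain[-1]
    for addr in reversed(chain):
        if not is_trusted(addr, nets):
            return addr
    return chain[0]


def demo():
    """Constructed scenarios (addresses are documentation ranges, not real hosts)."""
    nets = trusted_networks(ENDPOINT_RANGES)
    return {
        # Proxy container on the Docker network forwards a real client: header honoured.
        "honoured": real_ip("172.18.0.1", "198.51.100.23", nets),
        # Docker network not trusted: Authelia would log the Docker gateway itself.
        "untrusted": real_ip("172.18.0.1", "198.51.100.23", trusted_networks([])),
        # Everything trusted: a direct client can pick any address it likes.
        "spoofed": real_ip("203.0.113.9", "10.0.0.1", trusted_networks(EVERYTHING)),
        # Narrow range: the same forged header from a direct client is ignored.
        "kept_peer": real_ip("203.0.113.9", "10.0.0.1", nets),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr}")
```

Run it with a different ENDPOINT_RANGES to see which remote_ip Authelia would end up logging for your own proxy network.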
shpitz461 Posted February 26, 2022 (edited)

Hi Sycotix, great tutorials mate! I followed your Authelia tutorial but I cannot get it to start, I keep getting this error:

    time="2022-02-26T16:26:36-05:00" level=info msg="Authelia v4.33.2 is starting"
    time="2022-02-26T16:26:36-05:00" level=info msg="Log severity set to debug"
    time="2022-02-26T16:26:36-05:00" level=fatal msg="Redis connection error: dial tcp 192.168.20.55:6379: connect: network is unreachable" stack="github.com/authelia/authelia/v4/internal/commands/helpers.go:67 getProviders\ngithub.com/authelia/authelia/v4/internal/commands/root.go:62 cmdRootRun\ngithub.com/spf13/[email protected]/command.go:860 (*Command).execute\ngithub.com/spf13/[email protected]/command.go:974 (*Command).ExecuteC\ngithub.com/spf13/[email protected]/command.go:902 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\nruntime/proc.go:255 main\nruntime/asm_amd64.s:1581 goexit"

This is my Authelia config:

    ---
    ###############################################################################
    #                           Authelia Configuration                            #
    ###############################################################################

    theme: dark
    jwt_secret: "WnZr4-J"
    default_redirection_url: https://xxx.xyz/

    server:
      host: 0.0.0.0
      port: 9091
      path: ""
      read_buffer_size: 4096
      write_buffer_size: 4096
      enable_pprof: false
      enable_expvars: false
      disable_healthcheck: false
      tls:
        key: ""
        certificate: ""

    log:
      level: debug

    totp:
      issuer: xxx.xyz
      period: 30
      skew: 1

    authentication_backend:
      disable_reset_password: false
      refresh_interval: 5m
      file:
        path: /config/users_database.yml
        password:
          algorithm: argon2id
          iterations: 1
          key_length: 32
          salt_length: 16
          memory: 1024
          parallelism: 8

    access_control:
      default_policy: one_factor #deny
      rules:
        ## bypass rule
        - domain:
            - "id.xxx.xyz"
          policy: bypass
        # ## bypass api / triggers
        # - domain: "*.xxx.xyz"
        #   resources:
        #     - "^/api([/?].*)?$"
        #     - "^/identity.*$"
        #     - "^/triggers.*$"
        #     - "^/meshagents.*$"
        #     - "^/meshsettings.*$"
        #     - "^/agent.*$"
        #     - "^/control.*$"
        #     - "^/meshrelay.*$"
        #     - "^/wl.*$"
        #   policy: bypass
        # ## block admin
        # - domain: "bitwarden.xxx.xyz"
        #   resources:
        #     - "^*/admin.*$"
        #   policy: one_factor
        # ## bypass rule
        # - domain:
        #     - "bitwarden.xxx.xyz"
        #   policy: bypass
        # ## two factor login - admin
        # - domain:
        #     - "proxy.xxx.xyz"
        #     - "ipa.xxx.xyz"
        #     - "opn.xxx.xyz"
        #   subject:
        #     - "group:admins"
        #   policy: two_factor
        # ## one factor login - moderators
        # - domain:
        #     - "sonarr.xxx.xyz"
        #     - "radarr.xxx.xyz"
        #     - "nzbhydra.xxx.xyz"
        #     - "sabnzbd.xxx.xyz"
        #     - "torrent.xxx.xyz"
        #     - "xxx.xyz"
        #   subject:
        #     - "group:moderators"
        #     - "group:admins"
        #   policy: one_factor
        # ## one factor login - requesters
        # - domain:
        #     - "petio.xxx.xyz"
        #     - "overseerr.xxx.xyz"
        #   subject:
        #     - "group:requesters"
        #     - "group:admins"
        #   policy: one_factor
        # ## one factor login - catch all
        # - domain: "*.xxx.xyz"
        #   subject:
        #     - "group:admins"
        #   policy: one_factor

    session:
      name: authelia_session
      domain: xxx.xyz
      same_site: lax
      secret: "8x/A?SgV"
      expiration: 1h
      inactivity: 5m
      remember_me_duration: 2M
      redis:
        host: 192.168.20.55
        port: 6379
        password: "2^*ofs!%gyzh$brv4%z%s"
        database_index: 0
        maximum_active_connections: 20
        minimum_idle_connections: 2

    regulation:
      max_retries: 3
      find_time: 10m
      ban_time: 12h

    storage:
      encryption_key: "87hZRfxfxu9Aq7LPjmsWfPCtPnwkyn2UpB5Jdh9u6rZcV59WEMZ78MFV3FCAucGv"
      mysql:
        host: mariadb
        port: 3306
        database: authelia
        username: authelia
        password: "A8r99cZ%[email protected]"

    notifier:
      disable_startup_check: false
      smtp:
        username: [email protected]
        password: vnucz
        host: smtp-mail.outlook.com
        port: 587
        sender: [email protected]
        identifier: localhost
        subject: "[Authelia] {title}"
        startup_check_address: [email protected]
        disable_require_tls: false
        disable_html_emails: false
        tls:
          skip_verify: false
          minimum_version: TLS1.2
    ...
I tried changing the redis host to 'redis' and also to the unraid host IP; the .20.55 is a fixed IP I set on redis on my custom docker network. Any idea what I'm doing wrong? Why can't the Authelia container see the redis container? The Redis container is up and running on the default port. The Authelia container is set to the custom docker network as well. Thanks!

EDIT: If I change the host to 'redis', this is what I get in the Authelia log:

    time="2022-02-26T16:49:28-05:00" level=fatal msg="Redis connection error: dial tcp: lookup redis on 192.168.1.254:53: dial udp 192.168.1.254:53: connect: network is unreachable" stack="github.com/authelia/authelia/v4/internal/commands/helpers.go:67 getProviders\ngithub.com/authelia/authelia/v4/internal/commands/root.go:62 cmdRootRun\ngithub.com/spf13/[email protected]/command.go:860 (*Command).execute\ngithub.com/spf13/[email protected]/command.go:974 (*Command).ExecuteC\ngithub.com/spf13/[email protected]/command.go:902 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\nruntime/proc.go:255 main\nruntime/asm_amd64.s:1581 goexit"

192.168.1.254 is my modem/default gateway, no idea how it got resolved to this IP. When I go to other containers and I try to ping 'redis', I get the correct custom network IP of redis, .20.55.

Edited February 26, 2022 by shpitz461
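The two fatal lines above fail at different stages: the first cannot route to 192.168.20.55 at all, the second cannot even reach the resolver it was handed (192.168.1.254). A small diagnostic, added here as an example rather than anything from Authelia or the guide, separates those stages and shows which nameserver the container was actually given, since a container on a user-defined Docker network normally gets Docker's embedded DNS at 127.0.0.11 in /etc/resolv.conf, which is what resolves container names such as 'redis'. It assumes nothing about the thread's hosts; the resolv.conf text in the block is constructed.

```python
import errno
import socket

# Constructed sample of what /etc/resolv.conf looks like inside a container
# attached to a user-defined Docker network (embedded DNS at 127.0.0.11).
SAMPLE_RESOLV_CONF = "# Generated by Docker Engine\nnameserver 127.0.0.11\noptions ndots:0\n"


def nameservers(resolv_conf_text):
    """Return the nameserver entries Go's resolver (used by Authelia) would query."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def diagnose_tcp(host, port, timeout=3.0):
    """Classify a connection attempt to host:port.

    'dns'         -> name lookup failed (the 'lookup redis on ...:53' case)
    'unreachable' -> no route to the address (the 'network is unreachable' case)
    'refused'     -> host reached, nothing listening on the port
    'timeout'     -> packets dropped, typically a firewall
    'ok'          -> TCP handshake completed
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "ok"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        return "error"
    finally:
        sock.close()


def main():
    # Run this inside the Authelia container (e.g. with docker exec) to see
    # the resolver it was given and how far the Redis connection gets.
    try:
        with open("/etc/resolv.conf") as fh:
            print("nameservers:", nameservers(fh.read()))
    except OSError:
        print("nameservers: (could not read /etc/resolv.conf)")
    for host in ("redis", "192.168.20.55"):
        print(f"{host}:6379 -> {diagnose_tcp(host, 6379)}")


if __name__ == "__main__":
    main()
```

A resolver other than 127.0.0.11 in the output is a strong hint that the container is not actually attached to the custom network (or has its DNS overridden), which is consistent with the second log line going to the LAN gateway.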
chanrc Posted March 1, 2022 (edited)

Anyone have issues installing FreeIPA at all? I'm trying to get that set up with Fedora 35 so I can use that with authelia. Followed all the steps on Ibracorp's video, but when I try to access ipa.domain.com it just goes to a blank page on the first load. No errors show up in the browser dev tools and I can't see any errors in Fedora for the last steps of the FreeIPA install; it says it installed successfully.

EDIT: Figured out it was a NGINX config issue.

Edited March 2, 2022 by chanrc
chanrc Posted March 4, 2022 (edited)

I got Authelia and two factor working for logins, but I'm having issues when setting a new password from the password reset email that Authelia sends out. The email that Authelia sends out for the password reset link seems fine and goes to the right reset page, but clicking to execute the password change I get a couple of errors in the logs when Authelia tries to set a new password with the LDAP server:

    time="2022-03-03T18:38:59-07:00" level=error msg="Token is not in DB, it might have already been used" method=POST path=/api/reset-password/identity/finish remote_ip=ip stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:61 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/middlewares/identity_verification.go:188 IdentityVerificationFinish.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:21 StripPathMiddleware.func1\ngithub.com/valyala/[email protected]/server.go:2298 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:223 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:195 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"
    time="2022-03-03T18:39:02-07:00" level=error msg="unable to update password. Cause: LDAP Result Code 13 \"Confidentiality Required\": Operation requires a secure connection.\n" method=POST path=/api/reset-password remote_ip=ip stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:61 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:38 ResetPasswordPost\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:21 StripPathMiddleware.func1\ngithub.com/valyala/[email protected]/server.go:2298 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:223 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:195 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

It seems like LDAP is requiring some kind of secure connection for the password reset from Authelia, but in the configuration.yml I specified ldap:// and not ldaps://. Is this because of the tls section in the Ibracorp template? I just used the template and changed the domain and added a password. Other than that I am using the default linuxserver.io authelia-location/authelia-server.conf, which seems to line up with Ibracorp's settings aside from the rules for email. Do I need to use ldaps instead? My Nextcloud uses LDAP password reset without ldaps and it's working correctly there.
    server:
      host: 0.0.0.0
      port: 9091
      path: "authelia"
      read_buffer_size: 4096
      write_buffer_size: 4096
      enable_pprof: false
      enable_expvars: false
      disable_healthcheck: false
      tls:
        key: ""
        certificate: ""

    log:
      level: info

    authentication_backend:
      disable_reset_password: false
      refresh_interval: 5m
      ldap:
        implementation: custom
        url: ldap://192.168.1.180
        start_tls: false
        tls:
          skip_verify: false
          minimum_version: TLS1.2
        base_dn: dc=domain,dc=com
        username_attribute: uid
        additional_users_dn: cn=users,cn=accounts
        users_filter: (&({username_attribute}={input})(objectClass=person))
        additional_groups_dn: cn=groups,cn=accounts
        groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=domain,dc=com)(objectclass=groupofnames))
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: givenName
        user: uid=admin,cn=users,cn=accounts,dc=domain,dc=com
        password: "password"

EDIT: Defining a /certificates_directory in my configuration.yaml which had my LDAP server's self-signed cert, and changing to use LDAPS, solved my issues. LDAP only allows edits to passwords securely.

Edited March 5, 2022 by chanrc
live4soccer7 Posted March 13, 2022

Has anyone ever seen this before? It has stumped me for a couple of days now:

    time="2022-03-13T09:26:36-07:00" level=error msg="Scheme of target URL //synoscgi.sock/socket.io/?SynoToken=undefined&UserType=guest&EIO=3&transport=polling&t=N-46b_W must be secure since cookies are only transported over a secure connection for security reasons" method=HEAD path=/api/verify remote_ip=147.185.124.196 stack="github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:459 VerifyGet.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/valyala/[email protected]/server.go:2341 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

I know it is a configuration type of thing and not the actual docker, but I was hoping for any kind of additional clues at all.
shpitz461 Posted March 13, 2022

No clue, but if this is something that started recently, try to revert the changes you've done and see if it goes away. Another approach is to revert the config file to its origin and then start adding to it and test each time.
live4soccer7 Posted March 13, 2022 (edited)

I have haproxy on pfsense and am trying to set up Authelia. It is a real bear to get to work. I've been following this: https://github.com/authelia/authelia/issues/2696

I know I'm extremely close to having it work. I attempted this about a year or more ago and couldn't get it. I came across the above post a few days ago and thought I would give it another "whack".

Edited March 13, 2022 by live4soccer7
grudge Posted March 14, 2022 (edited)

Weird one.. my brain can't fix it. Setup is an authelia/NPM/cloudflared combo. I can access subdomains through authelia within my network, but if I attempt to access a subdomain remotely I will hit the authelia login page no problem:

    time="2022-03-13T20:16:23-07:00" level=info msg="Authelia v4.34.4 is starting"
    time="2022-03-13T20:16:23-07:00" level=info msg="Log severity set to info"
    time="2022-03-13T20:16:23-07:00" level=info msg="Storage schema is being checked for updates"
    time="2022-03-13T20:16:23-07:00" level=info msg="Storage schema is already up to date"
    time="2022-03-13T20:16:27-07:00" level=info msg="Listening for non-TLS connections on '0.0.0.0:9091' path '/'"
    time="2022-03-13T20:17:39-07:00" level=info msg="Access to https://ibracorp.givesmewood.com/ (method unknown) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=insert ip here

and when I attempt login deets it throws an invalid creds error on the authelia login page. Same deets work internally.

    time="2022-03-13T20:26:14-07:00" level=error msg="Unsuccessful 1FA authentication attempt by user 'munted ': user not found" method=POST path=/api/firstfactor remote_ip=insert IP here stack="github.com/authelia/authelia/v4/internal/handlers/response.go:177 markAuthenticationAttempt\ngithub.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go:52 FirstFactorPost.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:52 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:414 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 LogRequestMiddleware.func1\ngithub.com/valyala/[email protected]/server.go:2341 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1581 goexit"

Any ideas what part of my config I should be looking at? I'm stumped. Cheers

EDIT - Fixed it. In my situation, the wildcard subdomain in the authelia config as per the guide was giving me a bunch of user errors.

    ## catch-all
    - domain: "*.givesmewood.com"
      subject:
        - "group:admins"
      policy: one_factor

I swapped out the wildcard and manually added subdomains and all is working great.

Edited March 17, 2022 by grudge
Camnomis Posted April 8, 2022 (edited)

Hello, I have Authelia and FreeIPA working nicely. The only thing I can't seem to work out is what would be the best way to handle password resets. Most of my users will be outside the network so will have to come through authelia to authenticate, but although the forgot password option on authelia seems to send out a reset request to their email address, the logs show this when a reset is tried:

    time="2022-04-08T12:06:44+01:00" level=error msg="unable to update password. Cause: LDAP Result Code 13 \"Confidentiality Required\": Operation requires a secure connection.\n" method=POST path=/api/reset-password remote_ip=172.16.99.1 stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:81 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:38 ResetPasswordPost\ngithub.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:53 AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:414 (*Router).Handler\ngithub.com/valyala/[email protected]/http.go:153 (*Response).StatusCode\ngithub.com/valyala/[email protected]/server.go:2341 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1571 goexit"

Is it possible to reset an LDAP password through Authelia?

EDIT: Ignore that, had to change from ldap to ldaps in the configuration.yml.

Edited April 8, 2022 by Camnomis
mag1c Posted June 2, 2022

Hi All - great content and video! I am having an issue after authenticating with authelia for my app that says 403 forbidden. Also, if I try to go to IP:9091 I get a Cloudflare Error 502 at my domain name (Host error, the web server reported a bad gateway error).

Here is the error in the logs (removed domain name):

    time="2022-06-02T11:41:41-04:00" level=info msg="Access to https://photoprism.domain.com/ is forbidden to user Magic" method=GET path=/api/verify remote_ip=172.17.0.1

Here is my access control policy:

    access_control:
      default_policy: deny
      rules:
        ## bypass rule
        - domain:
            - "auth.domain.com"
          policy: bypass
        ## catch-all
        - domain: "*.domain.com"
          subject:
            - "group:admins"
          policy: one_factor

Here is my user config (removed sensitive information):

    users:
      Magic:
        displayname: "Magic"
        password: ""
        email: ""
        groups:
          - admins
          - user

As I mentioned, I can click the photoprism.domain.com link in NGINX proxy manager and it does redirect me to authelia, in which I can authenticate/login, and upon redirecting me to photoprism.domain.com is when I get 403 forbidden and the above error in the log file. Any help is much appreciated!
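A simplified model of how Authelia picks a policy for a request, added here as an example (not Authelia's code, nor anything from the guide or this post) so the posted rules can be checked against the user offline: the first matching rule wins, "*.domain.com" matches subdomains but not the apex domain, and a "deny" outcome is what produces the "is forbidden to user" log line (403). The same model covers the anonymous case from obi-WAN-kenobi's post earlier in the thread, where a non-bypass rule yields a 401 or redirect instead of 403. The ACL and user below are constructed from the two blocks above; resources, methods, network criteria and subject-restricted bypass rules are assumptions left out of the model.

```python
# Authentication level a session carries, and the level each policy demands.
AUTH_LEVEL = {"none": 0, "one_factor": 1, "two_factor": 2}
POLICY_LEVEL = {"bypass": 0, "one_factor": 1, "two_factor": 2}

# Constructed from the access_control and users blocks posted above.
ACL = {
    "default_policy": "deny",
    "rules": [
        {"domain": ["auth.domain.com"], "policy": "bypass"},
        {"domain": "*.domain.com", "subject": ["group:admins"], "policy": "one_factor"},
    ],
}
MAGIC = {"name": "Magic", "groups": ["admins", "user"]}


def domain_matches(pattern, host):
    """'*.domain.com' matches any subdomain of domain.com but not domain.com itself."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()


def subject_matches(subjects, user):
    """Subjects are OR-ed ('group:x' or 'user:x'). An anonymous user (None)
    matches a subject rule so that the rule's policy sends them to log in;
    after login the rule is re-evaluated against their real groups."""
    if not subjects or user is None:
        return True
    for subject in subjects:
        kind, _, name = subject.partition(":")
        if kind == "user" and user["name"] == name:
            return True
        if kind == "group" and name in user["groups"]:
            return True
    return False


def required_policy(acl, host, user):
    """First rule whose domain and subject both match wins; else default_policy."""
    for rule in acl["rules"]:
        domains = rule["domain"] if isinstance(rule["domain"], list) else [rule["domain"]]
        if any(domain_matches(d, host) for d in domains) and subject_matches(
            rule.get("subject", []), user
        ):
            return rule["policy"]
    return acl["default_policy"]


def verify(acl, host, user, auth_level="none"):
    """Status /api/verify would give: 200 allowed, 401 needs (more) authentication
    (the proxy turns this into the login redirect), 403 forbidden."""
    policy = required_policy(acl, host, user)
    if policy == "deny":
        return 403
    if AUTH_LEVEL[auth_level] >= POLICY_LEVEL[policy]:
        return 200
    return 401


if __name__ == "__main__":
    # Magic, logged in with one factor, matches the catch-all rule: allowed.
    print("Magic on photoprism:", verify(ACL, "photoprism.domain.com", MAGIC, "one_factor"))
    # A user outside the admins group matches no rule: default deny, the 403 in the log.
    print("non-admin on photoprism:", verify(ACL, "photoprism.domain.com", {"name": "guest", "groups": ["user"]}, "one_factor"))
    # Anonymous visitor: rule matches, one_factor required, so 401/redirect rather than 403.
    print("anonymous on photoprism:", verify(ACL, "photoprism.domain.com", None))
```

If the real Authelia instance still returns 403 for a user this model allows, the difference lies outside the rules (for example the groups the backend actually returns for that user), which is where to look next.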
Casadream_1 Posted June 13, 2022

Hello, I succeeded in the Authelia configuration thanks to the Ibracorp guide. There is one thing I don't understand. When I call my.domain.com from my local network, everything is OK, I can enter my Authelia login password.

1. If I try the same thing from a network outside my LAN, then the user password is refused and banned.
2. Then I notice that Authelia bans the user, but there is no way that I know of to unban.

Can someone help me, if only for point 1?
bigbangus Posted June 15, 2022 (edited)

Has anyone successfully configured crowdsec with their reverse proxy to parse through Nextcloud logs and block suspicious Nextcloud login attempts? I've followed these guides to set up crowdsec for swag (nginx) to work with authelia and vaultwarden:

https://www.linuxserver.io/blog/blocking-malicious-connections-with-crowdsec-and-swag
https://docs.ibracorp.io/crowdsec/crowdsec/unraid/traefik-bouncer/authelia-collection
https://docs.ibracorp.io/crowdsec/crowdsec/unraid/traefik-bouncer/vaultwarden-collection
https://github.com/ergin/nginx-cloudflare-real-ip (important if you're using cloudflare)

However, I'd like to also have the crowdsec agent and my nginx swag bouncer block malicious Nextcloud logins. The current IBRACORP solution doesn't seem clear to me. I'd rather know which logs to parse from the Nextcloud appdata folder and which collections to use in crowdsec. Or is Nextcloud in and of itself its own nginx and I just need to parse the Nextcloud internal nginx logs?

Edited June 15, 2022 by bigbangus
Camnomis Posted July 2, 2022

Looks like a recent update has broken something in the configuration.yml; when I try to start Authelia I get the following error message:

    level=warning msg="Configuration: configuration key 'authentication_backend.disable_reset_password' is deprecated in 4.36.0 and has been replaced by 'authentication_backend.password_reset.disable': this has been automatically mapped for you but you will need to adjust your configuration to remove this message"

Has anyone else looked at this yet, or do I need to dive into the change logs?
Camnomis Posted July 2, 2022 (edited)

Scrap that, looks like it was a bug that has been fixed in 4.36.1: https://github.com/authelia/authelia/issues/3621

Guess I will have to wait until the image is updated.

Edited July 2, 2022 by Camnomis
Waddoo Posted August 13, 2022

I have been trying to set up Authentik following the video posted by Ibracorp. However I am getting the following issues using this config (nginx_advanced), where I replaced the proxy_pass on ~line 30 with my serverIP:9000 and replaced ~line 53 with my auth.domain.com... URL.

Once set up, my app.domain.com gets the advanced config and ends up resolving to the wrong port, meaning it ends up at app.domain.com:4443, which is my nginx proxy manager internal docker port. Nowhere is Authentik set up to redirect to that port. Otherwise, deviations from this setup, or replacing proxy_pass at ~line 9, create server error 500.

Unsure if related, Authentik shows my Outpost integration as unhealthy, even though I am pointing it to unix:///var/run/docker.sock as noted in the environment variable and documentation. Would this be causing my bad redirect?

Anyone willing to help me set this up? Also, why was npm added to npm in the video?

nginx_advanced.txt
Rabbithacker921 Posted August 16, 2022

I don't know if you figured out the answer yet, but for me it was just to add this before location in the advanced config in NPM:

    port_in_redirect off;

It will look like this:

    # Increase buffer size for large headers
    # This is needed only if you get 'upstream sent too big header while reading response
    # header from upstream' error when trying to access an application protected by goauthentik
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;

    port_in_redirect off;

    location / {
        # Put your proxy_pass to your application here
        proxy_pass $forward_scheme://$server:$port;

        # authentik-specific config
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;
    }

    # all requests to /outpost.goauthentik.io must be accessible without authentication
    location /outpost.goauthentik.io {
        proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
        # ensure the host of this vserver matches your external URL you've configured
        # in authentik
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;

        # required for POST requests to work
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Special location for when the /auth endpoint returns a 401,
    # redirect to the /start URL which initiates SSO
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
        # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
    }
dallen33 Posted September 6, 2022

On 2/26/2022 at 2:34 PM, shpitz461 said:
    Hi Sycotix, great tutorials mate! I followed your Authelia tutorial but I cannot get it to start, i keep getting this error: [...] why can't the Authelia container see the redis container? [...]

Did you figure out the issue here? Mine is doing the same thing.
Bruceflix Posted September 7, 2022

On 8/16/2022 at 4:19 PM, Rabbithacker921 said:
    i dont know if you figured out the answer yet, but for me it was just to add this before location in the advanced config in NPM port_in_redirect off; [...]

You sir, deserve a medal.
Liqwid_Kirk Posted September 16, 2022 (edited)

Just have a quick question: anyone else have the issue of the NGINX proxy host for authelia going offline as soon as they save the advanced config? If so, how did you fix it?

**Fixed**

Edited September 19, 2022 by Liqwid_Kirk
FreakLikeMe Posted September 30, 2022

Having trouble setting up Ghost with the Ibracorp template. The container keeps getting an error "could not connect to the database". All users and passwords are correct, I checked a million times. Do I need to do something to get it working?
Tweak91 Posted October 16, 2022

Could you make a YouTube video on how to fully set up Matrix on unraid?
irishjd Posted October 17, 2022

Can anyone tell me how to utilize plugins in adminer? I see it mentioned in several Ibracorp videos, but I see no mention of how to enable/use the plugins.