Documentation on Reverse Proxy Auth

TandoorRecipes / recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

https://docs.tandoor.dev

Other

5.61k stars 597 forks source link

Documentation on Reverse Proxy Auth #391

Open jakobwenzel opened 3 years ago

jakobwenzel commented 3 years ago

The documentation on Reverse Proxy Auth includes an example on how to configure the nginx container to perform the necessary communication with Authelia. However, it is quite common to share multiple services behind a single reverse proxy. This single reverse proxy sits in front of nginx and already handles authentication.

The recipes-specific nginx then only needs to forward the auth header like this:

server {
  listen 80;
  server_name localhost;

  client_max_body_size 16M;

  # serve media files
  location /media/ {
    alias /media/;
  }
  # pass requests for dynamic content to gunicorn
  location / {
    proxy_set_header Host $host;
    proxy_pass http://recipes_web:8080;

    proxy_set_header REMOTE-USER $http_remote_user;
  }
}

Clarifying the use case outlined in the documentation and maybe adding the case described here would be helpful.

dougmaitelli commented 3 years ago

I faced the same scenario, I have my authelia and traefik in front of the setup and for it to work I did not require any of these changes on the nginx container, just the .env setting to enable proxy auth.

The only problem I am having with that is that it gets me authenticated with no admin permissions, so I am basically stuck with access to the application but no admin access.

vabene1111 commented 3 years ago

yes that is something i need to add to the docs, someone on discord or reddit had the same issue. The problem is that you need to create the admin before enabling remote proxy auth (which i unintuitive). I will add a section to the docs detailing this and also put up some instructions on how to create the admin account if you by accident create the unpriveledged user before first creating a superuser.

Easiest for you for now would be just delete the DB, create an admin trough the setup menu and then enable proxy auth. Sorry for the inconvenience

dougmaitelli commented 3 years ago

yes that is something i need to add to the docs, someone on discord or reddit had the same issue. The problem is that you need to create the admin before enabling remote proxy auth (which i unintuitive). I will add a section to the docs detailing this and also put up some instructions on how to create the admin account if you by accident create the unpriveledged user before first creating a superuser.

Easiest for you for now would be just delete the DB, create an admin trough the setup menu and then enable proxy auth. Sorry for the inconvenience

I am the one from Reddit actually.

In the end what I ended up doing was:

enable proxy auth
start the applicatioN (WITHOUT OPENING IT YET)
then I used the venv manage.py to create a super user with my username
then I logged in from my proxy

Boom, everything working perfectly