
OTP registration link #532

Closed miberecz closed 4 years ago

miberecz commented 4 years ago

I'm trying to set up Authelia, and I'm stuck with the OTP registration email. I was able to send it, but in the email the link looks like this: https:///one-time-password/register?token=LONGRANDOMTOKEN — which obviously is not going to work. How do I set this to point to my Authelia instance? Or, by any means, make it work?

nightah commented 4 years ago

Are you using nginx or Traefik? Typically with nginx this occurs due to missing headers on the authelia portal.

#466 includes examples for nginx.

miberecz commented 4 years ago

Nginx. Following that config, I managed to solve the email issue. I did not use it entirely — it gave me Error 500 (Internal Server Error) first, so I combined it with some other things I found here. Now I'm stuck where others are: the redirection after successful authentication does not happen; it just stays there with the green "Authenticated!" sign. The title bar shows: https://authelia.mydomain.com/2fa/one-time-password?rd=https://myapp.mydomain.com/

I include the config I'm using right now; maybe you can spot the problem. To be honest, I do not understand about 80% of this — it's just a trial-and-error compilation of what I could find here:

Authelia nginx :

# Plain-HTTP listener for the Authelia portal: every request is answered with a
# permanent redirect to the same host and path over HTTPS (default port 443).
# The TLS listener below is on 4545, reached through the OpenVPN port-share on
# 443 noted there, so this redirect depends on that port-share being in place.
server {
    server_name authelia.mydomain.com;
    listen 80;
    # $server_name pins the redirect to this vhost rather than the client-supplied
    # Host header; $request_uri preserves the original path and query string.
    return 301 https://$server_name$request_uri;
}

# TLS listener for the Authelia portal itself (no auth_request here — the portal
# is the thing users must be able to reach to authenticate).
server {
    server_name authelia.mydomain.com;
    listen 4545 ssl http2;
    #OpenVPN runs on 443 with port-share to 4545

    ssl_certificate /etc/letsencrypt/live/authelia.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/authelia.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        # Backend held in a variable, so nginx evaluates it per request instead
        # of validating it at start-up; the value is a literal IP, so no
        # resolver is required for this proxy_pass.
        set $upstream_authelia http://LANIP_not_localhost:9091;
        proxy_pass $upstream_authelia;
        # proxy.conf (further down in this thread) adds the X-Forwarded-* headers;
        # per the reply above, the empty host in the OTP registration link came
        # from these headers being absent on the portal vhost.
        include proxy.conf;
    }
}

MyApp nginx:

# Plain-HTTP listener for the protected app: unconditional permanent redirect to
# HTTPS on the same host and path (default port 443, which the OpenVPN
# port-share noted below forwards to the 4545 TLS listener).
server {
    server_name myapp.mydomain.com;
    listen 80;
    # $server_name keeps the target on this vhost; $request_uri keeps path+query.
    return 301 https://$server_name$request_uri;
}

# TLS listener for the protected app. Every request under / is gated by an
# auth_request subrequest to Authelia before being proxied to the app.
server {
    server_name myapp.mydomain.com;
    listen 4545 ssl http2;
    #OpenVPN runs on 443 with port-share to 4545

    ssl_certificate /etc/letsencrypt/live/myapp.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myapp.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Defines the internal location the auth_request in auth.conf targets. The
    # location name must match that directive; as pasted they differ
    # (/.check-auth here vs /authelia in auth.conf), which is what the reply
    # below corrects.
    include authelia_check-auth_block_external_api;

    location / {
        # Literal-IP backend in a variable: evaluated per request, no resolver needed.
        set $upstream_myapp http://LANIP_not_localhost:8443;
        proxy_pass $upstream_myapp;
        # auth.conf: auth_request gate plus the 401 -> portal redirect.
        include auth.conf;
        # proxy.conf: X-Forwarded-* headers and timeouts shared by both vhosts.
        include proxy.conf;
    }
}

Content of authelia_check-auth_block_external_api

# Internal auth_request target used by auth.conf. Its name must equal the path
# given to `auth_request` (auth.conf uses /authelia); the mismatch as pasted is
# what the maintainer's reply below fixes.
location = /.check-auth {
        # Only reachable through nginx subrequests (auth_request); a client
        # requesting this path directly gets a 404.
        internal;

        # Describe the original client request to Authelia's verify endpoint,
        # which presumably decides from scheme/host/URI whether the session is
        # authorised for that resource.
        proxy_set_header X-Forwarded-Host $host;

        proxy_set_header X-Original-URI $request_uri;

        proxy_set_header X-Original-URL $scheme://$host$request_uri;

        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header X-Forwarded-Proto $scheme;

        # The subrequest carries no body: clear Content-Length and do not
        # forward the client's body to the verify endpoint.
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;

        # TLS settings for the hop to the public Authelia hostname in proxy_pass.
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Upstream certificate is verified against a single trusted root file;
        # any change in the issuing chain of that certificate would break this
        # subrequest, and with it every protected request.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate "/etc/ssl/certs/DST_Root_CA_X3.pem";
        proxy_ssl_verify_depth 2;

        # Send SNI so the upstream presents the certificate for this hostname.
        proxy_ssl_server_name on;

        # Public resolver, needed only because proxy_pass targets a hostname.
        resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
        resolver_timeout 10s;
        # Loops back out through the reverse-proxied hostname. The reply below
        # recommends the internal address (http://LANIP_not_localhost:9091/api/verify)
        # instead, which removes the extra TLS hop, the external resolver and the
        # pinned-root dependency from the auth path.
        proxy_pass https://authelia.mydomain.com/api/verify;
    }
auth.conf

# Basic Authelia Config — included in the protected app's `location /`.
# Each request is first issued as a subrequest to the internal location named
# here, which must exist in the same server block (the included check-auth file
# defines /.check-auth, so as pasted the two do not match).
auth_request /authelia;
# Absolute URL of the original request, passed to Authelia as rd= on a 401.
# NOTE(review): $http_host is the client-supplied Host header, so the rd value
# is client-influenced; Authelia's own validation of rd is what bounds where
# the post-login redirect can go.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Identity headers returned by the verify subrequest (Remote-User / Remote-Groups).
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
# Forward that identity to the app behind the proxy.
proxy_set_header X-Forwarded-User $user;
proxy_set_header X-Forwarded-Groups $groups;
# Not authenticated (401 from the subrequest): send the browser to the portal
# with the original URL so it can return there after login.
error_page 401 =302 https://authelia.mydomain.com/?rd=$target_url;

proxy.conf

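# Shared proxy settings, included from the `location /` of both vhosts above.
client_body_buffer_size 128k;

#Timeout if the real server is dead: try the next upstream on these failures
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

# Basic Proxy Config
# The X-Forwarded-* headers are what Authelia reads to reconstruct the original
# scheme/host/URI (the OTP registration link in the issue had an empty host
# because these were missing on the portal vhost).
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;   # terminating ';' was missing as pasted
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

# If behind reverse proxy, forwards the correct IP.
# Only peers listed here may rewrite the client address via X-Forwarded-For, so
# keep the list to networks you control. The RFC 1918 block is 172.16.0.0/12,
# not 172.0.0.0/8: the /8 would also trust public 172.x hosts to set the IP
# that logs and Authelia's regulation (max_retries / ban_time) see.
# 192.168.0.0/24 covers a single /24; widen to /16 if your LAN uses others.
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/24;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;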

Authelia config.yml

# Authelia configuration as pasted in the issue. The secrets and credentials
# shown are placeholders; the deployed file needs long random values for
# jwt_secret and session.secret.
port: 9091

logs_level: debug
# NOTE(review): the next line ("ion.") looks like a fragment left over from
# pasting — it is not valid YAML on its own; confirm against the real file.
ion.
jwt_secret: some_secret

# presumably the fallback target after login when no rd= is supplied — confirm
default_redirection_url: https://myapp.mydomain.com/

totp:
  # Label shown in the authenticator app for generated secrets.
  issuer: authelia.mydomain.com

duo_api:
  hostname: asd.duosecurity.com
  integration_key: asdasd
  secret_key: asdasdad

authentication_backend:

   file:
     path: /etc/authelia/users.yml

access_control:

  # No per-resource rules: every request requires 2FA.
  default_policy: two_factor

session:
  name: authelia_session
  secret: unsecure_session_secret
  expiration: 3600 # 1 hour

  inactivity: 300 # 5 minutes

  # NOTE(review): this differs from the mydomain.com used by the vhosts above.
  # If that is not just a redaction slip, the session cookie will not be scoped
  # to authelia.mydomain.com / myapp.mydomain.com.
  domain: 3dora.eu

regulation:

  max_retries: 3

  find_time: 120

  ban_time: 300

storage:

   local:
    path: /etc/authelia/db.sqlite3

notifier:

   smtp:
    username: myemail@gmail.com
    password: mypass
    host: smtp.gmail.com
    port: 587
    sender: myemail@gmail.com
    # NOTE(review): with secure: false, confirm the 587 connection is still
    # upgraded with STARTTLS; otherwise the SMTP password travels in clear.
    secure: false
    #minor thing: 465, secure:true does not work
nightah commented 4 years ago

Change the first line of your authelia_check-auth_block_external_api from `location = /.check-auth {` to `location = /authelia {`.

The authelia_check-auth_block_external_api and auth.conf work together and that location needs to match.

I also recommend changing the proxy_pass in your authelia_check-auth_block_external_api from the reverse-proxied location to the actual internal Authelia location; based on your other configuration this will likely be http://LANIP_not_localhost:9091/api/verify

miberecz commented 4 years ago

Whoa man, you rock.

Both the redirect and the OTP link work now. Thanks.

nightah commented 4 years ago

Glad we could sort out your issue.