Closed miberecz closed 4 years ago
Are you using nginx or Traefik? Typically with nginx this occurs due to missing headers on the authelia portal.
Nginx.
Following that config, I managed to solve the email issue.
I did not used that entirely, it gave me Error 500 (Internal server error) first, so I combined with some other thing I found here.
Now I'm stucked, where others: redirection after successful authentication does not happen, its just stays there with the green Authenticated! sign.
The title bar shows:
https://authelia.mydomain.com/2fa/one-time-password?rd=https://myapp.mydomain.com/
I include the config I'm using right now, maybe you can spot the problem. To be honest, I do not understand like 80% of this, its just trial-and-error compilation of what I can found here:
Authelia nginx :
server {
server_name authelia.mydomain.com;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name authelia.mydomain.com;
listen 4545 ssl http2;
#OpenVPN runs on 443 with port-share to 4545
ssl_certificate /etc/letsencrypt/live/authelia.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/authelia.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
set $upstream_authelia http://LANIP_not_localhost:9091;
proxy_pass $upstream_authelia;
include proxy.conf;
}
}
MyApp nginx:
server {
server_name myapp.mydomain.com;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name myapp.mydomain.com;
listen 4545 ssl http2;
#OpenVPN runs on 443 with port-share to 4545
ssl_certificate /etc/letsencrypt/live/myapp.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/myapp.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include authelia_check-auth_block_external_api;
location / {
set $upstream_myapp http://LANIP_not_localhost:8443;
proxy_pass $upstream_myapp;
include auth.conf;
include proxy.conf;
}
}
Content of authelia_check-auth_block_external_api
location = /.check-auth {
internal;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
proxy_ssl_verify on;
proxy_ssl_trusted_certificate "/etc/ssl/certs/DST_Root_CA_X3.pem";
proxy_ssl_verify_depth 2;
proxy_ssl_server_name on;
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 10s;
proxy_pass https://authelia.mydomain.com/api/verify;
}
auth.conf
# Basic Authelia Config
auth_request /authelia;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header X-Forwarded-User $user;
proxy_set_header X-Forwarded-Groups $groups;
error_page 401 =302 https://authelia.mydomain.com/?rd=$target_url;
proxy.conf
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/24;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
Authelia config.yml
port: 9091
logs_level: debug
ion.
jwt_secret: some_secret
default_redirection_url: https://myapp.mydomain.com/
totp:
issuer: authelia.mydomain.com
duo_api:
hostname: asd.duosecurity.com
integration_key: asdasd
secret_key: asdasdad
authentication_backend:
file:
path: /etc/authelia/users.yml
access_control:
default_policy: two_factor
session:
name: authelia_session
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: 3dora.eu
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
local:
path: /etc/authelia/db.sqlite3
notifier:
smtp:
username: myemail@gmail.com
password: mypass
host: smtp.gmail.com
port: 587
sender: myemail@gmail.com
secure: false
#minor thing: 465, secure:true does not work
Change the first line of your authelia_check-auth_block_external_api
from: location = /.check-auth {
to: location = /authelia {
The authelia_check-auth_block_external_api
and auth.conf
work together and that location needs to match.
I also recommend changing the proxy_pass in your authelia-check-auth-_block_external_api
from the reverse proxied location to the actual internal authelia location, based on your other configuration this will likely be http://LANIP_not_localhost:9091/api/verify
Whao man, you rock.
Both the redirect and the OTP link works now. Thanks.
Glad we could sort out your issue.
I'm trying to setup Authelia, and I'm stucked with the OTP registration email. I was able to send it, but in the email, the link looks like this: https:///one-time-password/register?token=LONGRANDOMTOKEN Which obviously not gonna work. How do I set this to point my authelia instance? Or, by any means make it work?