Closed dohsimpson closed 7 months ago
Thank you for your feedback. In fact, using the following configuration should work properly.
```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia;
## Set the $target_url variable based on the original request.
## Comment this line if you're using nginx without the http_set_misc module.
set_escape_uri $target_url $scheme://$http_host$request_uri;
## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;
## Save the upstream response headers from Authelia to variables.
auth_request_set $email $upstream_http_remote_email;
## Inject the response headers from the variables into the request made to the backend.
proxy_set_header X-Email $email;
## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url;
```
Different from the examples in Authelia's documentation, it uses `proxy_set_header X-Email $email;` instead of `proxy_set_header Remote-Email $email;`.
https://www.authelia.com/integration/proxies/nginx/#authelia-authrequestconf
This would be an elegant solution for Nginx reverse proxy users, thanks for sharing!
My use case is a bit different, I'm using Kubernetes + nginx ingress controller, which has a more convoluted syntax and less documentation on this topic.
In case it helps someone, here's how to configure nginx ingress annotations to pass X-Email in addition to Remote-Email:
```yaml
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $email $upstream_http_remote_email;
  proxy_set_header X-Email $email;
```
@BobDu would you consider accepting a PR to make the auth header configurable? I feel that this could be beneficial for people with different proxy setups.
Amazing project! I'm very thrilled to be trying out the new SSO Auth Header feature.
I noticed a small hiccup when integrating with Authelia:
Authelia uses `Remote-User` and `Remote-Email` instead of `X-Email` as the auth headers returned to the reverse proxy: https://www.authelia.com/integration/trusted-header-sso/introduction/#response-headers
This means that the SSO won't work out of the box with Authelia.
Adding a new env parameter for header name would provide this flexibility.
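One way the backend side of the proposed env parameter could look, as an added example that is not the project's code. The variable name `AUTH_PROXY_HEADER_NAME`, the function names and the sample requests are assumptions made for illustration.

```python
import os
import re

# Hypothetical env variable name; the thread only proposes "a new env parameter".
ENV_VAR = "AUTH_PROXY_HEADER_NAME"
DEFAULT_HEADER = "X-Email"  # header the project reads today, per the thread

# HTTP header names are tokens (RFC 9110); reject anything else at startup.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Deliberately loose email shape check: one "@", no whitespace or commas.
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+$")


def auth_header_name(env=os.environ):
    """Return the configured trusted-header name, falling back to X-Email."""
    name = env.get(ENV_VAR, "").strip() or DEFAULT_HEADER
    if not _TOKEN.match(name):
        raise ValueError(f"{ENV_VAR} is not a valid header name: {name!r}")
    return name


def user_from_headers(headers, env=os.environ):
    """Extract the authenticated email from (name, value) header pairs.

    Returns None unless exactly one non-empty, well-formed value is present,
    so a missing, duplicated or comma-joined header never authenticates.
    """
    wanted = auth_header_name(env).lower()  # header names are case-insensitive
    values = [v.strip() for k, v in headers if k.lower() == wanted]
    if len(values) != 1 or not _EMAIL.match(values[0]):
        return None
    return values[0]


# Constructed sample requests as the backend would receive them from the proxy.
AUTHELIA_STYLE = [("Host", "app.example.com"), ("remote-email", "alice@example.com")]
DEFAULT_STYLE = [("Host", "app.example.com"), ("X-Email", "alice@example.com")]

if __name__ == "__main__":
    print(user_from_headers(AUTHELIA_STYLE, {ENV_VAR: "Remote-Email"}))
    print(user_from_headers(DEFAULT_STYLE, {}))
```

The header is only trustworthy when the proxy sets it on every proxied request, as `proxy_set_header X-Email $email;` does in the configurations above, because that directive replaces any copy the client sent.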