goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

HSTS support #8640

Open Mase3206 opened 9 months ago

Mase3206 commented 9 months ago

Is your feature request related to a problem? Please describe.
I don't use authentik through a reverse proxy, as it adds some extra complication, and it was easier to run it in a VM with its own IP. However, I no longer have control over HTTP vs HTTPS with this method. I would like to enforce HTTPS and disallow unencrypted traffic over standard HTTP, as it is less secure, but I haven't found a way to do so.

Describe the solution you'd like
The most user-friendly way could be a toggle in each Tenant/Brand to enforce HSTS. It could also be an environment variable set to True.

Describe alternatives you've considered
I could run authentik behind a reverse proxy again, which would allow for HSTS enforcement. However, as mentioned earlier, that requires more configuration than I am willing to do, especially since I use Nginx Proxy Manager instead of raw Nginx config files. Custom parameters are supported, but direct connections are far simpler.
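As an added example (not from this issue or the authentik project), a minimal nginx configuration for the reverse-proxy alternative described above: port 80 does nothing but redirect, and the TLS server block sends the HSTS header so browsers stop attempting plain HTTP afterwards. The hostname, certificate paths and the authentik upstream address are placeholders.

```nginx
# Added example; placeholder values are marked. Not authentik's own config.

# WebSocket-aware Connection header (authentik's UI and outposts use websockets).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: never serve content, only redirect to HTTPS.
# This covers the very first visit, before the browser has seen any HSTS header.
server {
    listen 80;
    server_name auth.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name auth.example.com;          # placeholder hostname

    ssl_certificate     /etc/ssl/certs/auth.example.com.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/auth.example.com.key;  # placeholder path

    # HSTS: for one year the browser refuses plain HTTP to this host and its
    # subdomains. "always" also attaches it to 4xx/5xx responses. Only send this
    # from the TLS block; an HSTS header over plain HTTP is ignored by browsers.
    # Do not add "preload" unless you intend to submit the domain to the preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://authentik-server:9000;   # placeholder upstream (assumed HTTP port)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Tell authentik the original scheme so it builds https:// URLs and secure cookies.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Note that `add_header` directives are not inherited into a `location` block that declares its own `add_header`, so keep the HSTS header at the level where every response passes through it, or repeat it in such locations.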

NigelVanHattum commented 8 months ago

Maybe an easy fix here is to just close port 80 on your VM. Not exactly what you are looking for, but why would you want to even enable these connections?

Mase3206 commented 8 months ago

I'm not sure I understand what connections you are talking about. Do you mean HTTP connections or un-proxied connections?

For some reason, I hadn't thought about just closing port 80. I'll do that in the meantime. I would still like a way to force a connection to be "upgraded" to HTTPS.

BeryJu commented 3 months ago

The solution we'd most likely go with for this would be adding the option to set additional headers for each brand, which would allow HSTS headers to be set. However, this depends on the implementation of some other future features (see #9712).