search

gurucomputing / headscale-ui

A web frontend for the headscale Tailscale-compatible coordination server
BSD 3-Clause "New" or "Revised" License
1.59k stars 113 forks source link

Swag + Authentik + Headscale-UI #141

Closed travisboss closed 3 months ago

travisboss commented 3 months ago 
## Version 2023/05/31
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name [redacted].*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app headscale;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/headscale)?/web {

        # enable for Authentik (requires authentik-server.conf in the server block)
        include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app headscale-ui;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

I was suggested to ask here from linuxserver people, I am trying to get authentik on the web interface since now it would be accessible outside of my network, but when I do I get a 500 error. Has anyone set this up with swag? When disabled works fine.

Here is what is in the authentik-location.conf file:

## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-location.conf.sample
# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf

## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource
auth_request /outpost.goauthentik.io/auth/nginx;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
error_page 401 = @goauthentik_proxy_signin;

## Translate the user information response headers from the auth subrequest into variables
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
auth_request_set $authentik_username $upstream_http_x_authentik_username;

## Inject the user information into the request made to the actual upstream
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
proxy_set_header X-authentik-username $authentik_username;

## Translate the Set-Cookie response header from the auth subrequest into a variable
auth_request_set $set_cookie $upstream_http_set_cookie;
travisboss commented 3 months ago

This does work for other services, I have authentik on it's on domain.

routerino commented 3 months ago

I suggest a read of https://github.com/gurucomputing/headscale-ui/blob/master/SECURITY.md, there is no value in placing the web application behind an authentication proxy. The sensitive information never leaves your browser, you can test this by opening an incognito window and going to the same webpage.

travisboss commented 3 months ago

Thanks @routerino I saw that shortly after I posted this and forgot to close the thread.