linuxserver / docker-letsencrypt

DEPRECATED: Please use linuxserver/swag instead
GNU General Public License v3.0

authelia: proxy authentication issue #467

Closed lippl closed 4 years ago

lippl commented 4 years ago

Hi guys,

I am running authelia on a subdomain and was trying to set up authentication for reverse proxies, but always received a pass because it seems like the provided config just forwards the path using the authelia/ subdir and therefore sends the auth request not to api but login form is resolved by this path instead, which comes with a 200 OK. Also a security issue?

I had to change this line: proxy_pass http://$upstream_authelia:9091; to use the following path: http://$upstream_authelia:9091/api/verify

Can this be confirmed?

aptalca commented 4 years ago

The default confs were designed to use with subfolder authelia because that type of configuration requires no edits to authelia-server.conf or authelia-location.conf by the user. They work out of the box.

If you change it, you'll have to modify various things. I'll give it some thought about adding another note.

lippl commented 4 years ago

Yes, there are already some nice notes in the location file about subfolder vs. subdirectory. It sure would be helpful in the server file as well :) I guess the authelia subfolder path could just be removed when running on subdomain.. even though I am not sure if it should also have the path adjusted there too, because without the trailing / it also forwards this path too and on authelia it is running on root directory but it just redirects anything unknown to the login.

But actually I would think it is independent of this, because it is about the requests from the reverse proxy container towards the authelia container, which has nothing to do on how you access authelia from outside. So the path of proxy_pass, not location or actually the /authelia not being stripped in either way is the issue!?

Either I am getting mixed up by nginx logic how it uses the paths in forwarding, or it is just luck, that it works? I hope I did not bring too much confusion..

aptalca commented 4 years ago

I just looked into it and there are quite a few changes necessary. Nginx acts funny when the reverse proxied address contains a variable, where it appends the location to the end of the address automatically.

I'm gonna remove all notes about subdomain use of authelia so as not to confuse anyone. So if someone wants to use subdomain, they can implement their custom solution themselves. There's plenty of documentation on authelia's docs site about it.

It's going to be too complicated for us to try and support both methods especially when one method works out of the box with no user customization.

lippl commented 4 years ago

Well, that might be better for simplicity. Could it be a way, that there is just some info in the reverse proxy conf for subdomain of authelia, that when people are trying to activate it there, they get a hint to rework authelia server and location file after checking official authelia documentation. Then it would be clean for all out of the box subdir users and just a small hint for the others without confusion?

Thanks for your efforts on this!

aptalca commented 4 years ago

yeah, that's a good idea. Thanks

aptalca commented 4 years ago

updated in https://github.com/linuxserver/reverse-proxy-confs/pull/172
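
Added example (not part of the thread or of the linuxserver configs): a smoke test for the failure mode discussed above, where the verification subrequest lands on a path that answers 200 with the login form, so nginx `auth_request` treats every request as authenticated. The function names, the stub server and the combined path `/authelia/api/verify` are assumptions for illustration; the stub imitates the behaviour lippl describes for an auth server running at the root path.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx as-is instead of following it to the login page

# Direct connection: ignore proxy environment variables, never follow redirects.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)

def verify_status(base_url, path):
    """Status code an unauthenticated GET to base_url + path receives."""
    try:
        with _OPENER.open(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def fails_open(base_url, path):
    """nginx auth_request allows the request on any 2xx subrequest response."""
    return 200 <= verify_status(base_url, path) < 300

class StubAuthServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an auth server at the root path: /api/verify
    returns 401 without a session, any other path returns the login page, 200."""

    def do_GET(self):
        self.send_response(401 if self.path == "/api/verify" else 200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>login form</html>")

    def log_message(self, *args):
        pass  # silence per-request logging

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubAuthServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    server, base = start_stub()
    for path in ("/authelia/api/verify", "/api/verify"):
        print(path, verify_status(base, path), "FAIL-OPEN" if fails_open(base, path) else "ok")
    server.shutdown()
```

Pointed at your own auth container with the exact path your `proxy_pass` ends up sending, `fails_open` should return False; a True result means the subrequest is hitting something other than the verification API.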