linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0
2.89k stars 246 forks

(dashboard mod) Issue accessing dashboard when authelia is enabled : HTTP 403 #227

Closed GuiPoM closed 1 year ago

GuiPoM commented 2 years ago

Hello,

I am using Swag deployed on my NAS together with Authelia. I am also activating some mods, including the nice Dashboard mod. With this mod comes a proxy configuration, dashboard.subdomain.conf.

If I keep the configuration untouched, i.e. as deployed by the mod, the dashboard is working and can be accessed.

Even if this configuration restricts access to dashboard to internal IPs, I want to control who has access to this page. So I uncomment the classic two lines for enabling Authelia on server and on location sections as I am doing for many of my proxies.

Then I get a 403 when I try to access the same dashboard url.

I must add that Authelia is working well on all my proxies, this includes password as well as Openid connect services. So Authelia is working, and Swag is also working, and Authelia combined with Swag are also working on all my proxies. Dashboard is the only proxy for which I have an issue.


Expected Behavior

When I access dashboard.domain.com, Authelia prompts me for a login, if needed, then redirects to that page.

Current Behavior

I get a 403.

Steps to Reproduce

Deploy swag and authelia as described in the documentation. For swag, activate the dashboard mod. Then go to swag/config/nginx/proxy-confs/dashboard.subdomain.conf and activate two lines:

l71/72

    # enable for Authelia
    include /config/nginx/authelia-server.conf;

l83/84

    # enable for Authelia
    include /config/nginx/authelia-location.conf;

Environment

OS: Debian 10, OMV 5.6.26-1.

CPU architecture: x86_64 (Intel Pentium Gold G6400)

How docker service was installed: Installed from OMV UI with OMV-Extras (apt based installation)

Command used to create docker container (run/create/compose/screenshot)

---
version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=998
      - PGID=1000
      - TZ=Europe/Paris
      - EMAIL=XXX
      - URL=XXX
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=XXX
      - DOCKER_MODS=linuxserver/mods:swag-dashboard
    volumes:
      - /srv/dev-disk-by-uuid-XXX/appdata/swag/config:/config
      - /srv/dev-disk-by-uuid-XXX/appdata/nextcloud/data/nextcloud.log:/nextcloud/nextcloud.log:ro
      - /srv/dev-disk-by-uuid-XXX/appdata/jellyfin/log:/jellyfin/log:ro
    ports:
      - 443:443
      #- 8080:80 #optional
    labels:
      - diun.enable=true
    restart: unless-stopped
    networks:
      - portainer
      - nextcloud
      - heimdall
      - duplicati
      - filebrowser
      - jellyfin
      - librespeed
      - vaultwarden

  authelia:
    image: authelia/authelia
    container_name: authelia
    environment:
      - TZ=Europe/Paris
    volumes:
      - /srv/dev-disk-by-uuid-XXX/appdata/authelia/config:/config
    labels:
      - diun.enable=true
    restart: unless-stopped
    networks:
      - portainer
      - nextcloud
      - heimdall
      - duplicati
      - filebrowser
      - jellyfin
      - librespeed
      - vaultwarden

networks:
  default:
    name: swag

I know how to change nginx log level but I did not manage to identify why the request to dashboard.domain.com is rejected.

aptalca commented 2 years ago

If you're enabling Authelia, you can comment out the allow/deny lines. They are responsible for only allowing connections from the LAN and denying all else.
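Added example (not part of the thread and not SWAG or Authelia code): a small Python check that lists which access controls are active in each block of a proxy conf, and flags a location where allow/deny and the Authelia include are both active, or where a location has no Authelia include although the server block enables it. The sample conf is constructed, and the parser assumes the file starts at `server {` as SWAG proxy confs do.

```python
import re

# Constructed sample in the style of a SWAG proxy conf (not the mod's real file).
SAMPLE_CONF = r"""
server {
    include /config/nginx/authelia-server.conf;
    location / {
        allow 192.168.0.0/16;
        deny all;
        include /config/nginx/authelia-location.conf;
    }
    location ~ \.php$ {
        #include /config/nginx/authelia-location.conf;
    }
}
"""

RULES = {
    "ip_acl": re.compile(r"(allow|deny)\s+\S+;"),
    "authelia_server": re.compile(r"include\s+\S*authelia-server\.conf;"),
    "authelia_location": re.compile(r"include\s+\S*authelia-location\.conf;"),
}

def active_controls(conf_text):
    """Map each block path to the access controls active (uncommented) in it."""
    stack, found = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip, enough for these files
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            found.setdefault(" > ".join(stack), set())
        elif line == "}":
            stack.pop()
        elif line and stack:
            found[" > ".join(stack)].update(n for n, rx in RULES.items() if rx.match(line))
    return found

def findings(conf_text):
    blocks, out = active_controls(conf_text), []
    for path, ctl in blocks.items():
        server, _, loc = path.partition(" > ")
        if not loc.startswith("location"):
            continue
        # nginx defaults to "satisfy all": the IP ACL and the auth subrequest must both pass.
        if {"ip_acl", "authelia_location"} <= ctl:
            out.append((loc, "allow/deny and Authelia both active"))
        if "authelia_server" in blocks[server] and "authelia_location" not in ctl:
            out.append((loc, "no Authelia include in this location"))
    return out
```

Run `findings(open(path).read())` against a file under `proxy-confs/`; directives pulled in through other `include` files are not followed, so inspect those files separately.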

GuiPoM commented 2 years ago

Here is my current swag/config/nginx/proxy-confs/dashboard.subdomain.conf. There is no longer allow/deny there.

I also added a section

    #include /config/nginx/external.conf;
    include /config/nginx/internal.conf;

That is not the reason for my issue as it also does not work without it, but this is an enhancement I will suggest later to swag to apply to all proxy files to easily tag a proxy as internal or public facing proxy.

Here is the config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name dashboard.*;

    root /dashboard/www;
    index index.php;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    #include /config/nginx/external.conf;
    include /config/nginx/internal.conf;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        include /config/nginx/authelia-location.conf;

        try_files $uri $uri/ /index.php?$args =404;
    }
    location ~ \.php$ {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        include /config/nginx/authelia-location.conf;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue is locked due to inactivity