linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

[BUG] Swag and latest Authelia conf #496

Open maxime1992 opened 1 month ago

maxime1992 commented 1 month ago


Current Behavior

I use SWAG and I have noticed that there's an update on the authelia-location.conf.sample file. So I try to just copy it over instead of mine, and as a result all my services behind authelia end up with a 500.

The only problematic file seems to be authelia-location.conf.

The file that used to work:

```nginx
## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Make sure that the authelia configuration.yml has 'path: "authelia"' defined

auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
```

The new one based on the sample file:

```nginx
## Version 2024/03/14 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Rename /config/nginx/proxy-confs/authelia.subdomain.conf.sample to /config/nginx/proxy-confs/authelia.subdomain.conf
# For authelia 4.37 and below, make sure that the authelia configuration.yml has 'path: "authelia"' defined
# For authelia 4.38 and above, make sure that the authelia configuration.yml has 'address: "tcp://:9091/authelia"' defined

## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource
## For authelia 4.37 and below, use the following line
# auth_request /authelia/api/verify;
## For authelia 4.38 and above, use the following line
auth_request /authelia/api/authz/auth-request;

## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal
error_page 401 = @authelia_proxy_signin;

## Translate the user information response headers from the auth subrequest into variables
auth_request_set $email $upstream_http_remote_email;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $user $upstream_http_remote_user;

## Inject the user information into the request made to the actual upstream
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-User $user;

## Translate the Set-Cookie response header from the auth subrequest into a variable
auth_request_set $set_cookie $upstream_http_set_cookie;

## Translate the Location response header from the auth subrequest into a variable
auth_request_set $signin_url $upstream_http_location;
```

The logs I get:

```text
time="2024-08-02T17:26:35+02:00" level=error msg="Error getting Target URL and Request Method" error="missing required X-Original-URL header" method=GET path=/api/authz/auth-request path_raw=/authelia/api/authz/auth-request remote_ip=xxx.xxx.xxx.xxx
```

Expected Behavior

To work.

Steps To Reproduce

Unsure if it'll repro or not but you can give it a shot with the file diff I have provided above.

Environment

`$ docker exec -it authelia authelia build-info`

```text
Last Tag: v4.38.9
State: tagged clean
Branch: v4.38.9
Commit: 2798576ee25a56fd4c14814acd087b6e92f3978b
Build Number: 30034
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Sun, 16 Jun 2024 19:47:16 +1000
Extra:

Go:
    Version: go1.22.2
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia
```

CPU architecture

x86-64

Docker creation

In docker compose:

```yaml
  authelia:
    image: ghcr.io/authelia/authelia:latest
    container_name: authelia
    env_file:
      - common.env
    volumes:
      - ~/opt/authelia:/config
    restart: unless-stopped
```

Container logs

Provided above.

github-actions[bot] commented 1 month ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

j0nnymoe commented 1 month ago

Did you read the notes at the top of the proxy config regarding the different versions and what needs to be set?

maxime1992 commented 1 month ago

Yes, have I missed something obvious?

For the configuration.yml file I've got the following:

```yaml
server:
  address: "tcp://:9091/authelia"
  read_buffer_size: 4096
  write_buffer_size: 4096
```

So it seems to be matching the note for 4.38.x?

cpaucar3 commented 1 month ago

The swag blog/docs are outdated for authelia, use the official docs as seen here: https://www.reddit.com/r/selfhosted/comments/1e69kow/banging_my_head_against_swagauthelia/

loukaniko85 commented 3 weeks ago

Authelia has updated their documentation for SWAG integration. This is what I used to get it working again.

https://www.authelia.com/integration/proxies/swag/

Specifically this change was required. The generated authelia-server.conf includes the `proxy_pass http://$upstream_authelia:9091;` directive in two location blocks; we recommend adjusting these locations so they include the part of the location match after the /authelia part, for example in the `location = /authelia/api/verify` set the directive to `proxy_pass http://$upstream_authelia:9091/api/verify;` and in the `location = /authelia/api/authz/auth-request` set the directive to `proxy_pass http://$upstream_authelia:9091/api/authz/auth-request;`. Per below.

```nginx
## location for authelia 4.37 and below auth requests
location = /authelia/api/verify {
    internal;

    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091/api/verify;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

## location for authelia 4.38 and above auth requests
location = /authelia/api/authz/auth-request {
    internal;

    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091/api/authz/auth-request;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
```
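As an added example (not code from SWAG, Authelia, or anyone in this thread), the Python below models the two nginx behaviours the last comments turn on: how `proxy_pass` with and without a URI part changes the path the `auth_request` subrequest is sent to, and a small parser that reads one internal location block and reports whether the `X-Original-URL` header the posted Authelia log says is missing (together with `X-Original-Method`, the companion header Authelia's AuthRequest implementation expects) is set in the block itself. The two location blocks are constructed copies of the 4.38+ block above, one as posted and one with the two headers written in; the `$scheme://$http_host$request_uri` value is an assumption about what a working config sets, and headers supplied through `include` files such as proxy.conf are not visible to the parser, so "missing" here means "not set in this block".

```python
"""Added example, not SWAG's or Authelia's own code: models the nginx side of
the auth_request subrequest discussed in this thread."""
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Headers the 4.38+ /api/authz/auth-request endpoint expects on the subrequest.
# X-Original-URL is the header the posted Authelia log reports as missing;
# X-Original-Method is the companion header Authelia's AuthRequest
# implementation also expects.
REQUIRED_HEADERS = ("X-Original-Method", "X-Original-URL")


def rewrite_uri(location: str, request_uri: str, proxy_pass: str) -> str:
    """Return the URI nginx sends upstream for '=' and plain-prefix locations.

    nginx rule: if proxy_pass has a URI part, the part of the request URI
    matched by the location is replaced by it; if proxy_pass has no URI part,
    the request URI is forwarded unchanged. Regex locations are not modelled.
    """
    tokens = location.split()
    if tokens[0] == "=":
        exact, path = True, tokens[1]
    elif tokens[0].startswith(("~", "^~")):
        raise ValueError("regex and ^~ locations are not modelled here")
    else:
        exact, path = False, tokens[0]
    matched = request_uri == path if exact else request_uri.startswith(path)
    if not matched:
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    target = urlsplit(proxy_pass.strip().rstrip(";"))
    if target.path == "":
        return request_uri          # proxy_pass http://host:port;  passed as-is
    if exact:
        return target.path          # the whole URI matched, so it is replaced whole
    return target.path + request_uri[len(path):]


@dataclass
class AuthLocationReport:
    location: str
    internal: bool
    upstream_uri: str
    headers: dict = field(default_factory=dict)
    includes: list = field(default_factory=list)
    missing: set = field(default_factory=set)


def check_auth_location(block: str, request_uri: str = "") -> AuthLocationReport:
    """Parse one nginx location block and report what the subrequest carries.

    Only directives written in the block itself are seen: a header listed in
    'missing' may still be set by one of the 'includes' files.
    """
    header, _, rest = block.partition("{")
    body = rest.rsplit("}", 1)[0]
    location = header.split("location", 1)[1].strip()
    request_uri = request_uri or location.split()[-1]
    internal, proxy_pass, headers, includes = False, None, {}, []
    for raw in body.splitlines():
        line = re.sub(r"#.*$", "", raw)            # drop nginx comments
        for directive in line.split(";"):
            tok = shlex.split(directive)
            if not tok:
                continue
            name, args = tok[0], tok[1:]
            if name == "internal":
                internal = True
            elif name == "proxy_pass":
                proxy_pass = args[0]
            elif name == "proxy_set_header":
                headers[args[0]] = args[1] if len(args) > 1 else ""
            elif name == "include":
                includes.append(args[0])
    if proxy_pass is None:
        raise ValueError("location block has no proxy_pass directive")
    present = {h.lower() for h in headers}
    missing = {h for h in REQUIRED_HEADERS if h.lower() not in present}
    upstream = rewrite_uri(location, request_uri, proxy_pass)
    return AuthLocationReport(location, internal, upstream, headers, includes, missing)


# Constructed copies of the 4.38+ block from this thread: as posted, and with
# the two X-Original-* headers written into the block itself (assumed values).
AS_POSTED = """
location = /authelia/api/authz/auth-request {
    internal;
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091/api/authz/auth-request;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
"""
WITH_ORIGINAL_HEADERS = AS_POSTED.replace(
    "    proxy_pass_request_body off;",
    "    proxy_set_header X-Original-Method $request_method;\n"
    "    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;\n"
    "    proxy_pass_request_body off;",
)

if __name__ == "__main__":
    loc, uri = "= /authelia/api/authz/auth-request", "/authelia/api/authz/auth-request"
    for pp in ("http://$upstream_authelia:9091;",
               "http://$upstream_authelia:9091/api/authz/auth-request;"):
        print(f"proxy_pass {pp} -> upstream URI {rewrite_uri(loc, uri, pp)}")
    for label, block in (("as posted", AS_POSTED), ("with X-Original-*", WITH_ORIGINAL_HEADERS)):
        rep = check_auth_location(block)
        print(f"{label}: internal={rep.internal} upstream={rep.upstream_uri} "
              f"missing={sorted(rep.missing) or 'none'} includes={rep.includes}")
```

Run stand-alone it prints the upstream URI for both `proxy_pass` forms (the no-URI form forwards `/authelia/api/authz/auth-request` unchanged, the URI form sends `/api/authz/auth-request`) and then flags both X-Original-* headers as not set in the as-posted block, which is the condition the OP's log describes unless proxy.conf or another included file supplies them. To check a real config, paste the `location = /authelia/api/authz/auth-request { ... }` block from authelia-server.conf into `check_auth_location` and inspect `includes` for the files that still need a manual look.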