opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

www/caddy: Add forward_auth functionality, auth provider Authelia added. #4063

Open Monviech opened 5 days ago

Monviech commented 5 days ago

Fixes: https://github.com/opnsense/plugins/issues/4056

This adds a generic and standard approach to forward_auth: https://caddyserver.com/docs/caddyfile/directives/forward_auth.

This implementation generates the default configuration for Authelia based on the documentation: https://caddyserver.com/docs/caddyfile/directives/forward_auth#authelia

Authelia is open source and a partner of Caddy, so this configuration is standardized. https://www.authelia.com/

Users can customize domain, port, tls, and the uri. Only one Auth Provider can be serialized to the config. copy_headers are added automatically as per documentation standard without customization options.

To use it, the Forward Auth Provider has to be configured in "General Settings - Auth Provider". Afterwards, in any handle the tab "Access" has the option Forward Auth. Enabling this checkbox will prepend the forward_auth directive before the reverse_proxy directive.

This should work with both domains and subdomains.

An example generated config:

# Reverse Proxy Domain: "d5d05c2d-3f3a-4cd7-b6bf-0755cbbeb42b"
abc.example.com {
    handle {
        forward_auth https://authelia:9001 {
            uri /api/verify?rd=https://auth.example.com
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }
        reverse_proxy 192.168.1.1:81 {
        }
    }
}
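As an added illustration (not the plugin's own template code), the following Python model reproduces the rendering rules the PR describes: the provider's domain, port, tls and uri are customizable, copy_headers is fixed to the Authelia set, and the forward_auth block is prepended to reverse_proxy only when the handle's "Forward Auth" option is enabled. The class and function names are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Fixed header set from the Caddy forward_auth docs for Authelia; not user-configurable in the plugin.
COPY_HEADERS = "Remote-User Remote-Groups Remote-Name Remote-Email"


@dataclass
class AuthProvider:
    """The single Forward Auth Provider from 'General Settings - Auth Provider'."""
    domain: str
    port: int
    tls: bool
    uri: str

    def forward_auth_lines(self) -> list[str]:
        # tls decides the scheme Caddy uses to reach the auth provider.
        scheme = "https" if self.tls else "http"
        return [
            f"forward_auth {scheme}://{self.domain}:{self.port} {{",
            f"    uri {self.uri}",
            f"    copy_headers {COPY_HEADERS}",
            "}",
        ]


def render_handle(upstream: str, provider: Optional[AuthProvider], forward_auth: bool) -> str:
    """Render one handle block; forward_auth is emitted before reverse_proxy when enabled."""
    lines = ["handle {"]
    if forward_auth and provider is not None:
        lines += ["    " + line for line in provider.forward_auth_lines()]
    lines += [f"    reverse_proxy {upstream} {{", "    }", "}"]
    return "\n".join(lines)


def forward_auth_precedes_proxy(handle_text: str) -> bool:
    """Defender-side check of the ordering invariant: auth must run before proxying."""
    fa = handle_text.find("forward_auth ")
    rp = handle_text.find("reverse_proxy ")
    return rp != -1 and (fa == -1 or fa < rp)


if __name__ == "__main__":
    # Values taken from the example config in the PR description.
    authelia = AuthProvider("authelia", 9001, True, "/api/verify?rd=https://auth.example.com")
    print(render_handle("192.168.1.1:81", authelia, forward_auth=True))
```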