From e5d9d21647459c663f7638809fa3e55de1beeda8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Fri, 6 Jun 2025 17:50:30 +0200
Subject: [PATCH] fix(nginx-authelia): fix authelia integration
---
 modules/nginx-authelia.nix | 58 +++++++++++++++-----------------------
 services/authelia.nix | 2 +-
 2 files changed, 23 insertions(+), 37 deletions(-)
diff --git a/modules/nginx-authelia.nix b/modules/nginx-authelia.nix
index c6662dc..a1f6454 100644
--- a/modules/nginx-authelia.nix
+++ b/modules/nginx-authelia.nix
@@ -9,41 +9,24 @@ let enableAutheliaAuth = lib.mkEnableOption "Enable authelia auth"; }; config = lib.mkIf config.enableAutheliaAuth { - locations."/authelia".extraConfig = '' - set $upstream_authelia http://${cfg.host}:${toString cfg.port}/api/verify; + locations."/authelia" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}/api/verify"; + extraConfig = '' + internal; - ## Essential Proxy Configuration - internal; - proxy_pass $upstream_authelia; - - ## Headers - ## The headers starting with X-* are required. - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Forwarded-Method $request_method; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Content-Length ""; - proxy_set_header Connection ""; - - ## Basic Proxy Configuration - proxy_pass_request_body off; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - client_body_buffer_size 128k; - - ## Advanced Proxy Configuration - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - ''; + ## Headers + ## The headers starting with X-* are required. 
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Forwarded-Method $request_method; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Content-Length ""; + proxy_set_header Connection ""; + ''; + }; locations."/".extraConfig = '' ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /authelia; @@ -51,7 +34,7 @@ let ## Set the $target_url variable based on the original request. ## Requires nginx http_set_misc module. - set_escape_uri $target_url $scheme://$http_host$request_uri; + set $target_url $scheme://$http_host$request_uri; ## Save the upstream response headers from Authelia to variables. auth_request_set $user $upstream_http_remote_user; @@ -66,7 +49,7 @@ let proxy_set_header Remote-Email $email; ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. - error_page 401 =302 https://auth.zx.dev/?rd=$target_url; + error_page 401 =302 https://${cfg.domain}/?rd=$target_url; ''; }; }; @@ -121,6 +104,9 @@ in { options = { services.nginx-authelia = { + domain = lib.mkOption { + type = lib.types.str; + }; host = lib.mkOption { type = lib.types.str; default = "localhost"; diff --git a/services/authelia.nix b/services/authelia.nix index 6209d9f..b707199 100644 --- a/services/authelia.nix +++ b/services/authelia.nix @@ -211,7 +211,7 @@ in ]; services.nginx-authelia = { - inherit port; + inherit domain port; }; services.postgresql = {
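Review bot: The rewritten `locations."/authelia"` block drops `proxy_pass_request_body off;` while still blanking `Content-Length`. The nginx auth_request documentation pairs the two directives, because the authentication subrequest has no body to forward. With only the header cleared, requests that carry a body (POST/PUT) may be verified differently than before, so restore `proxy_pass_request_body off;` inside `extraConfig` or test that case explicitly. `proxy_http_version 1.1;` was also removed although `proxy_set_header Connection "";` stays; confirm the NixOS proxy defaults (not visible here) still supply it. The enclosing `let` binding starts outside the hunk.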
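Review bot: With `set` replacing `set_escape_uri`, `$target_url` reaches `?rd=$target_url` unescaped, so an original request whose query string contains `&` has everything after it parsed as separate parameters of the portal URL instead of as part of `rd`. That changes where the user lands after login and lets the requested URI add parameters to the portal request. If dropping the set_misc dependency is the goal, record that limitation in the comment and confirm the portal's redirect validation handles the truncated value. The comment `## Requires nginx http_set_misc module.` just above the changed line is now stale and should be removed. The `extraConfig` string continues outside the hunk.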
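Review bot: `${cfg.domain}` is spliced verbatim into the `error_page` directive, and the new `domain` option (hunk at -121,6) is a bare `lib.types.str` with no `description` or `example`. A value carrying a scheme, path, whitespace or `;` would therefore produce a broken or unintended nginx directive. Document it, e.g. `description = "Host name of the Authelia portal (no scheme or path); target of the 401 redirect.";`, and consider constraining it with `lib.types.strMatching` on a hostname pattern. In services/authelia.nix, `inherit domain port;` relies on a `domain` binding defined outside the hunk. The previous value was the literal `auth.zx.dev`, so confirm that binding is the portal host and not the parent domain.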