Skip to content

Instantly share code, notes, and snippets.

@userdocs

userdocs/authelia_nginx.md

Last active April 24, 2024 13:20
Show Gist options
  • Star 11 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save userdocs/7634b8a57e803e378b09c18225edd446 to your computer and use it in GitHub Desktop.
Save userdocs/7634b8a57e803e378b09c18225edd446 to your computer and use it in GitHub Desktop.
Download ZIP
A simplified Authelia nginx reverse proxy configuration
Raw
authelia_nginx.md

Nginx

nginx is a reverse proxy supported by Authelia.

Configuration

We will be working with these files.

/etc/nginx/authelia.conf
/etc/nginx/authelia_auth.conf
/etc/nginx/authelia_proxy.conf

Warning: The default configuration below uses the baseurl of /login but this can be changed according to the notes of each conf.

authelia.conf /etc/nginx/authelia.conf

Note: baseurl specific lines for the /etc/nginx/authelia.conf

set $auth_type "/login/api/verify"; # normal auth - This is the default - uncomment the auth type of chocie.
# set $auth_type "/login/api/verify?auth=basic"; # basic auth - uncomment the auth type of chocie.
location /login {
location /login/api/verify {

Create this file /etc/nginx/authelia.conf and populate with this:

set $upstream_authelia http://127.0.0.1:9091; # set the reused upstream proxypass url
set $auth_type "/login/api/verify"; # normal auth
# set $auth_type "/login/api/verify?auth=basic"; # basic auth

location /login {
    proxy_pass $upstream_authelia;
    include /etc/nginx/authelia_proxy.conf;
}

# Virtual endpoint created by nginx to forward auth requests.
location /login/api/verify {
    internal;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia$auth_type;
    proxy_set_header Content-Length "";
    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
    # Provide either X-Original-URL and X-Forwarded-Proto or
    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
    # Those headers will be used by Authelia to deduce the target url of the user.
    #
    # Basic Proxy Config
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-For $remote_addr;
    include /etc/nginx/authelia_proxy.conf;
}

authelia_auth.conf /etc/nginx/authelia_auth.conf

Note: baseurl specific lines for the /etc/nginx/authelia_auth.conf

auth_request /login/api/verify;
error_page 401 =302 https://$http_host/login/?rd=$target_url;

Create this file /etc/nginx/authelia_auth.conf and populate with this:

# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /login/api/verify;
# Set the $(target_url) variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://$http_host/login/?rd=$target_url;

authelia_proxy.conf /etc/nginx/authelia_proxy.conf

Note: There no baseurl specific lines for the /etc/nginx/authelia_proxy.conf

Create this file /etc/nginx/authelia_proxy.conf and populate with this:

client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

Protected Endpoint

location / {
    set $upstream_nextcloud https://nextcloud;
    proxy_pass $upstream_nextcloud;
    include /etc/nginx/authelia_auth.conf; # Activates Authelia for specified route/location, please ensure you have setup the domain in your configuration.yml
}
@RensOliemans
Copy link

Thanks for the gist! How did you install Authelia? I've been struggling this entire day to set it up with my existing nginx configuration. I have the default docker-compose.yml, their lite version, but that doesn't seem to work properly.

@userdocs
Copy link
Author

I don't use docker for this. my nginx is the system debian stable version and i use a binary version of authelia for the host x64_86.

So i cannot say how it applies to to docker but guess that things like set $upstream_authelia http://127.0.0.1:9091; will probably need to be the docker specific and use their internal IP for communication whereas this method configured for the host machine

The rest should be fine to apply in the sense of a template based of their docs (incase anything has been updated)

@RensOliemans
Copy link

Alright makes sense, thanks! I'll figure it out, sometime

@wvxx
Copy link

wvxx commented Dec 4, 2021
edited

@RensOliemans Have you managed to get it running? ;) I have nginx already set up and been thinking about adding authelia without having to set up everything from scratch.

Thanks in advance!

EDIT: Finally got it working, just need to figure out how to integrate my services into it. Thanks for the config @userdocs.

@MrJake222
Copy link

MrJake222 commented Nov 1, 2023
edited

Can't get authelia to work behind /login. It's trying to load some CSS/JS from /. Any suggestions?

FIXED IT
The baseurl bit is important. For any newcomers like me: It means you need to put login into server.path config option in authelia.

@zeusraman
Copy link

Hello All,
I am almost there with my config .. got the auth.domain.com working
but npm.domaind.com and speedtest.domain.com still giving issues

  1. npm.domain.com takes me to npm.domain.com/login but will not log in
  2. speedtest.domain.com takes me to speedtest.domain.com without user/pass
    anyone willing to take a look at config ?

Thanks all

@userdocs
Copy link
Author

userdocs commented Nov 4, 2023

This is probably an Authelia configuration problem. Make sure your config and domains are configured correctly.

https://www.authelia.com/configuration/security/access-control/#domain

Disclaimer: This was not tested with a multi sub domain setup, but I don't think there is much difference. You can always check here https://www.authelia.com/integration/proxies/nginx/ and ask in their support channels.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment