fricloud/server-configs
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

authelia.nginx: add auth proxy headers to shared info

Browse source
This commit is contained in:
eyjhb 2025-01-02 17:18:31 +01:00
parent 9fd8d7b900
commit 5c65f7f922
Signed by: eyjhb
GPG key ID: 609F508E3239F920
4 changed files with 29 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

23
machines/gerd/services/authelia/authelia-nginx.nix
View file

@ -51,10 +51,10 @@ let
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} $user;
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} $groups;
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} $email;
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
@ -77,10 +77,10 @@ let
'';
nginxUnsetAuthHeaders = ''
proxy_set_header Remote-User "";
proxy_set_header Remote-Groups "";
proxy_set_header Remote-Email "";
proxy_set_header Remote-Name "";
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} "";
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} "";
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} "";
proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} "";
'';
in {
mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
@ -91,4 +91,11 @@ in {
mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostLocationConfig) + "\n" + "include ${autheliaRequest};";
};
mine.shared.lib.authelia.protectedHeaders = {
username = "Remote-User";
groups = "Remote-Groups"; # comma separated string of groups
email = "Remote-Email";
name = "Remote-Name";
};
}