From 9fd8d7b900326fa00738ba696d72d2ea616e21d4 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 2 Jan 2025 17:15:18 +0100
Subject: [PATCH] authelia.nginx: unset authelia headers when not used

Prevent someone from impersinating users, by setting the header manually
---
 machines/gerd/services/authelia/authelia-nginx.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/machines/gerd/services/authelia/authelia-nginx.nix b/machines/gerd/services/authelia/authelia-nginx.nix
index b58399a..dce7a9e 100644
--- a/machines/gerd/services/authelia/authelia-nginx.nix
+++ b/machines/gerd/services/authelia/authelia-nginx.nix
@@ -75,9 +75,17 @@ let
 ## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
 error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url;
 '';
+
+ nginxUnsetAuthHeaders = ''
+ proxy_set_header Remote-User "";
+ proxy_set_header Remote-Groups "";
+ proxy_set_header Remote-Email "";
+ proxy_set_header Remote-Name "";
+ '';
 in {
 mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
- extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};";
+ extraConfig = (websiteConfig.extraConfig or "") + "\n" + "include ${autheliaLocation};";
+ locations = lib.mapAttrs (n: v: v // { extraConfig = nginxUnsetAuthHeaders + (v.extraConfig or ""); }) (websiteConfig.locations or {});
 };
 mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
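Review bot: The empty-value `proxy_set_header` lines in `nginxUnsetAuthHeaders` rely on two nginx rules the hunk leaves undocumented: a header whose value is `""` is not passed to the upstream at all, and any `proxy_set_header` inside a location stops inheritance of every server-level `proxy_set_header` directive, so a vhost that sets e.g. `Host` or `X-Forwarded-For` at server level silently loses them in each location this maps over. Please add a comment above the binding such as `# "" makes nginx drop the client-supplied header; NOTE: a location-level proxy_set_header disables inheritance of server-level ones` and, if any server-level headers exist, repeat them here. The scrub also only reaches locations present in `websiteConfig` when `mkProtectedWebsite` is evaluated and only affects `proxy_pass` upstreams; locations merged in from other module definitions, or backends reached via `fastcgi_pass`/`uwsgi_pass`, presumably still see a client-supplied `Remote-User`, which is worth stating in the same comment. Minor: the unused name in `lib.mapAttrs (n: v: ...)` can be written `_: v:`. The `mkProtectedLocation` definition on the last hunk line continues outside the hunk.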