authelia.nginx: unset authelia headers when not used

Prevent someone from impersonating users by setting the header manually
eyjhb 2025-01-02 17:15:18 +01:00
parent 02720387a4
commit 9fd8d7b900
No known key found for this signature in database
GPG key ID: 609F508E3239F920


@ -75,9 +75,17 @@ let
## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url;
'';
nginxUnsetAuthHeaders = ''
proxy_set_header Remote-User "";
proxy_set_header Remote-Groups "";
proxy_set_header Remote-Email "";
proxy_set_header Remote-Name "";
'';
in {
mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};";
extraConfig = (websiteConfig.extraConfig or "") + "\n" + "include ${autheliaLocation};";
locations = lib.mapAttrs (n: v: v // { extraConfig = nginxUnsetAuthHeaders + (v.extraConfig or ""); }) (websiteConfig.locations or {});
};
mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {