Merge pull request #460 from linuxserver/authelia

Initial support for Authelia

Author: aptalca

README.md

@@ -290,6 +290,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **23.05.20:** - Add support for Authelia.
 * **15.05.20:** - Remove `php7-pecl-imagick` due to upstream issues. Add support for `Geoip2` auto db retrieval.
 * **10.05.20:** - Added support for fail2ban deny statements.
 * **04.05.20:** - Allow for optionally setting propagation time for dns plugins. Add repo version of `whois` to replace the built-in busybox version. Update `jail.local` to change default fail2ban ban action to more widely supported `iptables-allports`.

readme-vars.yml

@@ -126,6 +126,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "23.05.20:", desc: "Add support for Authelia." }
   - { date: "15.05.20:", desc: "Remove `php7-pecl-imagick` due to upstream issues. Add support for `Geoip2` auto db retrieval." }
   - { date: "10.05.20:", desc: "Added support for fail2ban deny statements." }
   - { date: "04.05.20:", desc: "Allow for optionally setting propagation time for dns plugins. Add repo version of `whois` to replace the built-in busybox version. Update `jail.local` to change default fail2ban ban action to more widely supported `iptables-allports`." }

root/defaults/authelia-location.conf

@@ -0,0 +1,14 @@
+## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-location.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
+
+auth_request /authelia/api/verify;
+auth_request_set $target_url $scheme://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+#if your authelia is set up with 'path: "authelia"', you don't need to modify anything
+error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
+#if your authelia is set up without a path, comment the line above, uncomment the line below and adjust as necessary
+#error_page 401 =302 https://authelia.YOURDOMAIN.com/?rd=$target_url;

root/defaults/authelia-server.conf

@@ -0,0 +1,48 @@
+## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-server.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+
+location /authelia {
+    include /config/nginx/proxy.conf;
+    resolver 127.0.0.11 valid=30s;
+    set $upstream_authelia authelia;
+    proxy_pass http://$upstream_authelia:9091;
+}
+
+location /authelia/api/verify {
+    internal;
+    resolver 127.0.0.11 valid=30s;
+    set $upstream_authelia authelia;
+    proxy_pass_request_body off;
+    proxy_pass http://$upstream_authelia:9091;
+    proxy_set_header Content-Length "";
+
+    # Timeout if the real server is dead
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+    # Provide either X-Original-URL and X-Forwarded-Proto or
+    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+    # Those headers will be used by Authelia to deduce the target url of the user.
+    # Basic Proxy Config
+    client_body_buffer_size 128k;
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr; 
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+
+    # Advanced Proxy Config
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

root/defaults/default

@@ -1,4 +1,4 @@
-## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
+## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
 
 # redirect all traffic to https
 server {
@@ -27,6 +27,9 @@ server {
 	# enable for ldap auth
 	#include /config/nginx/ldap.conf;
 
+	# enable for Authelia
+	#include /config/nginx/authelia-server.conf;
+
 	client_max_body_size 0;
 
 	location / {
@@ -107,6 +110,37 @@ server {
 #	}
 #}
 
+# sample reverse proxy config for "heimdall" via subdomain, with Authelia
+# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+#	listen 443 ssl http2;
+#	listen [::]:443 ssl http2;
+#
+#	root /config/www;
+#	index index.html index.htm index.php;
+#
+#	server_name heimdall.*;
+#
+#	include /config/nginx/ssl.conf;
+#
+#	include /config/nginx/authelia-server.conf;
+#
+#	client_max_body_size 0;
+#
+#	location / {
+#		# the next line will enable Authelia along with the included authelia-server.conf in the server block
+#		include /config/nginx/authelia-location.conf;
+#
+#		include /config/nginx/proxy.conf;
+#		resolver 127.0.0.11 valid=30s;
+#		set $upstream_app heimdall;
+#		set $upstream_port 443;
+#		set $upstream_proto https;
+#		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#	}
+#}
+
 # enable subdomain method reverse proxy confs
 include /config/nginx/proxy-confs/*.subdomain.conf;
 # enable proxy cache for auth

root/etc/cont-init.d/50-config

@@ -74,6 +74,10 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 	cp /defaults/ssl.conf /config/nginx/ssl.conf
 [[ ! -f /config/nginx/ldap.conf ]] && \
 	cp /defaults/ldap.conf /config/nginx/ldap.conf
+[[ ! -f /config/nginx/authelia-server.conf ]] && \
+	cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
+[[ ! -f /config/nginx/authelia-location.conf ]] && \
+	cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
 
 # check to make sure DNSPLUGIN is selected if dns validation is used
 [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|cloudflare|cloudxns|cpanel|digitalocean|dnsimple|dnsmadeeasy|domeneshop|gandi|google|inwx|linode|luadns|nsone|ovh|rfc2136|route53|transip)$ ]] && \