From 95b73daa36b23565a8566f71f9b202d3459b685f Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 25 Jun 2023 09:52:36 -0400
Subject: Initial Commit
---
 data/authelia/authelia-authrequest.conf | 25 +++
 data/authelia/authelia-location.conf | 36 ++++
 data/authelia/authelia.conf | 61 +++++++
 data/authelia/configuration.yml | 300 ++++++++++++++++++++++++++++++++
 data/authelia/proxy.conf | 35 ++++
 5 files changed, 457 insertions(+)
 create mode 100644 data/authelia/authelia-authrequest.conf
 create mode 100644 data/authelia/authelia-location.conf
 create mode 100644 data/authelia/authelia.conf
 create mode 100644 data/authelia/configuration.yml
 create mode 100644 data/authelia/proxy.conf
(limited to 'data/authelia')
diff --git a/data/authelia/authelia-authrequest.conf b/data/authelia/authelia-authrequest.conf
new file mode 100644
index 0000000..8d629bf
--- /dev/null
+++ b/data/authelia/authelia-authrequest.conf
@@ -0,0 +1,25 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /authelia;
+
+## Set the $target_url variable based on the original request.
+
+## Comment this line if you're using nginx without the http_set_misc module.
+#set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Uncomment this line if you're using NGINX without the http_set_misc module.
+set $target_url $scheme://$http_host$request_uri;
+
+## Save the upstream response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 =302 https://auth.chudnick.com/?rd=$target_url;
diff --git a/data/authelia/authelia-location.conf b/data/authelia/authelia-location.conf
new file mode 100644
index 0000000..43504e9
--- /dev/null
+++ b/data/authelia/authelia-location.conf
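Review bot: `$target_url` is interpolated into the `rd=` parameter of the `error_page 401 =302` redirect without URL encoding, because the `set_escape_uri` alternative is left commented out, so a `$request_uri` containing `?`, `&` or `#` corrupts or truncates the return target after login. If the nginx build has the set_misc module, activate `set_escape_uri $target_url $scheme://$http_host$request_uri;` and comment out the plain `set`; otherwise record the limitation next to `set $target_url`, e.g. `## NOTE: not URL-encoded; a request URI containing '&' or '#' will not round-trip through rd=`. The `Remote-*` headers are unconditionally overwritten from the subrequest variables, which is the right shape — it is worth a comment that this is what prevents a client-supplied `Remote-User` from reaching the backend.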
@@ -0,0 +1,36 @@
+set $upstream_authelia http://127.0.0.1:9091/api/verify;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+ ## Essential Proxy Configuration
+ internal;
+ proxy_pass $upstream_authelia;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
diff --git a/data/authelia/authelia.conf b/data/authelia/authelia.conf
new file mode 100644
index 0000000..5f3a573
--- /dev/null
+++ b/data/authelia/authelia.conf
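Review bot: The subrequest target `http://127.0.0.1:9091/api/verify` is Authelia's legacy verification endpoint; if the deployed Authelia is 4.38 or newer, the documented nginx target is `/api/authz/auth-request` and `/api/verify` is deprecated there, so the Authelia version this file is written against is worth pinning in a comment on the `set $upstream_authelia` line. The file opens with a server-level `set` and then a `location` block, so it only works when included at server context; a first-line comment such as `## Include from a server {} block, not from a location {}.` would prevent a misplaced include.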
@@ -0,0 +1,61 @@
+server {
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/chudnick.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/chudnick.com/privkey.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ server_name auth.chudnick.com;
+
+ location / {
+ ## Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ client_body_buffer_size 128k;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ ## Trusted Proxies Configuration
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:9091;
+ }
+
+ location /metrics {
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:9959;
+ }
+
+ location /api/verify {
+ proxy_pass http://127.0.0.1:9091;
+ }
+
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name auth.chudnick.com;
+ return 301 https://$host$request_uri;
+}
+
diff --git a/data/authelia/configuration.yml b/data/authelia/configuration.yml
new file mode 100644
index 0000000..c4fc923
--- /dev/null
+++ b/data/authelia/configuration.yml
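Review bot: `location /metrics` exposes Authelia's Prometheus exporter (port 9959) on the public TLS vhost with no access restriction, and the access-control rules in configuration.yml set `auth.chudnick.com` to `bypass`, so the metrics are readable by anyone who can reach the host. Restrict the block to the scraper, e.g. `allow 192.168.20.32; deny all;` (the address the YAML rules treat as the monitoring server), or drop the location and scrape 9959 over the internal network only. `location /api/verify` proxies to the same upstream as `location /` but, being the longer prefix, wins for that path and forwards none of the `Host`/`X-Forwarded-*` headers, so it is best removed. Within `location /`, `proxy_set_header Host $host;` is declared twice, and `real_ip_header`/`real_ip_recursive` do nothing without a `set_real_ip_from` — which is the safe outcome at the edge, but deserves a comment so nobody assumes forwarded addresses are trusted.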
@@ -0,0 +1,300 @@
+theme: dark
+default_redirection_url: https://auth.chudnick.com
+
+server:
+ host: 0.0.0.0
+ port: 9091
+ read_buffer_size: 10485760
+
+log:
+ level: info
+ keep_stdout: true
+
+authentication_backend:
+ password_reset:
+ disable: true
+ ldap:
+ implementation: freeipa
+ url: ldap://192.168.20.20
+ timeout: 5s
+ start_tls: false
+ base_dn: DC=home,DC=local
+ user: UID=authelia,CN=users,CN=accounts,DC=home,DC=local
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain: auth.chudnick.com
+ policy: bypass
+
+ # bypass subsonic api endpoint
+ - domain: "music.chudnick.com"
+ resources: "^/rest/.*$"
+ policy: bypass
+
+ # bypass metrics endpoint for monitoring server
+ - domain: "music.chudnick.com"
+ resources: "^/metrics$"
+ networks:
+ - '192.168.20.32'
+ policy: bypass
+
+ - domain: "music.chudnick.com"
+ policy: one_factor
+
+ # bypass mobile client api
+ - domain: "rss.chudnick.com"
+ resources: "/api/.*$"
+ policy: bypass
+
+ - domain: "rss.chudnick.com"
+ resources:
+ - "/"
+ - "/i/.*$"
+ policy: one_factor
+
+ - domain: "invidious.chudnick.com"
+ policy: one_factor
+
+ # bypass grafana connection to prometheus
+ - domain: "monitoring.chudnick.com"
+ resources: "^/prometheus/api.*"
+ networks:
+ - '127.0.0.1'
+ - '192.168.20.32'
+ policy: bypass
+
+ - domain: "monitoring.chudnick.com"
+ resources: "^/prometheus.*"
+ policy: one_factor
+
+ # bypass metrics endpoint for monitoring server
+ - domain: "cadvisor.chudnick.com"
+ resources: "/metrics"
+ networks:
+ - '192.168.20.32'
+ policy: bypass
+
+ - domain: "cadvisor.chudnick.com"
+ policy: one_factor
+
+ - domain: "drawio.chudnick.com"
+ policy: one_factor
+
+ # bypass grafana connection to loki
+ - domain: "logs.chudnick.com"
+ networks:
+ - '127.0.0.1'
+ - '192.168.20.32'
+ policy: bypass
+
+ # bypass loki log push
+ - domain: "logs.chudnick.com"
+ resources: "/loki/api/v1/push"
+ policy: bypass
+
+ - domain: "logs.chudnick.com"
+ policy: one_factor
+
+ - domain: 
"dashboard.chudnick.com" + policy: one_factor + + - domain: "photos.chudnick.com" + policy: one_factor + + - domain: "qbittorrent.chudnick.com" + policy: one_factor + + - domain: "sonarr.chudnick.com" + policy: one_factor + + - domain: "radarr.chudnick.com" + policy: one_factor + + - domain: "lidarr.chudnick.com" + policy: one_factor + + - domain: "readarr.chudnick.com" + policy: one_factor + + - domain: "prowlarr.chudnick.com" + policy: one_factor + + - domain: "weather.chudnick.com" + policy: one_factor + + - domain: "gpt.chudnick.com" + policy: one_factor + + - domain: "tasks.chudnick.com" + policy: one_factor + + - domain: "finances.chudnick.com" + policy: one_factor + + - domain: "finimporter.chudnick.com" + policy: one_factor + + - domain: "homeassistant.chudnick.com" + policy: one_factor + + - domain: "vaultwarden.chudnick.com" + resources: "^/admin.*$" + subject: 'group:vaultwarden-admins' + policy: two_factor + +totp: + issuer: auth.chudnick.com + algorithm: sha1 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 + +session: + name: authelia_session + expiration: 3600 + inactivity: 300 + domain: "chudnick.com" + + redis: + host: redis_authelia + port: 6379 + +regulation: + max_retries: 3 + find_time: 120 + ban_time: 300 + +storage: + local: + path: /config/db.sqlite3 + +telemetry: + metrics: + enabled: true + address: "tcp://0.0.0.0:9959" + buffers: + read: 4096 + write: 4096 + timeouts: + read: 2s + write: 2s + idle: 30s + +notifier: + disable_startup_check: false + smtp: + host: mail.chudnick.com + port: 465 + timeout: 5s + username: authelia + sender: "Authelia " + identifier: "auth.chudnick.com" + subject: "[Authelia] {title}" + startup_check_address: "sam@chudnick.com" + +ntp: + address: "netservices.home.local:123" + +identity_providers: + oidc: + clients: + - id: gitea + description: gitea + secret: '$plaintext${{ gitea_client_secret }}' + public: false + authorization_policy: one_factor + redirect_uris: + - 
https://gitea.chudnick.com/user/oauth2/authelia/callback
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ userinfo_signing_algorithm: none
+ pre_configured_consent_duration: 4w
+ grant_types:
+ - refresh_token
+ - authorization_code
+ response_types:
+ - code
+ response_modes:
+ - form_post
+ - query
+ - fragment
+
+ - id: grafana
+ description: grafana
+ secret: '$plaintext${{ grafana_client_secret }}'
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 4w
+ redirect_uris:
+ - https://monitoring.chudnick.com/grafana/login/generic_oauth
+ scopes:
+ - openid
+ - profile
+ - groups
+ - email
+ userinfo_signing_algorithm: none
+
+ - id: nextcloud
+ description: NextCloud
+ secret: '$plaintext${{ nextcloud_client_secret }}'
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 4w
+ redirect_uris:
+ - https://nextcloud.chudnick.com/apps/oidc_login/oidc
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ userinfo_signing_algorithm: none
+
+ - id: jenkins
+ description: Jenkins
+ secret: '$plaintext${{ jenkins_client_secret }}'
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 4w
+ redirect_uris:
+ - https://jenkins.chudnick.com/securityRealm/finishLogin
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ - offline_access
+ userinfo_signing_algorithm: none
+
+ - id: jellyfin
+ description: jellyfin
+ secret: '$plaintext${{ jellyfin_client_secret }}'
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 4w
+ redirect_uris:
+ - https://jellyfin.chudnick.com/sso/OID/r/authelia
+ scopes:
+ - openid
+ - groups
+ - profile
+ userinfo_signing_algorithm: none
+
+ - id: bookstack
+ description: bookstack
+ secret: '$plaintext${{ bookstack_client_secret }}'
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 4w
+ redirect_uris:
+ - https://wiki.chudnick.com/oidc/callback
+ scopes:
+ - openid
+ - groups 
+ - profile
+ - email
+ userinfo_signing_algorithm: none
diff --git a/data/authelia/proxy.conf b/data/authelia/proxy.conf
new file mode 100644
index 0000000..4098bb2
--- /dev/null
+++ b/data/authelia/proxy.conf
@@ -0,0 +1,35 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Connection "";
+
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+## Trusted Proxies Configuration
+## Please read the following documentation before configuring this:
+## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+# set_real_ip_from 10.0.0.0/8;
+# set_real_ip_from 172.16.0.0/12;
+# set_real_ip_from 192.168.0.0/16;
+# set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
--
cgit v1.2.3
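Review bot: The LDAP backend is configured as `url: ldap://192.168.20.20` with `start_tls: false`, so the bind credentials for `UID=authelia,...` and every user password Authelia verifies cross the network in cleartext; switch to `url: ldaps://192.168.20.20` or set `start_tls: true` before this goes live. The `rss.chudnick.com` bypass uses `resources: "/api/.*$"` and the cadvisor bypass `"/metrics"`, neither anchored with `^` like the other rules, so they match that substring anywhere in the request path rather than only at its start; because these bypass rules sit before the `one_factor` rules for the same domains and the first match wins, anchor them as `"^/api/.*$"` and `"^/metrics$"`. Every OIDC client secret is stored in `$plaintext$` form; Authelia accepts a PBKDF2 or argon2 hash (`authelia crypto hash generate`) for confidential clients, which keeps the secret out of this file and its templated variables. `telemetry.metrics.address: "tcp://0.0.0.0:9959"` listens on all interfaces while the nginx side only reaches it via 127.0.0.1, so unless the container network requires it, bind to localhost. The secrets absent here (session, JWT, storage encryption key, LDAP and SMTP passwords) are presumably injected through the environment, which is fine but deserves a one-line comment at the top of the file so a reader does not take the file as complete.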
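Review bot: `real_ip_header X-Forwarded-For;` and `real_ip_recursive on;` are active while every `set_real_ip_from` is commented out, so nginx trusts no upstream proxy and `$remote_addr` remains the TCP peer — the right default when nginx is the edge, but a reader will assume forwarded addresses are honoured. Say so where it applies, e.g. `## No set_real_ip_from is active, so the two directives below are inert until one is uncommented.`. `authelia.conf`'s `location /` repeats this file almost line for line; including `proxy.conf` there instead would keep the two copies from drifting apart.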