mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
This commit is contained in:
parent
5b98b4d090
commit
607f829431
|
@ -62,7 +62,7 @@ backend upon successful authentication, for example:
|
||||||
### Secure Authelia with TLS
|
### Secure Authelia with TLS
|
||||||
There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends.
|
There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends.
|
||||||
If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
|
If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
|
||||||
This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexbility with regard
|
This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexibility with regard
|
||||||
to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
|
to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
|
||||||
|
|
||||||
#### Configuration
|
#### Configuration
|
||||||
|
@ -98,7 +98,6 @@ frontend fe_http
|
||||||
http-request set-header X-Real-IP %[src]
|
http-request set-header X-Real-IP %[src]
|
||||||
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
||||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||||
http-request add-header X-Forwarded-Port %[dst_port]
|
|
||||||
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
||||||
|
|
||||||
# Protect endpoints with haproxy-auth-request and Authelia
|
# Protect endpoints with haproxy-auth-request and Authelia
|
||||||
|
@ -155,7 +154,6 @@ frontend fe_http
|
||||||
http-request set-header X-Real-IP %[src]
|
http-request set-header X-Real-IP %[src]
|
||||||
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
||||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||||
http-request add-header X-Forwarded-Port %[dst_port]
|
|
||||||
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
||||||
|
|
||||||
# Protect endpoints with haproxy-auth-request and Authelia
|
# Protect endpoints with haproxy-auth-request and Authelia
|
||||||
|
|
|
@ -20,10 +20,10 @@ frontend fe_api
|
||||||
frontend fe_http
|
frontend fe_http
|
||||||
bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
|
bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
|
||||||
|
|
||||||
acl host-authelia-portal hdr(host) -i login.example.com:8080
|
|
||||||
acl api-path path_beg -i /api
|
acl api-path path_beg -i /api
|
||||||
|
acl headers-path path -i -m end /headers
|
||||||
|
acl host-authelia-portal hdr(host) -i login.example.com:8080
|
||||||
acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
|
acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
|
||||||
acl is_headers path -i -m end /headers
|
|
||||||
|
|
||||||
http-request set-var(req.scheme) str(https) if { ssl_fc }
|
http-request set-var(req.scheme) str(https) if { ssl_fc }
|
||||||
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
|
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
|
||||||
|
@ -32,7 +32,6 @@ frontend fe_http
|
||||||
http-request set-header X-Real-IP %[src]
|
http-request set-header X-Real-IP %[src]
|
||||||
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
|
||||||
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
|
||||||
http-request add-header X-Forwarded-Port %[dst_port]
|
|
||||||
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
|
||||||
|
|
||||||
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script
|
# be_auth_request is used to make HAProxy do the TLS termination since the Lua script
|
||||||
|
@ -43,12 +42,9 @@ frontend fe_http
|
||||||
|
|
||||||
use_backend be_authelia if host-authelia-portal api-path
|
use_backend be_authelia if host-authelia-portal api-path
|
||||||
use_backend fe_authelia if host-authelia-portal !api-path
|
use_backend fe_authelia if host-authelia-portal !api-path
|
||||||
use_backend be_httpbin if protected-frontends is_headers
|
use_backend be_httpbin if protected-frontends headers-path
|
||||||
use_backend be_protected if protected-frontends
|
|
||||||
use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
|
use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
|
||||||
|
use_backend be_protected if protected-frontends
|
||||||
backend be_authelia
|
|
||||||
server authelia-backend authelia-backend:9091 ssl verify none
|
|
||||||
|
|
||||||
backend be_auth_request
|
backend be_auth_request
|
||||||
mode http
|
mode http
|
||||||
|
@ -59,19 +55,22 @@ listen be_auth_request_proxy
|
||||||
bind 127.0.0.1:8085
|
bind 127.0.0.1:8085
|
||||||
server authelia-backend authelia-backend:9091 ssl verify none
|
server authelia-backend authelia-backend:9091 ssl verify none
|
||||||
|
|
||||||
|
backend be_authelia
|
||||||
|
server authelia-backend authelia-backend:9091 ssl verify none
|
||||||
|
|
||||||
backend fe_authelia
|
backend fe_authelia
|
||||||
server authelia-frontend authelia-frontend:3000
|
server authelia-frontend authelia-frontend:3000
|
||||||
|
|
||||||
backend be_mail
|
|
||||||
server smtp-backend smtp:1080
|
|
||||||
|
|
||||||
backend be_protected
|
|
||||||
server nginx-backend nginx-backend:80
|
|
||||||
|
|
||||||
backend be_httpbin
|
backend be_httpbin
|
||||||
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
|
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
|
||||||
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
|
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
|
||||||
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
|
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
|
||||||
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
|
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
|
||||||
|
|
||||||
server httpbin-backend httpbin:8000
|
server httpbin-backend httpbin:8000
|
||||||
|
|
||||||
|
backend be_mail
|
||||||
|
server smtp-backend smtp:1080
|
||||||
|
|
||||||
|
backend be_protected
|
||||||
|
server nginx-backend nginx-backend:80
|
Loading…
Reference in New Issue
Block a user