Commit Graph

24 Commits

Author SHA1 Message Date
Clement Michaud
6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud
a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud
bbbffaa3ae Split nginx service into portal, backend and authelia services
This setup is closer to real production infrastructure.
2017-11-03 00:20:10 +01:00
Clement Michaud
009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud
6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud
22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud
99b04809a5 Provide information about fake webmail in home page of example 2017-10-31 07:27:23 +01:00
Clement Michaud
056565a968 Add X-Frame-Options header to avoid ability to embed websites in iframes 2017-10-16 20:56:26 +02:00
Clement Michaud
f523e5335f Use HSTS in example 2017-10-16 20:56:26 +02:00
Clement Michaud
92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clement Michaud
8cf58d7b31 Add tests on headers forwarded to backend
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
Clement Michaud
c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud
4cbf6efa42 Disable second factor for certain subdomain 2017-09-26 23:09:33 +02:00
Clément Michaud
7a2b45a66f Merge pull request #95 from clems4ever/acl-by-resources
Refine access control with per resource ACLs
2017-09-24 21:54:18 +02:00
Clement Michaud
cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud
e48b196f38 Add Content-Length header to the forwarded request to Authelia
It seems nginx is closing the connection for some backends if
`proxy_set_header Content-Length "";` is not added to the
verification endpoint.
2017-09-23 18:02:21 +02:00
Clement Michaud
d005b83365 Set headers values Remote-User and Remote-Groups in /verify response 2017-09-22 21:25:15 +02:00
Clement Michaud
7128970a53 Add redirection URL as a query parameter during authentication
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
2017-09-22 17:53:18 +02:00
Clement Michaud
928209dc98 Fix redirection after authentication and error page when accessing restricted pages 2017-08-03 00:41:13 +02:00
Clement Michaud
c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00
Clement Michaud
24d4176a39 Secret page contains a link with wrong port to redirect the user to home page 2017-07-19 00:35:55 +02:00
Clement Michaud
6d5fc84693 Add an icon to the webpages of example 2017-07-16 16:19:44 +02:00
Clement Michaud
8f152d2328 Fix example environment 2017-07-14 19:05:42 +02:00
Clement Michaud
e56c2492ed Fix integration test and package Travis scripts 2017-06-29 13:09:08 +02:00