
Re: dynamically redirect auth_request

September 19, 2023 05:26PM
Figured it out

using lua-resty-http.

I created a simple Lua script which checks both URIs and returns the
correct URL for the active one:

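local http = require "resty.http"
local httpc = http.new()
-- Probe the first Authelia server; res1 is nil (and err1 is set) if the request fails.
local res1, err1 = httpc:request_uri("https://authelia1.domain.net", {
    method = "GET",
    keepalive_timeout = 60000,
    keepalive_pool = 10,
    ssl_verify = false  -- the server certificate is not verified for this probe
})
if res1 and res1.status == 200 then
    ngx.var.authelia_uri = 'https://authelia1.domain.net'
else
    -- First server is unreachable or did not return 200: try the second one.
    local res2, err2 = httpc:request_uri("https://authelia2.domain.net", {
        method = "GET",
        keepalive_timeout = 60000,
        keepalive_pool = 10,
        ssl_verify = false  -- the server certificate is not verified for this probe
    })
    if res2 and res2.status == 200 then
        ngx.var.authelia_uri = 'https://authelia2.domain.net'
    end
end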

Then in my nginx config I have:

server {
    location / {
        # Filled in by the Lua health check during the rewrite phase.
        set $authelia_uri "";
        rewrite_by_lua_file /etc/nginx/health_check.lua;
        add_header X-Authelia-Uri "$authelia_uri"; # just for debugging

        auth_request /authelia;
        error_page 401 =302 $authelia_uri/?rd=$target_url;
    }
    set $upstream_authelia $authelia_uri/api/verify;
}

With this my app is protected with the active authelia server.

Not sure if it is the best setup, but it works.

Thanks

On Tue, Sep 19, 2023 at 11:06 AM Dave Macias <davama@gmail.com> wrote:

> Hello,
>
> Hope you are doing well.
> We currently use Authelia to authenticate users but want to add a
> redundant Authelia server so that users can continue to access the content.
>
> Put simply our current nginx config is:
>
> server {
>     location / {
>         auth_request /authelia;
>         error_page 401 =302 https://authelia1.domain.net/?rd=$target_url;
>     }
>     set $upstream_authelia https://authelia1.domain.net/api/verify;
>     location /authelia {
>         internal;
>         proxy_pass $upstream_authelia;
>     }
> }
>
> Things I have tried:
>
> With lua-resty-upstream-healthcheck
> https://github.com/openresty/lua-resty-upstream-healthcheck and the
> below upstream:
>
> upstream authelia_cluster {
>     least_conn;
>     server authelia1.domain.net:443;
>     server authelia2.domain:443 backup;
>     keepalive 60;
> }
>
> With this I am able to dynamically render content based on the available
> upstream authelia server but cannot translate that to authentication with
> `auth_request`.
>
> location /test {
>     proxy_pass https://authelia_cluster/metrics;
> }
>
> My guess as to the simplest solution is to dynamically set the
> upstream_authelia variable and the error_page setting based on
> the available upstream authelia_cluster server, but I am not sure how.
>
> Any input is much appreciated!
>
> Best,
> Dave
>
>
>
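
A more defensive variant of the health-check script from the reply above, as an added example that is not part of the original post: it verifies the Authelia certificate, handles a failed probe (nil response), caches the result briefly so not every request probes both servers, and returns 503 when neither server answers. The shared dict name `authelia_health`, the 5-second TTL, the timeouts and the CA bundle path are assumptions.

```lua
-- /etc/nginx/health_check.lua (added example; run by rewrite_by_lua_file)
-- Assumes in the http{} block (names and path are hypothetical):
--   lua_shared_dict authelia_health 1m;
--   lua_ssl_trusted_certificate /path/to/ca-bundle.pem;
local http = require "resty.http"

local CANDIDATES = {                -- probed in order of preference
    "https://authelia1.domain.net",
    "https://authelia2.domain.net",
}
local CACHE_KEY = "active_uri"
local CACHE_TTL = 5                 -- seconds; constructed value
local cache = ngx.shared.authelia_health

-- Returns true only when the probe completed and answered 200.
local function is_up(uri)
    local httpc = http.new()
    httpc:set_timeouts(1000, 1000, 2000)   -- connect, send, read (ms)
    local res, err = httpc:request_uri(uri, {
        method = "GET",
        ssl_verify = true,          -- reject a server with an untrusted certificate
    })
    if not res then                 -- connection or TLS failure: res is nil, err is set
        ngx.log(ngx.WARN, "authelia probe failed for ", uri, ": ", err)
        return false
    end
    return res.status == 200
end

-- Returns the first healthy URI, using the cached answer while it is fresh.
local function pick_active()
    local cached = cache and cache:get(CACHE_KEY)
    if cached then
        return cached
    end
    for _, uri in ipairs(CANDIDATES) do
        if is_up(uri) then
            if cache then cache:set(CACHE_KEY, uri, CACHE_TTL) end
            return uri
        end
    end
    return nil
end

local active = pick_active()
if not active then
    -- No server answered: stop here instead of continuing with an empty $authelia_uri.
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
ngx.var.authelia_uri = active
```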