The Single Sign-On Multi-Factor portal for web apps

Overview


Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies like nginx, Traefik or HAProxy to let them know whether requests should either be allowed or redirected to Authelia's portal for authentication.

Documentation is available at https://www.authelia.com/docs.

The following is a simple diagram of the architecture:

Authelia can be installed as a standalone service from the AUR, APT, FreeBSD Ports, or using a Static binary, .deb package, Docker or Kubernetes either manually or via the Helm Chart (beta) leveraging ingress controllers and ingress configurations.

Here is what Authelia's portal looks like:

Features summary

This is a list of the key features of Authelia:

For more details about the features, follow Features.

If you want to know more about the roadmap, follow Roadmap.

Proxy support

Authelia works in combination with nginx, Traefik or HAProxy. It can be deployed on bare metal with Docker or on top of Kubernetes.
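The paragraphs above describe the companion model without spelling out the subrequest contract between the proxy and the portal. The following is an added example, not Authelia's own code, of a minimal forward-auth verify endpoint in Go. The type and function names (`Verifier`, `Rule`, `Session`, `NewExampleVerifier`), the `example.com` rule set and the in-memory session map are all constructed for illustration; the real server's internals differ. It goes a little beyond the text in two places a practitioner cares about: a network-restricted `bypass` rule is never satisfied when the proxy omits `X-Forwarded-For` (compare the HAProxy issue further down this page), and a client that does not accept HTML gets a plain 401 instead of a redirect to the portal.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Policy doubles as the number of completed factors a session needs; Deny is special-cased.
type Policy int

const Bypass, OneFactor, TwoFactor, Deny Policy = 0, 1, 2, 3

type Rule struct { // one access_control entry; a nil Network means any client address
	Domain  string
	Policy  Policy
	Network *net.IPNet
}

type Session struct { // the user behind a cookie and how many factors they completed
	User, Groups string
	Level        int
}

type Verifier struct { // hypothetical forward-auth endpoint; Sessions stands in for a real store
	PortalURL, CookieName string
	Rules                 []Rule
	Sessions              map[string]Session
}

// policyFor applies the first matching rule, denying by default. A network-restricted rule never matches
// an unknown client address, so a proxy that drops X-Forwarded-For falls through to the stricter rule.
func (v *Verifier) policyFor(host string, ip net.IP) Policy {
	for _, r := range v.Rules {
		if ok, _ := path.Match(r.Domain, host); !ok { // '*' spans dots: *.x.com matches a.b.x.com
			continue
		}
		if r.Network == nil || (ip != nil && r.Network.Contains(ip)) {
			return r.Policy
		}
	}
	return Deny
}

// ServeHTTP is the subrequest contract: the proxy forwards the original request's scheme, host, URI
// and client address in X-Forwarded-* headers and acts on the status code it gets back.
func (v *Verifier) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	proto, host := r.Header.Get("X-Forwarded-Proto"), r.Header.Get("X-Forwarded-Host")
	var ip net.IP // first X-Forwarded-For entry; stays nil when the proxy sent none
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		ip = net.ParseIP(strings.TrimSpace(strings.Split(xff, ",")[0]))
	}
	policy := v.policyFor(host, ip)
	if proto == "" || host == "" || policy == Deny { // malformed subrequest or no matching rule
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var sess Session
	if c, err := r.Cookie(v.CookieName); err == nil {
		sess = v.Sessions[c.Value]
	}
	if sess.Level < int(policy) {
		rd := url.QueryEscape(proto + "://" + host + r.Header.Get("X-Forwarded-Uri"))
		if strings.Contains(r.Header.Get("Accept"), "text/html") {
			http.Redirect(w, r, v.PortalURL+"/?rd="+rd, http.StatusFound) // browser: go to the portal
		} else {
			w.WriteHeader(http.StatusUnauthorized) // API client: plain 401
		}
		return
	}
	if sess.User != "" { // identity headers the proxy may copy to the backend
		w.Header().Set("Remote-User", sess.User)
		w.Header().Set("Remote-Groups", sess.Groups)
	}
	w.WriteHeader(http.StatusOK)
}

// NewExampleVerifier is a constructed configuration modelled on the access_control block in the Traefik issue further down.
func NewExampleVerifier() *Verifier {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8")
	return &Verifier{
		PortalURL: "https://auth.example.com", CookieName: "authelia_session",
		Rules: []Rule{
			{Domain: "auth.example.com", Policy: Bypass},
			{Domain: "*.example.com", Policy: Bypass, Network: lan}, // LAN-only bypass
			{Domain: "*.example.com", Policy: TwoFactor},
		},
		Sessions: map[string]Session{ // constructed sessions with one and two completed factors
			"s1": {User: "alice", Groups: "users", Level: 1},
			"s2": {User: "alice", Groups: "users,admins", Level: 2},
		},
	}
}

func main() {
	http.ListenAndServe("127.0.0.1:9091", NewExampleVerifier()) // point the proxy's auth subrequest here
}
```

Two design points carry over to a real deployment: the endpoint trusts `X-Forwarded-*` only because the proxy is the sole party that can reach it, so it must not be exposed directly; and the first-match rule order matters, since a network-restricted bypass placed after the general `two_factor` rule would never be reached.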

Help Wanted: Assistance would be appreciated in getting Authelia working with Caddy and Envoy.

Getting Started

docker-compose

The docker-compose bundles act as a starting point for anyone wanting to see Authelia in action. You will have to customize them to your needs as they come with self-signed certificates.

Local

The Local compose bundle is intended to test Authelia without worrying about configuration. It is meant for scenarios where the server is not exposed to the internet. Domains are defined in the local hosts file and self-signed certificates are utilised.

Lite

The Lite compose bundle is intended for scenarios where the server will be exposed to the internet; domains and DNS will need to be set up accordingly and certificates will be generated through LetsEncrypt. The Lite element refers to minimal external dependencies: file-based user storage and SQLite-based configuration storage. In this configuration, the service will not scale well.

Full

The Full compose bundle is intended for scenarios where the server will be exposed to the internet; domains and DNS will need to be set up accordingly and certificates will be generated through LetsEncrypt. The Full element refers to a scalable setup which includes external dependencies: LDAP-based user storage and database-based configuration storage (MariaDB, MySQL or Postgres).

Deployment

Now that you have tested Authelia and you want to try it out in your own infrastructure, you can learn how to deploy and use it with Deployment. This guide will show you how to deploy it on bare metal as well as on Kubernetes.

Security

Authelia takes security very seriously. If you discover a vulnerability in Authelia, please see our Security Policy.

For more information about security related matters, please read the documentation.

Contact Options

Several contact options exist for our community, the primary one being Matrix. These are in addition to GitHub issues for creating a new issue.

Matrix

Community members are invited to join the Matrix Space which includes both the Support Room and the Contributing Room.

  • The core team members are identified as administrators in the Space and individual Rooms.
  • All channels are linked to Discord.

Discord

Community members are invited to join the Discord Server.

Email

You can contact the core team by email via [email protected]. Please note the [email protected] is also available but is strictly reserved for security related matters.

Breaking changes

Since Authelia is still under active development, it is subject to breaking changes. It is recommended to pin a version tag instead of using the latest tag and to read the release notes before upgrading. This is where you will find information about breaking changes and what you should do to overcome said changes.

Why Open Source?

You might wonder why Authelia is open source while it adds a great deal of security and user experience to your infrastructure at zero cost. It is open source because we firmly believe that security should be available for all to benefit in the face of the battlefield which is the Internet, with near zero effort.

Additionally, keeping the code open source is a way to leave it auditable by anyone who is willing to contribute. This way, you can be confident that the product remains secure and does not act maliciously.

It is important to keep in mind that Authelia is not directly exposed on the Internet (your reverse proxies are); however, it is still the control plane for your internal security, so take care of it!

Contribute

If you want to contribute to Authelia, please read our contribution guidelines.

Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either Matrix or Discord and start contributing too.

Thanks go to these wonderful people (emoji key):


  • Clément Michaud: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • Amir Zarrinkafsh: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • James Elliott: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • Antoine Favre: 🐛 🤔
  • BankaiNoJutsu: 💻 🎨
  • Philipp Rintz: 📖
  • Callan Bryant: 💻 📖
  • Ian: 💻
  • FrozenDragoon: 💻
  • vdot0x23: 💻
  • alexw1982: 📖
  • Sohalt: 💻 📖
  • Stoica Tedy: 💻
  • Dylan Smith: 💻
  • Lukas Klass: 📖
  • Philipp Staiger: 💻 📖 ⚠️
  • James Hodgkinson: 📖
  • Chris Smith: 📖
  • Mihály: 📖
  • Silver Bullet: 📖
  • Paul Williams: 💻 ⚠️
  • Timo: 📖
  • Andrew Kliskey: 📖
  • Kristof Mattei: 📖
  • ZMiguel Valdiviesso: 📖
  • akusei: 💻 📖
  • Daniel Miller: 📖
  • Dustin Sweigart: 💻 📖 ⚠️
  • Shawn Haggard: 💻 ⚠️
  • Kevyn Bruyere: 📖
  • Daniel Sutton: 💻
  • Valentin Höbel: 💻
  • thehedgefrog: 📖
  • Victor: 📖
  • Chris Whisker: 📖
  • nasatome: 📖
  • Begley Brothers (Development): 📖
  • Mike Kusold: 💻
  • Dimitris Zervas: 📖
  • TheCatLady: 🤔
  • Lauri Võsandi: 🤔
  • Kennard Vermeiren: 🤔
  • ThinkChaos: 💻 📖 ⚠️
  • Hasan: 🛡️
  • David Chidell: ??
  • Marcel Marquardt: 🐛
  • Ian Gallagher: 📖
  • Wu Han: 📖
  • lavih: 📖
  • Jon B.: 🛡️
  • Alex Gustafsson: 💻 📖
  • Arsenović Arsen: 💻 ⚠️ 🛡️
  • dakriy: 💻
  • Dave: 📓
  • Nicolas Reymundo: 📖
  • polandy: 📖

This project follows the all-contributors specification. Contributions of any kind welcome!

Backers

Thank you to all our backers! 🙏 Become a backer and help us sustain our community. The money we currently receive is dedicated to bootstrapping a bug bounty program to give us as many eyes as we can to detect potential vulnerabilities.

Sponsors

Any company can become a sponsor by donating or providing any benefit to the project or the team helping improve Authelia.

Help Wanted: We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia.

Companies contributing to Authelia will have a special mention below. [Become a sponsor]

Balto

Thank you to Balto for hosting our apt repository.

Digital Ocean

Thank you to DigitalOcean for contributing on OpenCollective.

JetBrains

Thank you to JetBrains for providing us with free licenses to their great tools.

License

Authelia is licensed under the Apache 2.0 license. The terms of the license are detailed in LICENSE.


Issues
  • Make Authelia and Traefik play nice

    Forward auth has been implemented in Traefik, which is supposed to be similar to ngx_http_auth_request_module, which Authelia depends on in NGINX. https://github.com/containous/traefik/pull/1972 https://github.com/containous/traefik/pull/2110

    Sample traefik.toml config:

    defaultEntryPoints = ["https"]
    [entryPoints]
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.auth.forward]
      address = "https://auth.domain.tld/verify"
    

    However, Traefik stalls indefinitely when this option is enabled in Traefik and forward auth is sent to Authelia. I don't know if this is related to https://github.com/containous/traefik/pull/2127, or if it's a different issue. It seems like whatever Authelia responds isn't parsed properly by Traefik.

    I'm going to use this issue to track the problem. Do you have any ideas @clems4ever?

    Solving this would remove the NGINX dependency entirely in a Traefik environment when using Authelia.

    Enhancement P3 
    opened by jkaberg 84
  • Authelia + Caddy v2 Configuration?

    Hello! I noticed that Caddy v2 doesn't have a proxy integration on Authelia docs: https://www.authelia.com/docs/deployment/supported-proxies/

    Are you planning on adding one?

    P4 Feature Request 
    opened by planecore 43
  • Docker Container Unhealthy in 4.23.1

    Hello all and thank you for the great project. I recently updated my container from 4.23.0 to 4.23.1 and when running docker ps, I can see that the authelia container is unhealthy. As a temporary fix, I've rolled back to 4.23.0, where this isn't an issue. Is this an issue with my configuration and breaking changes or an error within the project?

    Logs when running 4.23.1:

    time="2020-11-14T00:20:01-05:00" level=info msg="Logging severity set to debug"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Storage schema is being checked to verify it is up to date"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Storage schema is up to date"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Notifier SMTP client initializing TLS configuration"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Notifier SMTP client attempting connection to xxx.xxx.xxx:587"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client connected successfully"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP server supports STARTTLS (disableVerifyCert: false, ServerName: xxx.xxx.xxx), attempting"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP STARTTLS completed without error"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP server supports authentication with the following mechanisms: PLAIN LOGIN"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client attempting AUTH PLAIN with server"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client authenticated successfully with the server"
    time="2020-11-14T00:20:04-05:00" level=warning msg="Error reading hosts memory limit: open /sys/fs/cgroup/memory/memory.limit_in_bytes: no such file or directory"
    time="2020-11-14T00:20:04-05:00" level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091"
    

    I'm running authelia/authelia:4.23.1 on arch64/aarch64.

    Image information:

    REPOSITORY                                 TAG                 IMAGE ID            CREATED             SIZE
    authelia/authelia                          latest              8fa2d96139ea        3 days ago          30.1MB
    

    Thank you :smile:

    Bug Ready 
    opened by JeffResc 32
  • Unable to mount configuration.yml

    I tried to install authelia with docker-compose but on startup authelia isn't able to find the configuration.yml. In particular, it is impossible to mount the "/var/lib/authelia" volume, and on build the container automatically mounts /etc/authelia (where the configuration files are). But even after changing the PUID or PGID to root or changing the configuration files in the (unexpected) volume, authelia still goes into panic mode and logs missing configuration.

    I even copied your docker-compose.yml and still the same error. So either I'm doing something stupidly wrong (probably) or there is a bug (unlikely).

    time="2020-05-26T17:25:41+02:00" level=error msg="Provide a JWT secret using \"jwt_secret\" key"
    time="2020-05-26T17:25:41+02:00" level=error msg="Please provide `ldap` or `file` object in `authentication_backend`"
    time="2020-05-26T17:25:41+02:00" level=error msg="Set domain of the session object"
    time="2020-05-26T17:25:41+02:00" level=error msg="A storage configuration must be provided. It could be 'local', 'mysql' or 'postgres'"
    time="2020-05-26T17:25:41+02:00" level=error msg="A notifier configuration must be provided"
    panic: Some errors have been reported
    
    goroutine 1 [running]:
    main.startServer()
    	github.com/authelia/authelia/cmd/authelia/main.go:41 +0xc80
    main.main.func1(0xc00009c000, 0xc000232120, 0x0, 0x2)
    	github.com/authelia/authelia/cmd/authelia/main.go:126 +0x20
    github.com/spf13/cobra.(*Command).execute(0xc00009c000, 0xc000020190, 0x2, 0x2, 0xc00009c000, 0xc000020190)
    	github.com/spf13/[email protected]/command.go:842 +0x29d
    github.com/spf13/cobra.(*Command).ExecuteC(0xc00009c000, 0xc00013df58, 0x4, 0x4)
    	github.com/spf13/[email protected]/command.go:943 +0x317
    github.com/spf13/cobra.(*Command).Execute(...)
    	github.com/spf13/[email protected]/command.go:883
    main.main()
    	github.com/authelia/authelia/cmd/authelia/main.go:143 +0x166
    
    P1 
    opened by dylanh50 32
  • Authelia V4 not working with traefik as it did before

    I updated to authelia v4 today and everything seemed to work after I renamed my config from config.yml to configuration.yml. However, upon trying to login after browsing to one of my sites, I didn't get redirected back to the site I came from. This was working before and seems to have been broken in v4. Was there any support removed that used to exist before? I'm happy to run through my config etc. to help debug what has broken in the update; I would just like to get this issue resolved if possible so I'm not stuck on v3.

    opened by zackpollard 30
  • U2F is not working under Firefox 62

    The U2F key is not working under Firefox 62. When the 2FA page has loaded, the hint asking for the U2F key is shown by Firefox, and the key is blinking. However, when the key is touched, nothing happens.

    The following error is found in the console after the page is loaded:

     TypeError: setting getter-only property "u2f" u2f-api.js:17:5
    	<Anonymous> https://login.example.com/js/u2f-api.js:17:5
    
    Bug P3 
    opened by SilverBut 30
  • How do I configure HAProxy on pfsense?

    Hi everyone!

    I'm a noob at HAProxy, but recently got a router and installed pfsense on it. Now, I'm trying to use HAProxy on it, and just fail to understand what to fill and where from https://www.authelia.com/docs/deployment/supported-proxies/haproxy.html

    Can someone please tell me how to do this? I have no problem doing it on Traefik, but pfsense's HAProxy remains a mystery to me.

    Many thanks!

    P4 Integration Issue Help Wanted 
    opened by schklom 27
  • help needed: protecting homeassistant mobile with authelia

    Hello,

    I am using nginx proxy manager and authelia. I would like to protect my home assistant domain with authelia. I am using this endpoint protection code in nginx proxy manager advanced settings:

    https://github.com/ibracorp/authelia/blob/master/Protected%20Endpoint.conf

    This works in web-browsers:

    • browser login to has.mydomain.com
    • redirected for authentication at auth.mydomain.com
    • enter credentials, if successful redirects back to has.mydomain.com

    However in the home assistant companion app (android) what occurs is:

    • open mobile app
    • mobile app launches browser
    • browser login to has.mydomain.com
    • redirected for authentication at auth.mydomain.com
    • enter credentials, if successful redirects back to has.mydomain.com
    • home assistant companion app doesn't authenticate

    https://github.com/home-assistant/android/issues/1438#issuecomment-802956402 maybe related to this: return if (redirectUrl.startsWith(AUTH_CALLBACK) && !code.isNullOrBlank()) {

    I'm a bit out of my element here but hoping for some direction about how to make this work.

    opened by repomanz 27
  • Access to https://traefik.domain.co.nz/ is not authorized to user ,

    Good Afternoon all. I have decided to setup Authelia for the first time today and I am having some problems

    Whenever I try to visit traefik.domain.co.nz it immediately takes me to a 404 page (the URL changes to https://login.domain.co.nz/#/?rd=https%3A%2F%2Ftraefik.domain.co.nz%2F ). I do not get a sign-in page at all. When I view the logs of authelia I get the following:

    [email protected]    | time="2020-09-29T22:49:53-04:00" level=info msg="Logging severity set to debug"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=debug msg="Storage schema is being checked to verify it is up to date"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=debug msg="Storage schema is up to date"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091"
    [email protected]    | time="2020-09-29T22:50:48-04:00" level=info msg="Access to https://traefik.domain.co.nz/ is not authorized to user , redirecting to https://login.domain.co.nz/#/?rd=https%3A%2F%2Ftraefik.domain.co.nz%2F" method=GET path=/api/verify remote_ip=10.0.0.28
    

    Here are my configs

    traefik.yml

    version: "3.8"
    
    secrets:
      AUTHELIA_JWT_SECRET:
        file: "/var/data/config/secrets/authelia_jwt_secret.secret"
      AUTHELIA_SESSION_SECRET:
        file: "/var/data/config/secrets/authelia_session_secret.secret"
    
    services:
      traefik:
        image: traefik:latest
        ports:
          - "80:80"
          - "8080:8080" # traefik dashboard
          - "443:443"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/data/config/traefikv2:/etc/traefik
        networks:
          - traefik_public
        deploy:
          labels:
            - "traefik.docker.network=traefik_public"
            - "traefik.http.routers.api.rule=Host(`traefik.domain.co.nz`)"
            - "[email protected]"
            - "traefik.http.services.api.loadbalancer.server.port=9999"
            - "[email protected]"
    
      authelia:
        image: authelia/authelia
        secrets:
          - AUTHELIA_JWT_SECRET
          - AUTHELIA_SESSION_SECRET
        environment:
          - TZ=America/New_York
        networks:
          - traefik_public
        ports:
          - 9091:9091
        volumes:
          - /var/data/config/authelia:/config
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.authelia.entrypoints=https"
          - "traefik.http.routers.authelia.rule=Host(`login.domain.co.nz`)"
          - "traefik.http.services.authelia.loadbalancer.server.port=9091"
          - "traefik.http.routers.authelia.tls=true"
    
    
    networks:
      traefik_public:
        external: true
    

    My middleware

      middlewares:
        forward-auth:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://login.domain.co.nz/"
            trustForwardHeader: true
            authResponseHeaders:
              - "Remote-User"
              - "Remote-Groups"
    

    Authelia configuration

    host: 0.0.0.0
    port: 9091
    log_level: debug
    jwt_secret: xxx
    
    totp:
      issuer: authelia.com
      period: 30
      skew: 1
    
    
    authentication_backend:
      file:
        path: /config/users_database.yml
    
    access_control:
      default_policy: two_factor
      rules:
        - domain: "login.domain.co.nz"
          policy: bypass
    
    #    - domain: "*.domain.co.nz"
    #      policy: bypass
    #      networks:
    #      - 10.0.0.28
    
        - domain: "*.domain.co.nz"
          policy: two_factor
    
    
    session:
      name: authelia_session
      secret: xxx
      expiration: 3600
      inactivity: 300
      domain: domain.co.nz
    
    regulation:
      max_retries: 3
      find_time: 120
      ban_time: 300
    
    storage:
      local:
        path: /config/db.sqlite3
    
    notifier:
      filesystem:
        filename: /config/notification.txt
    

    If I uncomment the network bypass I'm able to visit the site normally. Does anyone know why it won't let me connect to the login page?

    Thanks

    Question P2 Integration Issue 
    opened by Bencey 26
  • [FEATURE] Container privilege de-escalation

    This will allow authelia to run as a non-root user. It uses su-exec to step-down privileges from root to the user and group provided by PUID and PGID environment variables. There's also a /log volume in case you'd like to direct your logs to a different location on the host; you'd have to change your configuration.yml to point logs to /logs/authelia.log.

    Default user and group are still root and the entrypoint supports running root commands, including /bin/sh through docker run. I wasn't able to test this on all architectures so some additional testing on this would be appreciated.

    opened by akusei 25
  • Resetting password using AD shows error message: "There was an issue resetting the password"

    After successfully configuring Authelia with Active Directory and using it for several testing sites, we're trying to reset passwords through it, but after using the link sent to the user's email, it only shows the following error message: "There was an issue resetting the password" and the password isn't reset.

    In the Authelia logs find this:

    level=error msg="Unable to update password: Unable to update password.
    Cause: LDAP Result Code 53 \"Unwilling To Perform\": 00002035: LdapErr: DSID-0C090F22, 
    comment: Operation not allowed through GC port, data 0, v3839\x00" 
    method=POST path=/api/reset-password remote_ip=1.1.1.1 stack="github.com/authelia/authelia/internal/middlewares/authelia_context.go:64         
    (*AutheliaCtx).Error\ngithub.com/authelia/authelia/internal/handlers/handler_reset_password_step2.go:32 
    ResetPasswordPost\ngithub.com/authelia/authelia/internal/middlewares/authelia_context.go:49          
    AutheliaMiddleware.func1.1\ngithub.com/fasthttp/[email protected]/router.go:348                                   
    (*Router).Handler\ngithub.com/authelia/authelia/internal/middlewares/log_request.go:14               
    LogRequestMiddleware.func1\ngithub.com/valyala/[email protected]/server.go:2162                                
    (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:223                             
    (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:195                             
    (*workerPool).getCh.func1\nruntime/asm_amd64.s:1373
    goexit"
    

    Actually I'm using the Administrator account for the connection between Authelia and AD, and it doesn't seem to be a permissions issue. But I don't know if perhaps it is a config mistake.

    Thanks

    Bug In Progress P2 Integration Issue 
    opened by daurpam 24
  • e-mail address instead of username to login

    Feature Request

    Description

    Please add a setting to enable login with email instead/in addition to username. This email should be case insensitive to grant access with:

    In both File and LDAP mode.

    Use Case

    It is common use to login with multiple combinations of email/username

    • Github: Email or username
    • Google: Email or phone
    • Facebook: Email or phone
    • instagram: Email, phone or username
    Feature Request 
    opened by JonasGutermuth 1
  • Support disabling "Lost your device"

    Feature Request

    Description

    Please implement a setting to disable the "Lost your device" button/workflow.

    Use Case

    As described in https://github.com/authelia/authelia/issues/135 this feature could be abused to bypass 2FA when the attacker has gained access to the users email account. A quick and easy fix for this would be to support disabling/removing the "Lost your device" option in the configuration.yml as it's already possible with the normal password https://www.authelia.com/docs/configuration/authentication/#disable_reset_password.

    The user then has to contact the Admin for registering a new device (Admin delete his device from totp_configurations/webauthn_devices table on the database). A nice addition would be a way to reset someones devices without the need of accessing the database.

    Feature Request 
    opened by SysAdmLS 1
  • haproxy missing XFF header

    For some HEAD requests it seems that haproxy is not sending the XFF header (but it does send x-real-ip). Because of this the ACL rules are not usable with the haproxy reverse proxy (at least in docker). haproxy and authelia are running in docker with host network. haproxy example:

    global
    	ssl-server-verify none
    
        # for authelia
        lua-prepend-path /lua/?/http.lua
        # Path to haproxy-auth-request
        lua-load /lua/haproxy-auth-request/auth-request.lua    
    defaults
    	log	global
    	mode	http
    	option	httplog
    	option	dontlognull
        option forwardfor
    frontend https_front
        mode http
        option http-server-close
        http-request add-header X-Forwarded-Proto https
    
        # authelia
        acl protected-frontends hdr(host) -m reg -i ^(?i)(organizr)\.xxx\.com
        #acl protected-frontends-basic hdr(host) -m reg -i ^(?i)(organizr)\.xxx\.com
        # This is required if utilising basic auth with /api/verify?auth=basic
        #http-request set-var(txn.host) hdr(Host)
    
        http-request set-var(req.scheme) str(https) if { ssl_fc }
        http-request set-var(req.scheme) str(http) if !{ ssl_fc }
        http-request set-var(req.questionmark) str(?) if { query -m found }
    
        # Required headers
        http-request set-header X-Real-IP %[src]
        http-request set-header X-Forwarded-Method %[var(req.method)]
        http-request set-header X-Forwarded-Proto %[var(req.scheme)]
        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
        http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]    
    
        # Protect endpoints with haproxy-auth-request and Authelia
        http-request lua.auth-request back_auth /api/verify if protected-frontends
        #http-request lua.auth-intercept auth_request  /api/verify HEAD    *        Remote-User,Remote-Groups,Remote-Name,Remote-Email -  if protected-frontends
        #http-request lua.auth-intercept back_auth  /api/verify HEAD    *        Remote-User,Remote-Groups,Remote-Name,Remote-Email -  if protected-frontends
    
        # Force `Authorization` header via query arg to /api/verify
        # http-request lua.auth-request back_auth /api/verify?auth=basic if protected-frontends-basic
        
        # Redirect protected-frontends to Authelia if not authenticated
        http-request redirect location https://auth.xxx.com/?rd=%[var(req.scheme)]://%[base]%[var(req.questionmark)]%[query] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
    
        # Send 401 and pass `WWW-Authenticate` header on protected-frontend-basic if not pre-authenticated
        #http-request set-var(txn.auth) var(req.auth_response_header.www_authenticate) if protected-frontends-basic !{ var(txn.auth_response_successful) -m bool }
        #http-response deny deny_status 401 hdr WWW-Authenticate %[var(txn.auth)] if { var(txn.host) -m reg -i ^(?i)(organizr)\.xxx\.com } !{ var(txn.auth_response_successful) -m bool }
    
        use_backend back_organizr if { hdr(host) -i organizr.xxx.com } trusted_ips
    
        # end of authelia
    
    
    backend back_organizr
        # Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
        #acl remote_user_exist var(req.auth_response_header.remote_user) -m found
        #acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
        #acl remote_name_exist var(req.auth_response_header.remote_name) -m found
        #acl remote_email_exist var(req.auth_response_header.remote_email) -m found
        #http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
        #http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
        #http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
        #http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
    
        mode http
        balance roundrobin
        #option forwardfor
        option httpclose
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        timeout server  300000
        #server organizr localhost:8095 check
        server organizr localhost:9898 check
    
    backend back_auth
        mode http
        balance roundrobin
        #option forwardfor
        option httpclose
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        option httpchk GET /api/state HTTP/1.1\r\nHost:localhost
        timeout server  300000
        server auth localhost:9091 check
    

    I opened a nc session to catch the requests, and the first HEAD was missing the XFF header:

    HEAD /api/verify HTTP/1.1
    sec-fetch-mode: navigate
    x-forwarded-proto: https
    accept-language: en-US,en;q=0.5
    sec-fetch-dest: document
    cookie: organizrLanguage=en; authelia_session=bla
    accept-encoding: gzip, deflate, br
    upgrade-insecure-requests: 1
    x-forwarded-uri: /
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    sec-fetch-site: cross-site
    x-forwarded-method:
    x-real-ip: 86.xx.xx.xx
    x-forwarded-host: organizr.domain.com
    host: 127.0.0.1:9091
    connection: close
    
    GET /?rd=https://organizr.example.cp,/ HTTP/1.1
    host: auth.domain.com
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    accept-language: en-US,en;q=0.5
    accept-encoding: gzip, deflate, br
    cookie: authelia_session=bla
    upgrade-insecure-requests: 1
    sec-fetch-dest: document
    sec-fetch-mode: navigate
    sec-fetch-site: cross-site
    x-real-ip: 86.xx.xx.xx
    x-forwarded-method:
    x-forwarded-proto: https
    x-forwarded-host: auth.domain.com
    x-forwarded-uri: /?rd=https://organizr.domain.com/
    x-forwarded-port: 443
    x-forwarded-proto: https
    x-forwarded-for: 86.xx.xx.xx
    connection: close
    
    Possible Bug 
    opened by WladyX 0
Releases: v4.35.5

Owner: Authelia, an organization to federate open source contributions to Authelia

null 5 Apr 19, 2022
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 30 Apr 29, 2022
Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.

❗ Cache package has been moved to libcache repository Go-Guardian Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to

Sanad Haj Yahya 366 May 14, 2022
Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.

Goth: Multi-Provider Authentication for Go Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applic

Mark Bates 3.7k May 16, 2022
🍍Jeff provides the simplest way to manage web sessions in Go.

jeff A tool for managing login sessions in Go. Motivation I was looking for a simple session management wrapper for Go and from what I could tell ther

Alan Braithwaite 238 May 9, 2022
JSON Web Token library

About … a JSON Web Token (JWT) library for the Go programming language. Feature complete Full test coverage Dependency free Key management The API enf

Pascal S. de Kloe 284 Apr 23, 2022
Safe, simple and fast JSON Web Tokens for Go

jwt JSON Web Token for Go RFC 7519, also see jwt.io for more. The latest version is v3. Rationale There are many JWT libraries, but many of them are h

cristaltech 541 May 16, 2022
This package provides json web token (jwt) middleware for goLang http servers

jwt-auth jwt auth middleware in goLang. If you're interested in using sessions, checkout my sessions library! README Contents: Quickstart Performance

Adam Hanna 216 May 13, 2022
Golang implementation of JSON Web Tokens (JWT)

jwt-go A go (or 'golang' for search engine friendliness) implementation of JSON Web Tokens NEW VERSION COMING: There have been a lot of improvements s

Dave Grijalva 10.4k May 13, 2022