authorMax Audron <audron@cocaine.farm>2024-02-07 14:45:25 +0000
committerMax Audron <audron@cocaine.farm>2024-02-07 17:27:38 +0000
commit551d7a4268a9b8d9399478187c080b2d71f05f8f (patch)
treea16d4ea9f6c019f458e35230847d069365c41be7 /lib
parentadd netns template services (diff)
add aditional nginx proxy variants
Diffstat (limited to 'lib')
-rw-r--r--lib/nginx/default.nix99
1 files changed, 99 insertions, 0 deletions
diff --git a/lib/nginx/default.nix b/lib/nginx/default.nix
index e7657e6..1f0f482 100644
--- a/lib/nginx/default.nix
+++ b/lib/nginx/default.nix
@@ -68,4 +68,103 @@
'';
};
};
+
+ proxyDomainGlobalAuth = cert: proxyPass: {
+ forceSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ inherit proxyPass;
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length ""; '';
+ };
+
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+ return 302 https://auth.vapor.systems/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+ '';
+ };
+ };
+
+ domainAuth = cert: {
+ forceSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "https://10.10.0.1:9444/outpost.goauthentik.io";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
}
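Review bot: The `/outpost.goauthentik.io` location in `domainAuth` proxies to `https://10.10.0.1:9444/outpost.goauthentik.io` with no `proxy_ssl_verify`, and nginx leaves upstream certificate verification off by default. Unless verification is enabled somewhere outside this hunk, the endpoint that decides the `auth_request` result and supplies the `X-authentik-*` identity headers is not authenticated to nginx. `proxy_ssl_server_name on;` does not change that: the proxy_pass host is an IP literal, for which nginx should send no SNI unless a name is set explicitly. I would add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to CA bundle>;` and `proxy_ssl_name <outpost hostname>;` to that `extraConfig`. The first two also belong in the same location of `proxyDomainGlobalAuth`, which proxies to `https://auth.vapor.systems`; the enclosing attribute set opens above the hunk, so check there for an existing default first.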