From 551d7a4268a9b8d9399478187c080b2d71f05f8f Mon Sep 17 00:00:00 2001
From: Max Audron
Date: Wed, 7 Feb 2024 14:45:25 +0000
Subject: add aditional nginx proxy variants
---
 lib/nginx/default.nix | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
(limited to 'lib/nginx')
diff --git a/lib/nginx/default.nix b/lib/nginx/default.nix
index e7657e6..1f0f482 100644
--- a/lib/nginx/default.nix
+++ b/lib/nginx/default.nix
@@ -68,4 +68,103 @@
 '';
 };
 };
+
+ proxyDomainGlobalAuth = cert: proxyPass: {
+ forceSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ inherit proxyPass;
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length ""; '';
+ };
+
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+ return 302 https://auth.vapor.systems/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+ '';
+ };
+ };
+
+ domainAuth = cert: {
+ forceSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "https://10.10.0.1:9444/outpost.goauthentik.io";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
 }
-- cgit v1.2.3
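Review bot: Neither `/outpost.goauthentik.io` location verifies the certificate of the HTTPS upstream the auth subrequest is sent to (nginx's `proxy_ssl_verify` defaults to off), so the 200/401 decision and the `X-authentik-*` identity headers that `auth_request_set` copies into the real upstream request are accepted from an unauthenticated TLS peer — `https://auth.vapor.systems` in `proxyDomainGlobalAuth` and `https://10.10.0.1:9444` in `domainAuth`. The `proxy_ssl_server_name on;` added in `domainAuth` also looks like a no-op on its own, because nginx omits SNI when the upstream name is an IP literal, so it needs an explicit `proxy_ssl_name`. I would add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (or the CA that issued the outpost's certificate) to both locations, plus `proxy_ssl_name auth.vapor.systems;` for the IP upstream, assuming that is the name on its certificate. Separately, `domainAuth`'s `locations."/"` intentionally omits `proxyPass`, so a comment such as `# forward-auth wiring only: the caller must merge in locations."/".proxyPass` would stop a reader from taking it for a complete vhost; the attribute set these variants are appended to begins before the hunk.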