
Error 526 about authelia HOT 16 CLOSED

ibracorp avatar ibracorp commented on July 19, 2024
Error 526

from authelia.

Comments (16)

 avatar commented on July 19, 2024

Is the advanced config taken from our Git exactly as is?


moraleseder1 avatar moraleseder1 commented on July 19, 2024

Yes, the only change I made was the server IP and the container name.


 avatar commented on July 19, 2024

Can you also provide me the code on your Authelia host in NPM? 526 Error indicates a possible mismatch of certificate or domain.


moraleseder1 avatar moraleseder1 commented on July 19, 2024

Sure, here is the code

location / {
    set $upstream_authelia http://192.168.1.33:9091; # This example assumes a Docker deployment
    proxy_pass $upstream_authelia;
    client_body_buffer_size 128k;

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    # Basic Proxy Config
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    # If behind reverse proxy, forwards the correct IP
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.0.0.0/8;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}


moraleseder1 avatar moraleseder1 commented on July 19, 2024

The weird thing is that I have the same configuration for another host, and that one will bring me to the Authelia login page, but after I log on I get error 403 forbidden and this shows up in the logs:

time="2021-03-01T07:21:09-05:00" level=info msg="Access to https://sample.mydomain.com/ is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=108.162.210.142
[mysql] 2021/03/01 07:21:37 packets.go:122: closing bad idle connection: EOF
[mysql] 2021/03/01 07:21:37 connection.go:158: driver: bad connection

time="2021-03-01T07:21:37-05:00" level=debug msg="Mark authentication attempt made by user eder" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Credentials validation of user eder is ok" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Required level for the URL https://sample.mydomain/ is 3" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Redirection URL https://sample.mydomain.com/ is safe" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:38-05:00" level=info msg="Access to https://sample.mydomain.com/ is forbidden to user eder" method=GET path=/api/verify remote_ip=108.162.210.143
time="2021-03-01T07:21:50-05:00" level=info msg="Access to https://sample.mydomain.com/ is forbidden to user eder" method=GET path=/api/verify remote_ip=108.162.210.142


 avatar commented on July 19, 2024

Hmm, looking at the log there are two things that stand out to me:

  1. Looks like MySQL is not connecting. Can you check that your settings in configuration.yml are correct? Some users have reported issues related to having special characters in their passwords. I would recommend resetting it to something simple just to test.

  2. Check your rules in the configuration.yml to ensure they are correct, as it looks like it's bouncing you.

If you like, you can post your config for Authelia and I can have a read. Be wary of personal information.


moraleseder1 avatar moraleseder1 commented on July 19, 2024

Okay so when my redis password had a special character, I changed that.
When you refer to rules, do you mean this section:

  rules:
    # Rules applied to 'admins' group
    - domain: "sample.mydomain.com"
      subject:
        - "group:admins"
      policy: one_factor

It works with this one container, but when I try with other containers such as Sonarr, Radarr, etc. I get the error I mentioned above. The advanced config is exactly the same besides the container name, of course.
How do I add extra domains?

I'd love for you to look at my config if you wouldn't mind, can I email it?


 avatar commented on July 19, 2024

Sure mate. What about your MySQL password? Is that anything weird?
Email me the config and I'll have a look for you: [email protected]


 avatar commented on July 19, 2024

Ok mate, I've had a look. Your file looks good, no issues per se.
What I noticed is that you only really have one rule, and your default rule is to deny.

Therefore, any URL protected by Authelia other than the one you have in the config will deny.

So if you want to add multiple subdomains you can do it like so:

access_control:
  # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user.
  default_policy: deny

  rules:
    # Rules applied to 'admins' group
    - domain: "sonarr.example.com"
      subject:
        - "group:admins"
      policy: one_factor
    - domain: "radarr.example.com"
      subject:
        - "group:admins"
      policy: one_factor

Alternatively, if you just want to protect everything under one domain and have the same rule on them all, you can just use a wildcard. (Also useful for testing)

  rules:
    # Rules applied to 'admins' group
    - domain: "*.example.com"
      subject:
        - "group:admins"
      policy: one_factor

Can you make the relevant changes and let me know how your Authelia logs look then?

from authelia.
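
A simplified model of the first-match-then-default evaluation described in the comment above, as an added example that is not part of the thread and not Authelia's own code. The `example.com` hosts, the `admins` membership of user `eder` and the matching helpers are assumptions covering only the rule shapes shown here.

```python
# Simplified model of rule evaluation with a default policy (added illustration).
LEVELS = {"bypass": 0, "one_factor": 1, "two_factor": 2}

def domain_matches(pattern, host):
    """'*.example.com' matches any subdomain of example.com, not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def subject_matches(subjects, user, groups):
    """A rule with no subject applies to everyone; otherwise any one subject may match."""
    if not subjects:
        return True
    return any(
        s == f"user:{user}" or (s.startswith("group:") and s[6:] in groups)
        for s in subjects
    )

def effective_policy(access_control, host, user, groups):
    """Return the policy of the first matching rule, else the default policy."""
    for rule in access_control["rules"]:
        if domain_matches(rule["domain"], host) and subject_matches(
            rule.get("subject", []), user, groups
        ):
            return rule["policy"]
    return access_control["default_policy"]

def is_allowed(policy, auth_level):
    """auth_level: 0 anonymous, 1 password only, 2 password plus second factor."""
    return policy != "deny" and auth_level >= LEVELS[policy]

# Constructed configs mirroring the two shapes shown in the thread.
SINGLE_RULE = {
    "default_policy": "deny",
    "rules": [{"domain": "sample.example.com", "subject": ["group:admins"], "policy": "one_factor"}],
}
WILDCARD = {
    "default_policy": "deny",
    "rules": [{"domain": "*.example.com", "subject": ["group:admins"], "policy": "one_factor"}],
}

if __name__ == "__main__":
    for name, cfg in (("single rule", SINGLE_RULE), ("wildcard", WILDCARD)):
        for host in ("sample.example.com", "sonarr.example.com", "example.com"):
            policy = effective_policy(cfg, host, "eder", {"admins"})
            print(f"{name:11} {host:20} -> {policy:10} allowed={is_allowed(policy, 1)}")
```

With the single-rule config every other host falls through to `default_policy: deny`, which is the "forbidden" outcome in the logs; the wildcard covers subdomains but still leaves the bare domain on the default.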

moraleseder1 avatar moraleseder1 commented on July 19, 2024


 avatar commented on July 19, 2024

I have heard of that happening before actually. Can you test by creating a new container with a one-word name?


moraleseder1 avatar moraleseder1 commented on July 19, 2024


moraleseder1 avatar moraleseder1 commented on July 19, 2024


 avatar commented on July 19, 2024

Woohoo! Congratulations my friend. Glad it's sorted. Good pickup, too.

If you enjoyed the help care to subscribe to our website and YouTube? https://ibracorp.io

Cheers


moraleseder1 avatar moraleseder1 commented on July 19, 2024


 avatar commented on July 19, 2024

Yeah, it should be fine. As long as the rules you set are the ones you want for every subdomain there's no issue.
Since I assume it's a home use deployment, you would really be the only person needing access so having admin on all of them should be fine.
For security obviously, two-factor authentication would be the best option but that's totally up to you.
