Comments (16)
Is the advanced config taken from our Git exactly as is?
from authelia.
Yes, the only change I made was the server IP and the container name.
Can you also provide me the code on your Authelia host in NPM? 526 Error indicates a possible mismatch of certificate or domain.
Sure, here is the code:

```nginx
location / {
    set $upstream_authelia http://192.168.1.33:9091; # This example assumes a Docker deployment
    proxy_pass $upstream_authelia;
    client_body_buffer_size 128k;

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    # Basic Proxy Config
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    # If behind reverse proxy, forwards the correct IP
    # (these ranges are trusted to set the client IP via X-Forwarded-For;
    # note 172.0.0.0/8 is wider than the RFC 1918 range 172.16.0.0/12)
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.0.0.0/8;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}
```
The weird thing is that I have the same configuration for another host, and that one brings me to the Authelia login page, but after I log on I get error 403 Forbidden and this shows up in the logs:

```text
time="2021-03-01T07:21:09-05:00" level=info msg="Access to https://sample.mydomain.com/ is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=108.162.210.142
[mysql] 2021/03/01 07:21:37 packets.go:122: closing bad idle connection: EOF
[mysql] 2021/03/01 07:21:37 connection.go:158: driver: bad connection
time="2021-03-01T07:21:37-05:00" level=debug msg="Mark authentication attempt made by user eder" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Credentials validation of user eder is ok" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Required level for the URL https://sample.mydomain/ is 3" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:37-05:00" level=debug msg="Redirection URL https://sample.mydomain.com/ is safe" method=POST path=/api/firstfactor remote_ip=73.46.191.98
time="2021-03-01T07:21:38-05:00" level=info msg="Access to https://sample.mydomain.com/ is forbidden to user eder" method=GET path=/api/verify remote_ip=108.162.210.143
time="2021-03-01T07:21:50-05:00" level=info msg="Access to https://sample.mydomain.com/ is forbidden to user eder" method=GET path=/api/verify remote_ip=108.162.210.142
```
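The two kinds of `/api/verify` lines in that excerpt mean different things: "not authorized to user ," (empty user) is an anonymous visitor being sent to log in with a 401, while "forbidden to user eder" is an authenticated user being rejected by the access-control policy with a 403. As an added example, not code from this thread or from Authelia, here is a small triage script that parses logrus-style records, separates those two outcomes, and counts the Go MySQL driver errors alongside them. The hostnames and addresses in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format Authelia (logrus) and the Go MySQL driver print;
# the host and the addresses are placeholders, not values from a real deployment.
SAMPLE_LOG = (
    'time="2021-03-01T07:21:09-05:00" level=info msg="Access to https://radarr.example.com/ '
    'is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=203.0.113.10\n'
    "[mysql] 2021/03/01 07:21:37 packets.go:122: closing bad idle connection: EOF\n"
    'time="2021-03-01T07:21:37-05:00" level=debug msg="Credentials validation of user eder is ok" '
    'method=POST path=/api/firstfactor remote_ip=203.0.113.10\n'
    'time="2021-03-01T07:21:38-05:00" level=info msg="Access to https://radarr.example.com/ '
    'is forbidden to user eder" method=GET path=/api/verify remote_ip=203.0.113.11\n'
    'time="2021-03-01T07:21:50-05:00" level=info msg="Access to https://radarr.example.com/ '
    'is forbidden to user eder" method=GET path=/api/verify remote_ip=203.0.113.11\n'
)

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
FORBIDDEN_RE = re.compile(r"Access to (\S+) is forbidden to user (\S+)")
UNAUTH_RE = re.compile(r"Access to (\S+) is not authorized to user (\S*), sending 401")


def parse_record(line):
    """Split a logrus text line into a dict; returns None for non-logrus lines."""
    if not line.startswith("time="):
        return None
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify_verify(fields):
    """Map an /api/verify record to an (outcome, user, url) triple, or None."""
    if fields.get("path") != "/api/verify":
        return None
    msg = fields.get("msg", "")
    m = FORBIDDEN_RE.search(msg)
    if m:
        return ("forbidden", m.group(2), m.group(1))  # authenticated, denied by policy (403)
    m = UNAUTH_RE.search(msg)
    if m:
        return ("unauthenticated", m.group(2) or None, m.group(1))  # no session yet (401)
    return None


def summarize(text):
    """Count verify outcomes and storage-driver errors over a log excerpt."""
    outcomes = Counter()
    db_errors = 0
    for line in text.splitlines():
        if line.startswith("[mysql]"):
            db_errors += 1
            continue
        fields = parse_record(line)
        if fields is None:
            continue
        triple = classify_verify(fields)
        if triple:
            outcomes[triple] += 1
    return outcomes, db_errors


if __name__ == "__main__":
    outcomes, db_errors = summarize(SAMPLE_LOG)
    for (outcome, user, url), n in sorted(outcomes.items(), key=str):
        print(f"{n:3d}  {outcome:15s} user={user!r:8} {url}")
    print("storage driver errors:", db_errors)
```

Repeated "forbidden" entries for a named user point at the access-control rules rather than at credentials, which is exactly the distinction drawn later in the thread; the driver errors are a separate storage problem and are counted separately so they are not mistaken for a policy issue.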
Hmm, looking at the log there are two things that stand out to me:

- Looks like MySQL is not connecting. Can you check your settings in configuration.yml are correct? Some users have reported issues related to having special characters in their passwords. I would recommend resetting it to something simple just to test.
- Check your rules in the configuration.yml to ensure they are correct, as it looks like it's bouncing you.

If you like, you can post your config for Authelia and I can have a read. Be wary of personal information.
Okay, so when my Redis password had a special character, I changed that.

When you refer to rules, do you mean this section:

```yaml
rules:
  # Rules applied to 'admins' group
  - domain: "sample.mydomain.com"
    subject:
      - "group:admins"
    policy: one_factor
```

It works with this one container, but when I try with other containers such as Sonarr, Radarr, etc. I get the error I mentioned above; the advanced config is exactly the same besides the container name, of course.

How do I add extra domains?

I'd love for you to look at my config if you wouldn't mind. Can I email it?
Sure mate. What about your MySQL password? Is that anything weird?
Email me the config I'll have a look for you: [email protected]
Ok mate, I've had a look. Your file looks good, no issues per se.

What I noticed is that you only really have one rule. And your default rule is to deny.

Therefore, any URL protected by Authelia other than the one you have in the config will be denied.

So if you want to add multiple subdomains you can do it like so:

```yaml
access_control:
  # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user.
  default_policy: deny
  rules:
    # Rules applied to 'admins' group
    - domain: "sonarr.example.com"
      subject:
        - "group:admins"
      policy: one_factor
    - domain: "radarr.example.com"
      subject:
        - "group:admins"
      policy: one_factor
```

Alternatively, if you just want to protect everything under one domain and have the same rule on them all, you can just use a wildcard. (Also useful for testing)

```yaml
  rules:
    # Rules applied to 'admins' group
    - domain: "*.example.com"
      subject:
        - "group:admins"
      policy: one_factor
```

Can you make the relevant changes and let me know how your Authelia logs look then?
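To make the "default deny plus one rule" behaviour concrete, here is a toy evaluator for Authelia-style access-control rules. It is an added example, not Authelia's own code: it keeps only the parts the thread is about (first matching rule wins, `*.suffix` wildcard domains, string-form `group:`/`user:` subjects, and the 401-versus-403 split for anonymous versus authenticated users on a `deny` result) and leaves out path, resource and network matching. The two configs and the user `eder` in group `admins` are constructed to mirror the thread.

```python
"""Toy Authelia-style access_control evaluator (added example, not Authelia's code)."""

# Constructed config mirroring the thread: default deny, one exact-domain rule.
SINGLE_RULE_CONFIG = {
    "default_policy": "deny",
    "rules": [
        {"domain": "sample.mydomain.com", "subject": ["group:admins"], "policy": "one_factor"},
    ],
}

# Same deployment with the wildcard rule suggested above.
WILDCARD_CONFIG = {
    "default_policy": "deny",
    "rules": [
        {"domain": "*.mydomain.com", "subject": ["group:admins"], "policy": "one_factor"},
    ],
}

# Authentication levels in order; a policy is satisfied when the session's
# level is at least the policy's level.
LEVEL = {"bypass": 0, "one_factor": 1, "two_factor": 2}


def domain_matches(pattern, host):
    """'*.suffix' matches any subdomain of suffix (not suffix itself);
    anything else must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def subject_matches(subjects, user, groups):
    """No subject list means the rule applies to everyone; otherwise any one
    'user:<name>' or 'group:<name>' entry matching is enough. An anonymous
    visitor (user=None) never matches a subject-restricted rule."""
    if not subjects:
        return True
    for entry in subjects:
        kind, _, value = entry.partition(":")
        if kind == "user" and value == user:
            return True
        if kind == "group" and value in groups:
            return True
    return False


def effective_policy(config, host, user=None, groups=()):
    """First matching rule wins; otherwise default_policy applies."""
    for rule in config["rules"]:
        if domain_matches(rule["domain"], host) and subject_matches(
            rule.get("subject", []), user, groups
        ):
            return rule["policy"]
    return config["default_policy"]


def decide(config, host, user, groups, session_level):
    """HTTP status the verify endpoint would answer: 200 allow,
    401 needs (more) authentication, 403 denied for this user."""
    policy = effective_policy(config, host, user, groups)
    if policy == "deny":
        # Anonymous visitors are sent to log in (401); a logged-in user who
        # is still denied gets 403, the "forbidden to user eder" log line.
        return 403 if user else 401
    if session_level >= LEVEL[policy]:
        return 200
    return 401


if __name__ == "__main__":
    admin = ("eder", ("admins",))
    for name, cfg in (("single rule", SINGLE_RULE_CONFIG), ("wildcard", WILDCARD_CONFIG)):
        for host in ("sample.mydomain.com", "sonarr.mydomain.com", "radarr.mydomain.com"):
            print(f"{name:12s} {host:22s} -> {decide(cfg, host, *admin, session_level=1)}")
```

With the single rule, `sonarr.mydomain.com` falls through to `default_policy: deny` and a logged-in admin gets 403; with the wildcard the same request gets 200 once the session has completed one factor. The apex `mydomain.com` is still denied under the wildcard, because `*.mydomain.com` matches subdomains only.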
I have heard of that happening before, actually. Can you test by creating a new container with a one-word name?
Woohoo! Congratulations my friend. Glad it's sorted. Good pickup, too.
If you enjoyed the help care to subscribe to our website and YouTube? https://ibracorp.io
Cheers
Yeah, it should be fine. As long as the rules you set are the ones you want for every subdomain there's no issue.
Since I assume it's a home use deployment, you would really be the only person needing access so having admin on all of them should be fine.
For security obviously, two-factor authentication would be the best option but that's totally up to you.