diff --git a/hosts/cloud/proxy/auth.nix b/hosts/cloud/proxy/auth.nix
index b8e10d5..6aa22e3 100644
--- a/hosts/cloud/proxy/auth.nix
+++ b/hosts/cloud/proxy/auth.nix
@@ -1,23 +1,35 @@
 { ... }:
 {
-  services.nginx.upstreams.keycloak = {
+  services.nginx.upstreams.authentik = {
     servers = {
-      "10.89.88.11:38080" = { };
-      "[fd31:185d:722f::11]:38080" = { };
+      "10.89.88.11:9000" = { };
+      "[fd31:185d:722f::11]:9000" = { };
     };
+    extraConfig = ''
+      keepalive 10;
+    '';
   };
   services.nginx.virtualHosts."auth.oxapentane.com" = {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://keycloak";
+      proxyPass = "http://authentik";
       extraConfig = ''
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Port 433;
+        # general proxy settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        # authentik specifik
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade_keepalive;
       '';
     };
   };
diff --git a/hosts/cloud/proxy/dav-htaccess.nix b/hosts/cloud/proxy/dav-htaccess.nix
deleted file mode 100644
index 7902270..0000000
--- a/hosts/cloud/proxy/dav-htaccess.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-{
-  services.nginx.upstreams.radicale = {
-    servers = {
-      "10.89.88.12:5232" = { };
-      "[fd31:185d:722f::12]:5232" = { };
-    };
-  };
-  services.nginx.virtualHosts."dav.oxapentane.com" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://radicale/";
-    };
-  };
-}
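Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the new extraConfig forwards whatever X-Forwarded-For the client sent with $remote_addr appended, so the identity provider receives a client-controlled chain; if this nginx is the first hop (forceSSL plus enableACME suggests it faces the internet directly) and authentik takes the leftmost entry the way most consumers do, its client-IP logging, events and any IP-based policies can be spoofed. Since X-Real-IP already carries $remote_addr, the cheap fix is `proxy_set_header X-Forwarded-For $remote_addr;`, or alternatively confirm that authentik is configured to trust only this proxy and use the last hop. The `# authentik specifik` comment has a typo (`specific`). The virtualHost attrset closes inside the hunk but the file's outer attrset does not.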
diff --git a/hosts/cloud/proxy/dav.nix b/hosts/cloud/proxy/dav.nix
index d3bf7fb..40db331 100644
--- a/hosts/cloud/proxy/dav.nix
+++ b/hosts/cloud/proxy/dav.nix
@@ -10,39 +10,55 @@
   services.nginx.virtualHosts."dav.oxapentane.com" = {
     forceSSL = true;
     enableACME = true;
-    locations."/oauth2/" = {
-      proxyPass = "http://10.89.88.11:4180/";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-      '';
-    };
-    locations."/oauth2/auth" = {
-      proxyPass = "http://10.89.88.11:4180";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Uri $request_uri;
-        proxy_set_header Content-Length "";
-        proxy_pass_request_body off;
-      '';
-    };
+    # Radicale
     locations."/" = {
-      proxyPass = "http://radicale/";
+      proxyPass = "http://radicale";
       extraConfig = ''
-        auth_request /oauth2/auth;
-        error_page 401 =403 /oauth2/sign_in;
-
-        auth_request_set $user $upstream_http_x_auth_request_user;
+        # Radicale stuff
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade_keepalive;
+        # authentik stuff
+        auth_request /outpost.goauthentik.io/auth/nginx;
+        error_page 401 = @goauthentik_proxy_signin;
         auth_request_set $auth_cookie $upstream_http_set_cookie;
-        # add_header Set-Cookie $auth_cookie;
+        proxy_set_header Set-Cookie $auth_cookie;
-        proxy_set_header X-Remote-User $user;
-        proxy_set_header X-User $user;
-        proxy_set_header X-Real-IP $remote_addr;
+        # translate headers from the outposts back to the actual upstream
+        auth_request_set $authentik_username $upstream_http_x_authentik_username;
+        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+        auth_request_set $authentik_email $upstream_http_x_authentik_email;
+        auth_request_set $authentik_name $upstream_http_x_authentik_name;
+        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+        proxy_set_header X-authentik-username $authentik_username;
+        proxy_set_header X-Remote-User $authentik_username;
+        proxy_set_header X-authentik-groups $authentik_groups;
+        proxy_set_header X-authentik-entitlements $authentik_entitlements;
+        proxy_set_header X-authentik-email $authentik_email;
+        proxy_set_header X-authentik-name $authentik_name;
+        proxy_set_header X-authentik-uid $authentik_uid;
+      '';
+    };
+
+    locations."/outpost.goauthentik.io" = {
+      proxyPass = "http://authentik/outpost.goauthentik.io";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header Set-Cookie $auth_cookie;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+      '';
+    };
+    locations."@goauthentik_proxy_signin" = {
+      extraConfig = ''
+        internal;
+        proxy_set_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
       '';
     };
   };
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 548fbc7..d727f06 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -2,7 +2,7 @@
 {
   imports = [
     ./auth.nix
-    ./dav-htaccess.nix
+    ./dav.nix
   ];
   networking.firewall.allowedTCPPorts = [
@@ -16,14 +16,15 @@
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
-    recommendedProxySettings = true;
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
     appendHttpConfig = ''
-      proxy_buffers 4 256k;
-      proxy_buffer_size 128k;
-      proxy_busy_buffers_size 256k;
+      # upgrade websockets
+      map $http_upgrade $connection_upgrade_keepalive {
+        default upgrade;
+        ''' ''';
+      }
       ### TLS
       # Add HSTS header with preloading to HTTPS requests.
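Review bot: `proxy_set_header Set-Cookie $auth_cookie;` in all three new locations sets a request header on the proxied request, not a header on the response to the browser, so in `locations."/"` the cookie captured by `auth_request_set $auth_cookie $upstream_http_set_cookie;` is handed to Radicale and never reaches the client, and in `@goauthentik_proxy_signin` the directive is inert because that location only does `return 302`. Set-Cookie is a response header; each of the three lines should be `add_header Set-Cookie $auth_cookie;`, which is the directive the commented-out line removed from the old `/` location already used. Separately, `locations."/"` now sends Upgrade/Connection headers to Radicale without `proxy_http_version 1.1;`, and neither it nor `/outpost.goauthentik.io` sets X-Forwarded-For or X-Forwarded-Proto; with `recommendedProxySettings` removed in the default.nix hunk of this same commit nothing else supplies them, so Radicale and the outpost see the proxy's own address as the client. The file's outer attrset opens and closes outside the hunk.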
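Review bot: `''' ''';` in the new map needs a comment, since a reader has to know both that the triple quote is Nix's escape for two single quotes inside an indented string and why the resulting empty-string default matters; suggested: `# the triple quote is Nix's escape for two single quotes: nginx gets an empty-string default, so requests without an Upgrade header send an empty Connection value and the upstream keepalive pool (keepalive 10 in auth.nix) stays usable`. Removing `recommendedProxySettings = true;` also drops the module's per-location Host/X-Real-IP/X-Forwarded-* headers, its `proxy_http_version 1.1` and proxy timeouts for every virtualHost; auth.nix re-adds them inline, but any virtualHost defined outside this diff that relied on the module defaults now proxies without them and should be checked. The services.nginx attrset continues outside the hunk on both sides.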