issue for access from LAN

[captainabloc]

Hi everyone,
I use Authelia combined with Nginx Proxy Manager (NPMPLUS). In addition I use adguard home.

the issue is that even having bypass from lan addresses active in configuration.yaml, I get faulty (emptty) request from authelia to access : https://auth.mysite.me/?rd=https:///
All is working well when accessed from outside my LAN

Adguard home is working on a standalone machine, with /etc/hosts pointing to my NPM IP:

192.168.1.231   nextcloud.mysite.me
192.168.1.231   jeedom.mysite.me
192.168.1.231   adguard-vm.mysite.me
192.168.1.231   auth.mysite.me

Authelia configuration.yaml:

---
###############################################################
#                   Authelia configuration                    #
###############################################################

server:
  address: 'tcp://:9091'

log:
  level: 'debug'
  format: 'text'
  file_path: /config/authelia.log

totp:
  issuer: 'authelia.com'

identity_validation:
  reset_password:
    jwt_secret: 'super secret'

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      salt_length: 16
      parallelism: 8
      memory: 64

access_control:
  default_policy: deny
  networks:
  - name: 'internal'
    networks:
      - '192.168.1.0/24'
      - '10.7.0.0/24'
      - '172.27.224.0/20'
      - '172.27.240.0/20'
      - '172.24.0.0/20'
      - '172.15.0.0/8'
      - '127.0.0.0/8'
  rules:
    # Allow free access from local network
    - domain:
      - 'mysite.me'
      - 'jeedom.mysite.me'
      - 'admin.mysite.me'
      - 'adguard.mysite.me'
      policy: bypass
      networks:
      - '192.168.1.0/24'
      - '10.7.0.0/24'
      - '172.27.224.0/20'
      - '172.27.240.0/20'
      - '172.24.0.0/20'
      - '172.15.0.0/8'
      - '127.0.0.0/8'

    - domain:
        - 'auth.mysite.me'
        - 'nextcloud.mysite.me'
      policy: bypass

    - domain:
      - 'mysite.me'
      - 'jeedom.mysite.me'
      - 'admin.mysite.me'
      - 'adguard.mysite.me'
      policy: two_factor



session:
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: 'againsecret'

  cookies:
    - name: 'authelia_session'
      domain: "mysite.me"

      authelia_url: 'https://auth.mysite.me'
      expiration: '1 hour'
      inactivity: '5 minutes'
      same_site: 'lax'

  redis:
    host: '192.168.1.231'
    port: 6379
    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
    # password: mypass


regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'


storage:
  encryption_key: anotherkey # Now required
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt
...

typical error line in authelia.log when trying to access from within LAN:

time="2024-04-15T12:23:29Z" level=error msg="Target URL does not appear to have a relevant session cookies configuration" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'https:///api/search?limit=5&type=dash-db&dashboardUID=uTWqRmQfk&dashboardUID=6L33dB47z&dashboardUID=e7sFPRVnk'" method=GET path=/api/verify remote_ip=192.168.1.208 stack="github.com/authelia/authelia/v4/internal/handlers/handler_authz.go:40 (*Authz).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 handleRouter.(*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30 SecurityHeadersBase.func1\ngithub.com/fasthttp/router@v1.5.0/router.go:454 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38 RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695 goexit" target_url="https:///api/search?limit=5&type=dash-db&dashboardUID=uTWqKmQmk&dashboardUID=6L2GdB47z&dashboardUID=e7sWOBVnk"

NPMPLUS authelia proxy advanced config:

 location / {
        set $upstream_authelia http://192.168.1.231:9091; 
       proxy_pass $upstream_authelia;
        client_body_buffer_size 128k;
 
        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;
 
        # Basic Proxy Config

proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect  http://  $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;


 
        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.0.0.0/8;
        set_real_ip_from 192.168.1.0/24;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }

protected host typical advanced config in NPM:

proxy_set_header Host  $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
real_ip_header CF-Connecting-IP;

location /authelia {
    internal;
    set $upstream_authelia http://192.168.1.231:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;    
    proxy_set_header Content-Length "";
 
    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr; 
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
 
 
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
 
    location / {
        set $upstream_jeedom http://192.168.1.236:80;
        proxy_pass $upstream_jeedom; 
 
		auth_request /authelia;
		auth_request_set $target_url $scheme://$http_host$request_uri;
		auth_request_set $user $upstream_http_remote_user;
		auth_request_set $groups $upstream_http_remote_groups;
		proxy_set_header Remote-User $user;
		proxy_set_header Remote-Groups $groups;
		error_page 401 =302 https://auth.mysite.me/?rd=$target_url; 
 
 
		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
		send_timeout 5m;
		proxy_read_timeout 360;
		proxy_send_timeout 360;
		proxy_connect_timeout 360;
 
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Forwarded-Uri $request_uri;
		proxy_set_header X-Forwarded-Ssl on;
		proxy_redirect  http://  $scheme://;
		proxy_http_version 1.1;
		proxy_set_header Connection "";
		proxy_cache_bypass $cookie_session;
		proxy_no_cache $cookie_session;

		real_ip_header X-Forwarded-For;
		real_ip_recursive on;
 
    }

Would someone have a clue on how to get it working both inside and outside LAN?

[glime-ai[bot]]

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

---

It seems like the issue you're encountering with Authelia when accessing from within your LAN might be related to how the redirection URLs are being handled or constructed in your Nginx configuration. The empty redirection URL (https:///) suggests that there might be a misconfiguration or an issue with how headers are being forwarded or interpreted by Authelia.

Here are a few steps and checks you can perform to troubleshoot and potentially resolve this issue:

1. Check Redirection Logic in Nginx Configuration:
   Ensure that the redirection URL is being constructed correctly in your Nginx configuration. The part where you set $target_url should correctly reflect the intended destination. You might want to explicitly log this variable to ensure it's being set as expected.

2. Verify Header Forwarding:
   Make sure that all necessary headers are being forwarded correctly by Nginx to Authelia, especially the X-Forwarded-Proto, X-Forwarded-Host, and X-Original-URL headers. These headers are crucial for Authelia to understand the original request context and construct the correct redirection URLs.

3. Examine Authelia's Session Cookie Configuration:
   The error message from Authelia about the session cookie domain suggests there might be an issue with how the session cookies are configured. Ensure that the domain attribute in the session configuration in Authelia's configuration.yaml matches the domain from which the requests are originating. Since you're using mysite.me, this should be correctly set, but it's worth double-checking.

4. Inspect Authelia and Nginx Logs:
   Since you have logging enabled at the debug level for Authelia, review the logs to see if there are any additional details about the requests when they fail. Similarly, increase the logging level in Nginx to capture more details about the incoming requests and the headers being passed to Authelia.

5. Network Configuration and DNS Resolution:
   Since you're using AdGuard Home on a separate machine, ensure that DNS resolution is consistent across your network, especially for the domains pointed to your Nginx Proxy Manager. Misconfigured DNS or DNS caching issues could lead to incorrect routing or header information being passed to Authelia.

6. Simplify Configuration for Testing:
   Temporarily simplify your Nginx and Authelia configurations to the basics needed to authenticate and redirect. This can help isolate the problem by removing potential confounding factors in more complex configurations.

If after these checks the issue still persists, you might want to explicitly set the redirection URL in the error handling of your Nginx configuration to see if forcing a correct redirection URL resolves the issue. Additionally, consider reaching out to the Authelia community or reviewing similar configuration examples to see if others have encountered and resolved similar issues.

This comment was generated by Glime.

[james-d-elliott]

Can you try with proxy_set_header X-Forwarded-Host $http_host; replaced with proxy_set_header X-Forwarded-Host $host;, I suspect this is related to the other QUIC issue which I have not really had time to investigate fully.

[captainabloc]

thanks, I'll try,

so far testing another one:
added the following in the location / { part of the configured proxies

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_cache_bypass $http_upgrade;

right after
proxy_no_cache $cookie_session;

looks like working, but still under test

edit: after a week of test, confirm my last input works OK, no more request for 2fa from LAN