dynamically redirect auth_request

Dave Macias davama at gmail.com
Tue Sep 19 21:25:34 UTC 2023


Figured it out

using lua-resty-http.

I created a simple Lua script which checks both URIs and returns the
correct URL for the active one:

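local http = require "resty.http"
local httpc = http.new()
-- Probe the first Authelia server; request_uri returns nil, err when the
-- connection itself fails, so res1 must be checked before reading .status
local res1, err1 = httpc:request_uri("https://authelia1.domain.net", {
  method = "GET",
  keepalive_timeout = 60000,
  keepalive_pool = 10,
  ssl_verify = false  -- the server certificate is not verified
})
if res1 and res1.status == 200 then
  ngx.var.authelia_uri = 'https://authelia1.domain.net'
else
  -- First server is down or unhealthy: probe the second one
  local res2, err2 = httpc:request_uri("https://authelia2.domain.net", {
    method = "GET",
    keepalive_timeout = 60000,
    keepalive_pool = 10,
    ssl_verify = false  -- the server certificate is not verified
  })
  if res2 and res2.status == 200 then
    ngx.var.authelia_uri = 'https://authelia2.domain.net'
  end
end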

Then in my nginx config I have:

server {
  location / {
    set $authelia_uri "";
    rewrite_by_lua_file   /etc/nginx/health_check.lua;
    add_header X-Authelia-Uri "$authelia_uri"; # just for debugging

    auth_request /authelia;
    error_page 401 =302 $authelia_uri/?rd=$target_url;
  }
  set $upstream_authelia $authelia_uri/api/verify;
}

With this my app is protected with the active authelia server.

Not sure if it's the best setup, but it works.

Thanks

On Tue, Sep 19, 2023 at 11:06 AM Dave Macias <davama at gmail.com> wrote:

> Hello,
>
> Hope you are doing well.
> We currently use Authelia to authenticate users but want to add a
> redundant Authelia server so that users can continue to access the content.
>
> Put simply our current nginx config is:
>
> server {
>   location / {
>     auth_request /authelia;
>     error_page 401 =302 https://authelia1.domain.net/?rd=$target_url;
>   }
>   set $upstream_authelia https://authelia1.domain.net/api/verify;
>   location /authelia {
>     internal;
>     proxy_pass $upstream_authelia;
>   }
> }
>
> Things I have tried:
>
> With lua-resty-upstream-healthcheck
> <https://github.com/openresty/lua-resty-upstream-healthcheck> and the
> below upstream:
>
> upstream authelia_cluster {
>     least_conn;
>     server authelia1.domain.net:443;
>     server authelia2.domain:443 backup;
>     keepalive 60;
> }
>
> With this I am able to dynamically render content based on the available
> upstream authelia server but cannot translate that to authentication with
> `auth_request`.
>
> location /test {
>   proxy_pass https://authelia_cluster/metrics;
> }
>
> My guess as to the simplest solution is to dynamically set the
> upstream_authelia variable and the error_page setting based on
> the available upstream authelia_cluster server, but I am not sure how.
>
> Any input is much appreciated!
>
> Best,
> Dave
>
>
>
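
A hardened variant of the health-check script from the reply above, as an added example that is not the poster's code: it verifies the backend's TLS certificate, survives a failed connection, caches the result so every request does not trigger two probes, and fails closed when no backend answers. The shared dict name `authelia_health`, the CA bundle path, the timeout and the cache TTL are assumptions.

```lua
-- /etc/nginx/health_check.lua (added example, not the poster's script)
-- Assumed in the http{} block:
--   lua_shared_dict authelia_health 1m;                  (hypothetical dict name)
--   lua_ssl_trusted_certificate /path/to/ca-bundle.pem;  (placeholder path)
local http = require "resty.http"

local BACKENDS = {                 -- hostnames from the post, in priority order
  "https://authelia1.domain.net",
  "https://authelia2.domain.net",
}
local CACHE_KEY = "active_uri"
local CACHE_TTL = 5                -- seconds; constructed value
local cache = ngx.shared.authelia_health

-- True only when the backend answers 200 over a verified TLS session.
local function is_up(uri)
  local httpc = http.new()
  httpc:set_timeout(2000)          -- ms; a dead backend must not stall the request
  local res, err = httpc:request_uri(uri, { method = "GET", ssl_verify = true })
  if not res then                  -- connect, TLS or timeout failure: res is nil
    ngx.log(ngx.WARN, "authelia probe failed for ", uri, ": ", err)
    return false
  end
  return res.status == 200
end

-- Returns the first healthy backend, or nil when none responds.
local function pick_backend()
  local cached = cache:get(CACHE_KEY)
  if cached then return cached end
  for _, uri in ipairs(BACKENDS) do
    if is_up(uri) then
      cache:set(CACHE_KEY, uri, CACHE_TTL)
      return uri
    end
  end
  return nil
end

local uri = pick_backend()
if not uri then
  -- Fail closed: refuse the request rather than continue with an empty URI.
  ngx.log(ngx.ERR, "no Authelia backend reachable")
  return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
ngx.var.authelia_uri = uri
```

`rewrite_by_lua_file` runs at the end of the rewrite phase, after any `set` directives, so a variable derived from `$authelia_uri` with `set` is computed before this script assigns it; referencing `$authelia_uri` directly in the `proxy_pass` of the internal location avoids that ordering problem.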