init support for auth_request and add authentik example

core/reverseproxy/confs/server-http/reverse-proxy.conf

@@ -6,59 +6,81 @@ proxy_intercept_errors on;
 proxy_intercept_errors off;
 	{% endif +%}
 
-    {% if USE_PROXY_CACHE == "yes" +%}
+	{% if USE_PROXY_CACHE == "yes" +%}
 proxy_cache proxycache;
 proxy_cache_methods {{ PROXY_CACHE_METHODS }};
 proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
 proxy_cache_key {{ PROXY_CACHE_KEY }};
 proxy_no_cache {{ PROXY_NO_CACHE }};
 proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
-        {% if PROXY_CACHE_VALID != "" +%}
+		{% if PROXY_CACHE_VALID != "" +%}
-            {% for element in PROXY_CACHE_VALID.split(" ") +%}
+			{% for element in PROXY_CACHE_VALID.split(" ") +%}
 proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
-            {% endfor %}
+			{% endfor %}
 add_header X-Proxy-Cache $upstream_cache_status;
-        {% endif %}
+		{% endif %}
 
-    {% endif %}
+	{% endif %}
 
+	{% set counter = namespace(value=1) %}
 	{% for k, v in all.items() %}
 		{% if k.startswith("REVERSE_PROXY_URL") and v != "" +%}
 			{% set url = v %}
 			{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
 			{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
 			{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
+			{% set headers_client = all[k.replace("URL", "HEADERS_CLIENT")] if k.replace("URL", "HEADERS_CLIENT") in all else "" %}
 			{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
 			{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
+			{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
+			{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
+			{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
 location {{ url }} {% raw %}{{% endraw +%}
 	etag off;
-	set $backend "{{ host }}";
+	set $backend{{ counter.value }} "{{ host }}";
-	proxy_pass $backend;
+	proxy_pass $backend{{ counter.value }};
 	proxy_set_header Host $host;
 	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_set_header X-Real-IP $remote_addr;
 	proxy_set_header X-Forwarded-Proto $scheme;
 	proxy_set_header X-Forwarded-Protocol $scheme;
 	proxy_set_header X-Forwarded-Host $http_host;
-	{% if buffering == "yes" +%}
+		{% if buffering == "yes" +%}
 	proxy_buffering on;
-	{% else +%}
+		{% else +%}
 	proxy_buffering off;
-	{% endif %}
+		{% endif %}
-			{% if ws == "yes" +%}
+		{% if ws == "yes" +%}
 	proxy_http_version 1.1;
 	proxy_set_header Upgrade $http_upgrade;
 	proxy_set_header Connection $connection_upgrade;
-			{% elif keepalive == "yes" +%}
+		{% elif keepalive == "yes" +%}
 	proxy_http_version 1.1;
 	proxy_set_header Connection "";
-			{% endif %}
+		{% endif %}
-			{% if headers != "" %}
+		{% if auth_request != "" +%}
-				{% for header in headers.split(";") +%}
+	auth_request {{ auth_request }};
+		{% endif +%}
+		{% if auth_request_signin_url != "" +%}
+	error_page 401 =302 {{ auth_request_signin_url }};
+		{% endif +%}
+		{% if auth_request_sets != "" +%}
+			{% for auth_request_set in auth_request_sets.split(";") +%}
+	auth_request_set {{ auth_request_set }};
+			{% endfor +%}
+		{% endif +%}
+		{% if headers != "" +%}
+			{% for header in headers.split(";") +%}
 	proxy_set_header {{ header }};
-				{% endfor %}
+			{% endfor +%}
-			{% endif %}
+		{% endif +%}
+		{% if headers_client != "" +%}
+			{% for header_client in headers_client.split(";") +%}
+	add_header {{ header_client }};
+			{% endfor +%}
+		{% endif +%}
 {% raw %}}{% endraw %}
 		{% endif %}
+		{% set counter.value = counter.value + 1 %}
 	{% endfor %}
 {% endif %}

core/reverseproxy/plugin.json

@@ -56,13 +56,23 @@
 		"REVERSE_PROXY_HEADERS": {
 			"context": "multisite",
 			"default": "",
-			"help": "List of HTTP headers to send to proxied resource.",
+			"help": "List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive).",
 			"id": "reverse-proxy-headers",
 			"label": "Reverse proxy headers",
 			"regex": "^.*$",
 			"type": "text",
 			"multiple": "reverse-proxy"
 		},
+        "REVERSE_PROXY_HEADERS_CLIENT": {
+			"context": "multisite",
+			"default": "",
+			"help": "List of HTTP headers to send to client separated with ; (values for add_header directive).",
+			"id": "reverse-proxy-headers-client",
+			"label": "Reverse proxy headers-client",
+			"regex": "^.*$",
+			"type": "text",
+			"multiple": "reverse-proxy"
+		},
 		"REVERSE_PROXY_BUFFERING": {
 			"context": "multisite",
 			"default": "yes",
@@ -83,6 +93,36 @@
 			"type": "check",
 			"multiple": "reverse-proxy"
 		},
+        "REVERSE_PROXY_AUTH_REQUEST": {
+			"context": "multisite",
+			"default": "",
+			"help": "Enable authentication using an external provider (value of auth_request directive).",
+			"id": "reverse-proxy-auth-request",
+			"label": "Reverse proxy auth request",
+			"regex": "^/.*$",
+			"type": "text",
+			"multiple": "reverse-proxy"
+		},
+        "REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL": {
+			"context": "multisite",
+			"default": "",
+			"help": "Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).",
+			"id": "reverse-proxy-auth-request-signin-url",
+			"label": "Auth request signin URL",
+			"regex": "^http.*$",
+			"type": "text",
+			"multiple": "reverse-proxy"
+		},
+        "REVERSE_PROXY_AUTH_REQUEST_SET": {
+			"context": "multisite",
+			"default": "",
+			"help": "List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).",
+			"id": "reverse-proxy-auth-request-set",
+			"label": "Reverse proxy auth request set",
+			"regex": "^.*$",
+			"type": "text",
+			"multiple": "reverse-proxy"
+		},
 		"USE_PROXY_CACHE": {
 			"context": "multisite",
 			"default": "no",

examples/authentik/.env

@@ -0,0 +1,3 @@
+PG_PASS=changeme
+AUTHENTIK_SECRET_KEY=changeme
+AUTHENTIK_COOKIE_DOMAIN=example.com

examples/authentik/docker-compose.yml

@@ -0,0 +1,154 @@
+version: '3.4'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.0
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      # Proxy to outpost
+      - REVERSE_PROXY_URL_999=/outpost.goauthentik.io
+      - REVERSE_PROXY_HOST_999=http://server:9000
+      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+      - REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
+      - REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
+      # Authentik
+      - auth.example.com_REVERSE_PROXY_URL=/
+      - auth.example.com_REVERSE_PROXY_HOST=http://server:9000
+      - auth.example.com_REVERSE_PROXY_WS=yes
+      - auth.example.com_LIMIT_REQ_URL_1=^/api/
+      - auth.example.com_LIMIT_REQ_RATE_1=5r/s
+      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+      - auth.example.com_ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
+      - auth.example.com_COOKIE_FLAGS=* SameSite=Lax
+      # Applications
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=http://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
+      - app1.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
+      - app1.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=http://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
+      - app2.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
+      - app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
+
+  # APPLICATIONS
+  app1:
+    image: node
+    working_dir: /home/node/app
+    volumes:
+      - ./js-app:/home/node/app
+    environment:
+      - NODE_ENV=production
+    command: bash -c "npm install express && node index.js"
+  app2:
+    image: tutum/hello-world
+
+  # AUTHENTIK SERVICES
+  postgresql:
+    image: postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "pg_isready"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
+      - POSTGRES_USER=${PG_USER:-authentik}
+      - POSTGRES_DB=${PG_DB:-authentik}
+    env_file:
+      - .env
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+      # WORKERS: 2
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+      - geoip:/geoip
+    env_file:
+      - .env
+    # ports:
+      # - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
+      # - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    # This is optional, and can be removed. If you remove this, the following will happen
+    # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
+    # - The docker socket can't be accessed anymore
+    user: root
+    volumes:
+      - ./media:/media
+      - ./certs:/certs
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./custom-templates:/templates
+      - geoip:/geoip
+    env_file:
+      - .env
+  geoipupdate:
+    image: "maxmindinc/geoipupdate:latest"
+    volumes:
+      - "geoip:/usr/share/GeoIP"
+    environment:
+      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+      GEOIPUPDATE_FREQUENCY: "8"
+    env_file:
+      - .env
+
+volumes:
+  bw_data:
+  database:
+  geoip:

examples/authentik/js-app/index.js

@@ -0,0 +1,13 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+  res.send('Hello World from app1!')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening at http://localhost:${port}`)
+})
+
+

examples/authentik/js-app/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "js-app",
+  "version": "1.0.0",
+  "description": "demo",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.17.1"
+  }
+}
+

helpers/entrypoint.sh

@@ -40,6 +40,10 @@ function trap_reload() {
 }
 trap "trap_reload" HUP
 
+if [ -f /opt/bunkerweb/tmp/scheduler.pid ] ; then
+	rm -f /opt/bunkerweb/tmp/scheduler.pid
+fi
+
 if [ "$SWARM_MODE" != "yes" ] && [ "$KUBERNETES_MODE" != "yes" ] && [ "$AUTOCONF_MODE" != "yes" ] ; then
 	# execute temp nginx with no server
 	export TEMP_NGINX="yes"