How to use my SSO system? #282

Closed
opened 2025-11-13 11:55:33 -06:00 by GiteaMirror · 4 comments
Owner

Originally created by @Rihan9 on GitHub (Apr 30, 2025).

Hi all,
I'd like to use my authalia installation on the other side of the tunnel, but I don't know how.

I setted up the middleware in this way:

{
  "address": "https://public.authelia.url.com/api/authz/forward-auth",
  "authResponseHeaders": [
    "Remote-User",
    "Remote-Groups",
    "Remote-Name",
    "Remote-Email"
  ],
  "trustForwardHeader": true
}

but the X-Forwarded headers got removed by traefik/badger/something so I can't really use it (francly, I prefer that endpoint can't be used from the public url)

I even tried this:

{
  "address": "http://authelia:9001/api/authz/forward-auth",
  "authResponseHeaders": [
    "Remote-User",
    "Remote-Groups",
    "Remote-Name",
    "Remote-Email"
  ],
  "trustForwardHeader": true
}

where authelia is the name of my docker container in the local machine, but the address http://authelia:9001 seems unreachable (I guess it cannot resolve the hostname).

Is there a way to do this?

  • Maybe a custom rule on traefik just to create a unguarded endpoint? Like "if the incoming traffic is from the local machine, and the urls is "authelia.alternative.url" then go to service-xxx mainteining the X-Forwarded headers"? Can I ask some help to made something like this, if possible?
  • I will not host authelia on my VPS.
  • I can not use the Pangolin Authentication system. My entire network system is mode so if the WAN connection is down, the server will be reachable and working without any issue (my smart home will collapse otherwise). Locally I have a dns rewritting and a caddy reverse proxy configurated and most of my services use SSO. Pangolin doesn't have a way to works like a SSO server and even if pangolin should one day have it,It may not be used locally.
Originally created by @Rihan9 on GitHub (Apr 30, 2025). Hi all, I'd like to use my authalia installation on the other side of the tunnel, but I don't know how. I setted up the middleware in this way: ``` { "address": "https://public.authelia.url.com/api/authz/forward-auth", "authResponseHeaders": [ "Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email" ], "trustForwardHeader": true } ``` but the X-Forwarded headers got removed by traefik/badger/something so I can't really use it (francly, I prefer that endpoint can't be used from the public url) I even tried this: ``` { "address": "http://authelia:9001/api/authz/forward-auth", "authResponseHeaders": [ "Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email" ], "trustForwardHeader": true } ``` where authelia is the name of my docker container in the local machine, but the address http://authelia:9001 seems unreachable (I guess it cannot resolve the hostname). Is there a way to do this? - Maybe a custom rule on traefik just to create a unguarded endpoint? Like "if the incoming traffic is from the local machine, and the urls is "authelia.alternative.url" then go to service-xxx mainteining the X-Forwarded headers"? Can I ask some help to made something like this, if possible? - I will not host authelia on my VPS. - I can not use the Pangolin Authentication system. My entire network system is mode so if the WAN connection is down, the server will be reachable and working without any issue (my smart home will collapse otherwise). Locally I have a dns rewritting and a caddy reverse proxy configurated and most of my services use SSO. Pangolin doesn't have a way to works like a SSO server and even if pangolin should one day have it,It may not be used locally.
Author
Owner

@Rihan9 commented on GitHub (Apr 30, 2025):

this issues is related to this: https://github.com/hhftechnology/middleware-manager/issues/23 opened on middleware-manager

@Rihan9 commented on GitHub (Apr 30, 2025): this issues is related to this: https://github.com/hhftechnology/middleware-manager/issues/23 opened on middleware-manager
Author
Owner

@Rihan9 commented on GitHub (Apr 30, 2025):

I stole the internal ip using the traefik dashboard:

Image

Image

and now the middleware works perfectly. Obviusly I can't use the Ip like this, I doubt it is stable.

I tried to made a route:

http:
  routers:
    authelia:
      entryPoints:
          - web
      priority: 100
      rule: "Host(`internal-auth.{{OMITTED}}`)"
      service: 14-service@http

and use that host but it doesn't work.

@Rihan9 commented on GitHub (Apr 30, 2025): I stole the internal ip using the traefik dashboard: ![Image](https://github.com/user-attachments/assets/a6b07076-917f-4579-abfc-6e599b61c68f) ![Image](https://github.com/user-attachments/assets/21ea02ea-242b-481f-8510-c2bca257e292) and now the middleware works perfectly. Obviusly I can't use the Ip like this, I doubt it is stable. I tried to made a route: ``` http: routers: authelia: entryPoints: - web priority: 100 rule: "Host(`internal-auth.{{OMITTED}}`)" service: 14-service@http ``` and use that host but it doesn't work.
Author
Owner

@oschwartz10612 commented on GitHub (May 2, 2025):

In 1.3.0 this is now naively built in!

@oschwartz10612 commented on GitHub (May 2, 2025): In [1.3.0](https://github.com/fosrl/pangolin/releases/tag/1.3.0) this is now naively built in!
Author
Owner

@Rihan9 commented on GitHub (May 2, 2025):

Thanks for the info!! I'll wait for it then!!

@Rihan9 commented on GitHub (May 2, 2025): Thanks for the info!! I'll wait for it then!!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#282