Comments (4)
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.
Based on the error message you provided, it seems that Authelia is rejecting the request because the target URL https://authelia.authelia.svc.cluster.local/api/verify is not recognized as being under the protected domain example.de. This is a common issue when internal service URLs do not match the external domain names that Authelia is configured to protect.
To resolve this issue, you have a couple of options:
- Use External Domain Name: As you discovered, using the external domain name (https://auth.example.de/api/verify) works because it matches the protected domain. However, you mentioned that you do not want the traffic to route over the internet. This approach ensures that the domain name matches but might not meet your network traffic requirements.
- Modify Authelia's Configuration: You can adjust Authelia's configuration to recognize the internal service URL as a valid target. This involves adding the internal domain (authelia.authelia.svc.cluster.local) to the list of domains that Authelia considers to be protected. You would need to update the domain configuration in Authelia to include this internal domain.
- Network Configuration: Another approach could be to adjust your network configuration so that requests to https://auth.example.de are internally routed to https://authelia.authelia.svc.cluster.local without leaving your internal network. This might involve internal DNS configurations or specific routing rules that keep the traffic within your internal network.
- SSL/TLS Configuration: Ensure that SSL/TLS is properly configured for internal communications if not already done. This ensures that even internal communications are secure and might help in resolving some of the issues related to secure URLs.
Given your requirements and setup, modifying Authelia's configuration to recognize the internal service URL or adjusting the network configuration to route internal traffic properly without going over the internet might be the most suitable solutions.
This comment was generated by Glime.
from authelia.
See the headers required (which must be set from the original request) for this authorization mechanism: https://www.authelia.com/reference/guides/proxy-authorization/#legacy
This will need either a configuration fix or a fix from haproxy-ingress.
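An added illustration (example code, not Authelia's own implementation) of why those headers matter: a small Python model of how a legacy verify endpoint rebuilds the original request URL from X-Original-URL or the X-Forwarded-* headers and checks it against the protected domain. The protected domain, the verify path and the fallback to the Host header when the proxy sets no forwarded headers are assumptions of this model.

```python
from urllib.parse import urlsplit

# Constructed values for this example (assumptions, not Authelia's config):
PROTECTED_DOMAIN = "example.de"          # the domain Authelia is configured to protect
VERIFY_PATH = "/api/verify"              # the path the proxy calls on Authelia itself


def resolve_target_url(headers, request_path=VERIFY_PATH):
    """Rebuild the URL of the request the user actually made.

    Order modelled on the documented legacy mechanism: X-Original-URL first,
    otherwise X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-URI. When the
    proxy sets none of them (the haproxy-ingress case in this thread) the only
    host left is the Host header of the verify call itself, i.e. the internal
    service name (this fallback behaviour is an assumption of the model).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-original-url"):
        return h["x-original-url"]
    proto = h.get("x-forwarded-proto", "https")
    host = h.get("x-forwarded-host") or h.get("host", "")
    uri = h.get("x-forwarded-uri", request_path)
    return f"{proto}://{host}{uri}"


def is_under_protected_domain(url, domain=PROTECTED_DOMAIN):
    """True if the URL's host is the protected domain or a subdomain of it.

    The suffix check is anchored on a dot so that 'notexample.de' is rejected.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def verify(headers):
    """Return (target_url, accepted) for one verify call from the proxy."""
    target = resolve_target_url(headers)
    return target, is_under_protected_domain(target)


if __name__ == "__main__":
    # Proxy sends only the bare verify call: the target collapses to the svc name.
    bare = {"Host": "authelia.authelia.svc.cluster.local"}
    # Proxy copies the forwarded headers from the original request: target is right.
    forwarded = dict(bare, **{"X-Forwarded-Proto": "https",
                              "X-Forwarded-Host": "app.example.de",
                              "X-Forwarded-URI": "/dashboard"})
    for name, hdrs in (("bare", bare), ("forwarded", forwarded)):
        target, ok = verify(hdrs)
        print(f"{name:9s} target={target} accepted={ok}")
```

The "bare" case reproduces the rejected internal URL quoted above; only the headers, not the network path, decide which host is checked.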
Looks like something they support configuring via the headers option at their end: jcmoraisjr/haproxy-ingress#926
I've also updated the previously posted example to reflect this for the 4.38 forward auth endpoint: #2411 (comment)
Converting to a discussion, this clearly isn't a bug on our end looking at the headers they set.