aki/docker-compose-nas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(authelia): Update configuration and setup script for Tailscale domain handling in Authelia v4.38+
Some checks failed
/ validate-docker-compose (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Jose Daniel G. Percy 2025-04-26 00:41:41 +08:00
parent 6d9139408d
commit 4ad7bf0a38
3 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -401,7 +401,10 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
Authelia v4.38+ introduces significant changes to its configuration structure, particularly for session domains and authentication flows. The setup in this repository has been carefully configured to work with these changes: Authelia v4.38+ introduces significant changes to its configuration structure, particularly for session domains and authentication flows. The setup in this repository has been carefully configured to work with these changes:
1. **Domain Configuration**: The configuration now properly uses the base Tailscale domain (e.g., `ts.net`) for cookies rather than a wildcard domain, which is not allowed for cookie configuration in Authelia v4.38+. Wildcards are still used in access control rules where they are permitted. 1. **Domain Configuration**:
- You must use your specific Tailnet domain (e.g., `example.ts.net`) for cookies, not just `ts.net`
- The domain `ts.net` is part of the [Public Suffix List](https://publicsuffix.org/), which means browsers restrict cookies on it for security reasons
- Authelia will refuse to start if you try to use a domain from this list
2. **Required Secret Variables**: You must set these four variables in your `.env` file: 2. **Required Secret Variables**: You must set these four variables in your `.env` file:
- `AUTHELIA_JWT_SECRET`: Used for password reset tokens - `AUTHELIA_JWT_SECRET`: Used for password reset tokens
@ -412,15 +415,15 @@ Authelia v4.38+ introduces significant changes to its configuration structure, p
Generate strong random values for these with: `openssl rand -hex 32` Generate strong random values for these with: `openssl rand -hex 32`
3. **Automatic Domain Setup**: The `update-setup.sh` script automatically: 3. **Automatic Domain Setup**: The `update-setup.sh` script automatically:
- Extracts your Tailscale base domain (e.g., `ts.net`) from your `.env` file - Uses your specific Tailnet domain (e.g., `example.ts.net`) from your `.env` file
- Configures cookie domains properly without wildcards - Configures cookie domains properly to avoid Public Suffix List issues
- Sets the correct URLs based on your Tailscale hostname - Sets up proper access control rules for both your domain and its subdomains
4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools. 4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools.
If you encounter any of these common errors, running the setup script should resolve them: If you encounter any of these common errors, running the setup script should resolve them:
``` ```
error: option 'domain' must be the domain you wish to protect not a wildcard domain error: option 'domain' is not a valid cookie domain: the domain is part of the special public suffix list
error: option 'authelia_url' does not share a cookie scope with domain error: option 'authelia_url' does not share a cookie scope with domain
error: can't be specified at the same time: option 'domain' and option 'cookies' error: can't be specified at the same time: option 'domain' and option 'cookies'
configuration key 'jwt_secret' is deprecated in 4.38.0 configuration key 'jwt_secret' is deprecated in 4.38.0

15
authelia/configuration.example.yml
View File

@ -22,10 +22,10 @@ session:
password: ${AUTHELIA_SESSION_REDIS_PASSWORD} password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
database_index: 0 database_index: 0
cookies: cookies:
# Using parent domain to allow proper cookie scope # Using your specific Tailscale domain (e.g. example.ts.net) not just ts.net
- domain: 'ts.net' - domain: 'your-tailnet.ts.net'
authelia_url: 'https://tailscale-nas.ts.net' authelia_url: 'https://tailscale-nas.your-tailnet.ts.net'
default_redirection_url: 'https://tailscale-nas.ts.net/home' default_redirection_url: 'https://tailscale-nas.your-tailnet.ts.net/home'
same_site: lax same_site: lax
# Regulation (brute force protection) # Regulation (brute force protection)
@ -56,8 +56,11 @@ authentication_backend:
access_control: access_control:
default_policy: deny default_policy: deny
rules: rules:
# This will match any Tailscale domain - using wildcard with domains is allowed in rules # This will match any subdomain of your specific Tailscale domain
- domain: '*.ts.net' - domain: '*.your-tailnet.ts.net'
policy: one_factor
# Also match the main domain without subdomain
- domain: 'your-tailnet.ts.net'
policy: one_factor policy: one_factor
# Notifier configuration # Notifier configuration

20
update-setup.sh
View File

@ -233,22 +233,22 @@ update_authelia_config() {
TAILSCALE_HOSTNAME=$(grep -o "TAILSCALE_HOSTNAME=.*" "$ENV_FILE" | cut -d'=' -f2 | tr -d '"' | tr -d "'") TAILSCALE_HOSTNAME=$(grep -o "TAILSCALE_HOSTNAME=.*" "$ENV_FILE" | cut -d'=' -f2 | tr -d '"' | tr -d "'")
if [ -n "$TAILNET_DOMAIN" ] && [ -n "$TAILSCALE_HOSTNAME" ]; then if [ -n "$TAILNET_DOMAIN" ] && [ -n "$TAILSCALE_HOSTNAME" ]; then
# Extract the base domain (e.g., from "example.ts.net" get "ts.net") # Use the full Tailnet domain (e.g., "example.ts.net") for cookies
BASE_DOMAIN=$(echo "$TAILNET_DOMAIN" | grep -o '[^.]\+\.[^.]\+$') # not just "ts.net" which is a public suffix and not allowed
# Replace placeholders with actual values # Replace domain placeholder with actual Tailnet domain
# For cookie domain, use the base domain (e.g., "ts.net" not "*.ts.net") sed -i "s/domain: 'your-tailnet.ts.net'/domain: '$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
sed -i "s/domain: 'ts.net'/domain: '$BASE_DOMAIN'/g" "$AUTHELIA_CONFIG"
# For access control rules, wildcard pattern is allowed # For access control rules, update both wildcards and direct domain
sed -i "s/domain: '\*.ts.net'/domain: '\*.$BASE_DOMAIN'/g" "$AUTHELIA_CONFIG" sed -i "s/domain: '\*.your-tailnet.ts.net'/domain: '\*.$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
sed -i "s/domain: 'your-tailnet.ts.net'/domain: '$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
# For URLs, use the full hostname # For URLs, use the full hostname
sed -i "s/https:\/\/tailscale-nas.ts.net/https:\/\/$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN/g" "$AUTHELIA_CONFIG" sed -i "s/https:\/\/tailscale-nas.your-tailnet.ts.net/https:\/\/$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN/g" "$AUTHELIA_CONFIG"
echo -e "${GREEN}Configured Authelia with your Tailscale domain:${NC}" echo -e "${GREEN}Configured Authelia with your Tailscale domain:${NC}"
echo -e "${CYAN} - Base domain for cookies: ${GREEN}$BASE_DOMAIN${NC}" echo -e "${CYAN} - Cookie domain: ${GREEN}$TAILNET_DOMAIN${NC}"
echo -e "${CYAN} - Access control for: ${GREEN}*.$BASE_DOMAIN${NC}" echo -e "${CYAN} - Access control for: ${GREEN}*.$TAILNET_DOMAIN and $TAILNET_DOMAIN${NC}"
echo -e "${CYAN} - Authelia URL: ${GREEN}https://$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN${NC}" echo -e "${CYAN} - Authelia URL: ${GREEN}https://$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN${NC}"
else else
echo -e "${YELLOW}Warning: Could not find both TAILSCALE_HOSTNAME and TAILSCALE_TAILNET_DOMAIN in .env${NC}" echo -e "${YELLOW}Warning: Could not find both TAILSCALE_HOSTNAME and TAILSCALE_TAILNET_DOMAIN in .env${NC}"