From 2ce3afd3e7ad2db2d8509f8d726430f4262fdf14 Mon Sep 17 00:00:00 2001
From: Leonardo Christino <leomilho@gmail.com>
Date: Wed, 18 Oct 2023 11:26:36 +0200
Subject: [PATCH] chore: update nginx config to forward headers to frontend

---
 Makefile         |  7 +++++--
 nginx/nginx.conf | 44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 04b9b607c..86e4539b9 100644
--- a/Makefile
+++ b/Makefile
@@ -8,9 +8,12 @@
 # linux:
 # 	pnpm build
 
-docker: login
+# @docker push harbor.graphpolaris.com/graphpolaris/frontend\:latest
+
+docker:
 	@docker build -t harbor.graphpolaris.com/graphpolaris/frontend:latest .
-	@docker push harbor.graphpolaris.com/graphpolaris/frontend\:latest
+dockerrun:
+	@docker run --publish 4200:4200 harbor.graphpolaris.com/graphpolaris/frontend:latest
 
 push:
 	@pnpm lint
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index e053b4e8a..c9114ea10 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -5,8 +5,52 @@ server {
     root   /usr/share/nginx/html;
     index  index.html index.htm;
     try_files $uri $uri/ /index.html;
+
+    ##############################
+    # authentik-specific config
+    ##############################
+    auth_request     /outpost.goauthentik.io/auth/nginx;
+    error_page       401 = @goauthentik_proxy_signin;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header       Set-Cookie $auth_cookie;
+
+    # translate headers from the outposts back to the actual upstream
+    auth_request_set $authentik_username $upstream_http_x_authentik_username;
+    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+    auth_request_set $authentik_email $upstream_http_x_authentik_email;
+    auth_request_set $authentik_name $upstream_http_x_authentik_name;
+    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+    proxy_set_header X-authentik-username $authentik_username;
+    proxy_set_header X-authentik-groups $authentik_groups;
+    proxy_set_header X-authentik-email $authentik_email;
+    proxy_set_header X-authentik-name $authentik_name;
+    proxy_set_header X-authentik-uid $authentik_uid;
   }
 
+  # all requests to /outpost.goauthentik.io must be accessible without authentication
+    location /outpost.goauthentik.io {
+        proxy_pass              https://auth.staging.graphpolaris.com/outpost.goauthentik.io;
+        # ensure the host of this vserver matches your external URL you've configured
+        # in authentik
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+        add_header              Set-Cookie $auth_cookie;
+        auth_request_set        $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+    }
+
+    # Special location for when the /auth endpoint returns a 401,
+    # redirect to the /start URL which initiates SSO
+    location @goauthentik_proxy_signin {
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+        # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+    }
+
   error_page 500 502 503 504 /50x.html;
 
   location = /50x.html {
-- 
GitLab