diff --git a/authelia.nix b/authelia.nix
index 19e349a..5fc52df 100644
--- a/authelia.nix
+++ b/authelia.nix
@@ -7,7 +7,7 @@
 nginxEnableACME ? true,
 nginxForceSSL ? true,
 nginxIsDefault ? true,
- config
+ config ? {}
 }:
 let
@@ -32,6 +32,8 @@
 runAuthelia = pkgs.writeShellScriptBin "runAuthelia" ''
 ${package}/bin/authelia --config ${configFile}
 '';
+ port = pkgs.attrByPath ["server" "port"] 9091 config;
+
 in {
 package = package;
@@ -56,7 +58,44 @@ in
 enableACME = nginxEnableACME;
 forceSSL = nginxForceSSL;
 default = nginxIsDefault;
- locations."/".proxyPass = "http://localhost:9091";
+ locations."/" = {
+ proxyPass = "http://localhost:${port}";
+ extraConfig = ''
+ client_body_buffer_size 128k;
+
+ #Timeout if the real server is dead
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+ # Advanced Proxy Config
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+
+ # Basic Proxy Config
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ # If behind reverse proxy, forwards the correct IP
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ '';
+ };
 };
 };
 };
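Review bot: The new `port` binding calls `pkgs.attrByPath`, but in nixpkgs `attrByPath` is a `lib` function (`pkgs.lib.attrByPath`), so unless this `pkgs` argument is a wrapper that re-exports lib functions, the line fails with a missing-attribute error on first evaluation. Suggest `port = pkgs.lib.attrByPath ["server" "port"] 9091 config;`. The `let` block this sits in starts outside the hunk, so check whether a `lib` binding already exists there before changing it.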
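Review bot: `proxyPass = "http://localhost:${port}";` interpolates an integer, and Nix does not coerce integers to strings, so with the default `9091` (or any integer `server.port` supplied in `config`) evaluation fails; use `proxyPass = "http://localhost:${toString port}";`. Separately, the `set_real_ip_from` block trusts `X-Forwarded-For` from every RFC 1918 and ULA range, so any client on those networks that reaches nginx directly can choose the address Authelia sees for logging and its login regulation; if nginx is the edge here, drop the block or narrow it to the real upstream proxy addresses, ideally as a module parameter like the other `nginx*` arguments. `X-Forwarded-Ssl on` is also hard-coded even when `nginxForceSSL = false`, so the forwarded scheme can disagree with what the client actually used. The enclosing attribute set continues outside the hunk.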