OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: achandran on August 26, 2020, 09:36:54 pm

Title: Nginx proxy - MFA using authelia
Post by: achandran on August 26, 2020, 09:36:54 pm
Hi, new to OPNsense, previously had just an off-the-shelf router and had my home server running an nginx proxy that had multi-factor authentication done by authelia.
Now I am evaluating OPNsense and have 20.7.1 running on an old machine with the nginx proxy plugin. I have nginx set up properly so that I can access all my sites/services internally and externally correctly. Now I am trying to add the authorization server and am getting a little lost and would appreciate it if someone can help. Reading through the available information, it seems like I need to check Enable Advanced ACLs in the location setting and then modify the /usr/local/opnsense/scripts/nginx/ngx_auth.php script to point to the auth server. Is my understanding correct? Is this even possible?


EDIT: Actually, reading more, it seems like the right way is to define an authentication server in OPNsense and then that can be used within nginx. Going to try that now. Please do correct me if I am wrong; it looks like there isn't a way of adding an external authentication server in the plugin.


Another Edit: Figured out how to get two-factor authentication using the authentication backend server defined in OPNsense. It would be nice if I could use a standalone authentication server in this plugin like it is possible with the standalone nginx proxy. If there is a way to do that, I will appreciate someone sharing that knowledge.
Title: Re: Nginx proxy - MFA using authelia
Post by: fabian on August 27, 2020, 10:57:17 pm
I am the author of that piece of code and I do not really want an authentication system directly in the plugin. It should be configured in the system because then you can use the same authentication server in other components (like VPN) as well and you also get the tester in the UI for debugging. For your Server, you only need one small class in this directory: https://github.com/opnsense/core/tree/master/src/opnsense/mvc/app/library/OPNsense/Auth
Title: Re: Nginx proxy - MFA using authelia
Post by: achandran on August 30, 2020, 07:20:54 pm
I think I agree with that conceptually.
I am not a developer by any stretch of the imagination, just trying to set this up correctly and securely access my services. Now I am trying to see if I can direct traffic through nginx differently depending on if it is from the intranet vs the internet; that way I can have different authentication for different classes of users... A lot to read and understand :-)
Title: Re: Nginx proxy - MFA using authelia
Post by: achandran on September 01, 2020, 05:59:04 pm
Quote from: fabian on August 27, 2020, 10:57:17 pm
I am the author of that piece of code and I do not really want an authentication system directly in the plugin. It should be configured in the system because then you can use the same authentication server in other components (like VPN) as well and you also get the tester in the UI for debugging. For your Server, you only need one small class in this directory: https://github.com/opnsense/core/tree/master/src/opnsense/mvc/app/library/OPNsense/Auth

Is there a way to set the authorised user as remote_user in the header passed to upstream server?
Title: Re: Nginx proxy - MFA using authelia
Post by: fabian on September 01, 2020, 09:45:02 pm
If you cannot do that with an authentication server, you need a custom include. The config has some include hooks so you just need to add a directory with a special name containing a conf file to add a custom configuration.