Figured it out using lua-resty-http.
I created a simple Lua script which checks both URIs and returns the correct URL for the active one:

    local http = require "resty.http"
    local httpc = http.new()

    -- Probe the primary Authelia server first.
    -- Note: ssl_verify = false skips TLS certificate verification for the probe.
    local res1, err1 = httpc:request_uri("https://authelia1.domain.net", {
        method = "GET",
        keepalive_timeout = 60000,
        keepalive_pool = 10,
        ssl_verify = false
    })

    -- request_uri returns nil plus an error string when the connection fails,
    -- so check that a response exists before reading its status.
    if res1 and res1.status == 200 then
        ngx.var.authelia_uri = 'https://authelia1.domain.net'
    else
        -- Primary did not answer with 200: try the second server.
        local res2, err2 = httpc:request_uri("https://authelia2.domain.net", {
            method = "GET",
            keepalive_timeout = 60000,
            keepalive_pool = 10,
            ssl_verify = false
        })
        if res2 and res2.status == 200 then
            ngx.var.authelia_uri = 'https://authelia2.domain.net'
        end
    end

Then on my nginx config I have:

    server {
        location / {
            set $authelia_uri "";
            rewrite_by_lua_file /etc/nginx/health_check.lua;
            add_header X-Authelia-Uri "$authelia_uri"; # just for debugging
            auth_request /authelia;
            error_page 401 =302 $authelia_uri/?rd=$target_url;
        }
        set $upstream_authelia $authelia_uri/api/verify;
    }

With this my app is protected with the active authelia server.
Not sure if the best setup but it works.

Thanks

On Tue, Sep 19, 2023 at 11:06 AM Dave Macias <dav...@gmail.com> wrote:

> Hello,
>
> Hope you are doing well.
> We currently use Authelia to authenticate users but want to add a
> redundant Authelia server so that users can continue to access the content.
>
> Put simply our current nginx config is:
>
> server {
>     location / {
>         auth_request /authelia;
>         error_page 401 =302 https://authelia1.domain.net/?rd=$target_url;
>     }
>     set $upstream_authelia https://authelia1.domain.net/api/verify;
>     location /authelia {
>         internal;
>         proxy_pass $upstream_authelia;
>     }
> }
>
> Things I have tried:
>
> With lua-resty-upstream-healthcheck
> <https://github.com/openresty/lua-resty-upstream-healthcheck> and the
> below upstream:
>
> upstream authelia_cluster {
>     least_conn;
>     server authelia1.domain.net:443;
>     server authelia2.domain:443 backup;
>     keepalive 60;
> }
>
> With this I am able to dynamically render content based on the available
> upstream authelia server but cannot translate that to authentication with
> `auth_request`.
>
> location /test {
>     proxy_pass https://authelia_cluster/metrics;
> }
>
> My guess as to the simplest solution is to dynamically set the
> upstream_authelia variable and the error_page setting based on
> the available upstream authelia_cluster server but I am not sure how.
>
> Any input is much appreciated!
>
> Best,
> Dave
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
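A hardened variant of the health-check script from the reply above, as an added example that is not code from the thread: it handles a failed probe (where `request_uri` returns `nil`), verifies the backend certificate, caches the chosen backend briefly, and returns 503 when neither backend answers. The shared dict name `authelia_health`, the timeout and the TTL are assumptions, and `ssl_verify = true` assumes `lua_ssl_trusted_certificate` is configured.

```lua
-- health_check.lua (added example, run from rewrite_by_lua_file as in the thread).
-- Picks the first Authelia backend that answers 200 and fails closed otherwise.
local http = require "resty.http"

-- Backends from the thread, in order of preference.
local BACKENDS = { "https://authelia1.domain.net", "https://authelia2.domain.net" }
local CACHE_TTL = 5  -- seconds; assumed value

-- Assumption: nginx.conf declares `lua_shared_dict authelia_health 1m;`
local cache = ngx.shared.authelia_health

local function is_healthy(base)
    local httpc = http.new()
    httpc:set_timeout(2000)  -- ms; assumed value, stops a dead backend stalling requests
    local res, err = httpc:request_uri(base, {
        method = "GET",
        ssl_verify = true,  -- requires lua_ssl_trusted_certificate in nginx.conf
    })
    if not res then
        -- Connection refused, timeout or TLS failure: res is nil, err is a string.
        ngx.log(ngx.WARN, "authelia probe failed for ", base, ": ", err)
        return false
    end
    return res.status == 200
end

local function pick_backend()
    -- Reuse a recent result so every request does not trigger a probe.
    local cached = cache and cache:get("active")
    if cached then return cached end
    for _, base in ipairs(BACKENDS) do
        if is_healthy(base) then
            if cache then cache:set("active", base, CACHE_TTL) end
            return base
        end
    end
    return nil
end

local active = pick_backend()
if not active then
    -- Fail closed: with no verifier reachable, reject instead of passing the request on.
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
ngx.var.authelia_uri = active
```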