renamed folder

reverse-proxy/.env

@@ -0,0 +1,12 @@
+#GLOBAL SETTINGS
+COMPOSE_HTTP_TIMEOUT=120
+COMPOSE_IGNORE_ORPHANS=1
+DOCKER_CONFIGS=.
+DOCKERGID=999
+DOCKERHOSTNAME=ProxyServer
+DOCKERLOGGING_MAXFILE=10
+DOCKERLOGGING_MAXSIZE=200k
+PGID=1000
+PUID=1000
+UMASK=000
+TZ=America/Chicago

reverse-proxy/authelia/add-to-protected-domains.conf

@@ -0,0 +1,10 @@
+include /snippets/authelia-location.conf;
+
+location / {
+    include /snippets/authelia-proxy.conf;
+    include /snippets/authelia-authrequest.conf;
+    proxy_pass $forward_scheme://$server:$port;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection upgrade;
+    proxy_set_header Accept-Encoding gzip;
+}

reverse-proxy/authelia/auth.domain.conf

@@ -0,0 +1,4 @@
+location / {
+    include /snippets/authelia-proxy.conf;
+    proxy_pass $forward_scheme://$server:$port;
+}

reverse-proxy/authelia/config/configuration.yml

@@ -0,0 +1,132 @@
+theme: dark
+jwt_secret: 9DGPzQy8SZQ7rV57V3DJnw
+
+#default_redirection_url: https://akanealw.com
+
+server:
+  host: 0.0.0.0
+  port: 9091
+  path: ""
+  buffers:
+    read: 4096
+    write: 4096
+  enable_pprof: false
+  enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+
+ntp:
+  address: "0.debian.pool.ntp.org:123"
+  version: 3
+  max_desync: 3s
+  disable_startup_check: true
+  disable_failure: true
+
+log:
+  level: info
+
+totp:
+  disable: false
+  issuer: akanealw.com
+  algorithm: sha1
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+
+authentication_backend:
+  password_reset:
+    disable: true
+  refresh_interval: 5m
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 64
+
+access_control:
+  default_policy: deny
+  networks:
+    - name: internal
+      networks:
+      - '10.0.0.0/8'
+      - '172.16.0.0/12'
+      - '192.168.0.0/16'
+  rules:
+    ## bypass all domains and subdomains from local ips
+    - domain:
+      - aknlw.com
+      - akanealw.com
+      - "*.akanealw.com"
+      networks:
+      - 'internal'
+      policy: bypass
+    ## bypass api for subdomains
+    - domain: 
+      - "*.akanealw.com"
+      resources:
+      - "^/api([/?].*)?$"
+      - "^/add([/?].*)?$"  
+      - "^/public([/?].*)?$"        
+      policy: bypass
+    # bypass specific subdomains
+    - domain:
+      - aknlw.com
+      - bitwarden.akanealw.com
+      - gitea.akanealw.com
+      - nextcloud.akanealw.com
+      policy: bypass
+    # bypass filebrowser shares
+    - domain:
+        - "filebrowser.akanealw.com"
+      resources:
+        - "^/api([/?].*)?$"
+        - "^/share([/?].*)?$"
+        - "^/static([/?].*)?$"
+      policy: bypass
+    # two_factor subdomains
+    - domain: 
+      - akanealw.com
+      - "*.akanealw.com"
+      policy: two_factor
+
+session:
+  name: authelia_session
+  domain: akanealw.com
+  same_site: lax
+  secret: 8r9y4d8mY7NfQtpCe2oU
+  expiration: 6h
+  inactivity: 5m
+  remember_me_duration: 1w
+
+regulation:
+  max_retries: 3
+  find_time: 10m
+  ban_time: 12h
+
+storage:
+  local:
+    path: /config/db.sqlite3
+  encryption_key: iiB7C8Bn4A2gAhzs2fWaggUug76PZ4LU
+  
+notifier:
+  disable_startup_check: true
+  smtp:
+    username: akanealw@gmail.com
+    password: qlvmffuzpscltdgz
+    host: smtp.gmail.com
+    port: 587
+    sender: akanealw@gmail.com
+    identifier: dockerserver
+    subject: "[Authelia] {title}"
+    startup_check_address: akanealw@gmail.com
+    disable_require_tls: false
+    disable_html_emails: false
+    tls:
+      skip_verify: false
+      minimum_version: TLS1.2

reverse-proxy/authelia/config/users_database.yml

@@ -0,0 +1,8 @@
+users:
+  akanealw:
+    displayname: "akanealw"
+    password: "$argon2id$v=19$m=65536,t=1,p=8$ZWJ2UGVPUDE2SnU0YXNvNg$Q3LQfN90kPI5/3Yr06WmTUjFbvIBBZPJP44YLhysT0M"
+    email: akanealw@gmail.com
+    groups:
+      - admins
+      

reverse-proxy/compose.yml

@@ -0,0 +1,37 @@
+services:
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38.10
+    environment:
+      - TZ=${TZ}
+    networks:
+      - reverse-proxy
+    ports:
+      - 9091:9091
+    restart: always
+    volumes:
+      - ${DOCKER_CONFIGS}/authelia/config:/config
+
+  nginxproxymanager:
+    container_name: nginxproxymanager
+    image: jc21/nginx-proxy-manager:2.12.3
+    environment:
+      - X_FRAME_OPTIONS=sameorigin
+      - DB_SQLITE_FILE=/data/database.sqlite
+    networks:
+      - reverse-proxy
+    ports:
+      - 443:443/tcp
+      - 80:80/tcp
+      - 81:81/tcp
+    restart: always
+    volumes:
+      - ${DOCKER_CONFIGS}/nginxproxymanager/data:/data
+      - ${DOCKER_CONFIGS}/nginxproxymanager/letsencrypt:/etc/letsencrypt
+      - ${DOCKER_CONFIGS}/nginxproxymanager/snippets:/snippets:ro
+      - /etc/localtime:/etc/localtime:ro
+
+networks:
+  reverse-proxy:
+    name: reverse-proxy
+    external: true

reverse-proxy/nginxproxymanager/snippets/authelia-authrequest.conf

@@ -0,0 +1,25 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /authelia;
+
+## Set the $target_url variable based on the original request.
+
+## Comment this line if you're using nginx without the http_set_misc module.
+set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Uncomment this line if you're using NGINX without the http_set_misc module.
+# set $target_url $scheme://$http_host$request_uri;
+
+## Save the upstream response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 =302 https://auth.akanealw.com/?rd=$target_url;

reverse-proxy/nginxproxymanager/snippets/authelia-location.conf

@@ -0,0 +1,36 @@
+set $upstream_authelia http://authelia:9091/api/verify;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_authelia;
+
+    ## Headers
+    ## The headers starting with X-* are required.
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Content-Length "";
+    proxy_set_header Connection "";
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

reverse-proxy/nginxproxymanager/snippets/authelia-proxy.conf

@@ -0,0 +1,8 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;