nginx is a reverse proxy supported by Authelia
https://www.authelia.com/integration/proxies/nginx/
Note
Updated 22/08/2025 using nginx docs
Please check the documentation for help. This setup should be almost 1:1 with the current guide, with minor tweaks to use a baseurl instead of a subdomain.
Caution
You must have this configuration in your Authelia config.yml. You can change the port and the baseurl, but if you change them here they must also be changed in the nginx authelia.conf to match.
server:
  endpoints:
    authz:
      auth-request:
        implementation: "AuthRequest"
  address: "tcp://127.0.0.1:9091/login" # the path component (/login) is the baseurl; port and path must match authelia.conf
  buffers:
    read: 4096
    write: 4096
We will be working with these files:
/etc/nginx/conf.d/authelia.conf # include this file from the server block of your enabled nginx site
/etc/nginx/snippets/authelia_auth.conf # included by protected locations; unauthenticated requests are redirected to /login
/etc/nginx/snippets/authelia_proxy.conf # included only by the /login location in authelia.conf
Warning
The default configuration below uses the baseurl /login, but this can be changed according to the notes of each conf.
Note
baseurl specific lines for /etc/nginx/conf.d/authelia.conf
set $authz "/login/api/authz/auth-request"; # prefix sub directory - here it is /login
location /login {
Create this file /etc/nginx/conf.d/authelia.conf
and populate it with this:
set $upstream_authelia http://127.0.0.1:9091; # set the reused upstream proxy_pass url
set $authz "/login/api/authz/auth-request"; # prefix baseurl - here it is /login

location /login {
    include /etc/nginx/snippets/authelia_proxy.conf;
    proxy_pass $upstream_authelia;
}

location /internal/authelia/authz {
    internal;
    proxy_pass $upstream_authelia$authz; # $authz is suffixed here only

    ## Headers
    ## The headers starting with X-* are required.
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";

    ## Basic Proxy Configuration
    proxy_pass_request_body off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
    client_body_buffer_size 128k;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
Note
baseurl specific lines for the /etc/nginx/snippets/authelia_auth.conf
error_page 401 =302 https://$http_host/login/?rd=$target_url;
Create this file /etc/nginx/snippets/authelia_auth.conf
and populate it with this:
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when an authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and works easily with multi-cookie domain setups.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
# auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
# error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This uses plain 'set', so the URL is not escaped; if you have the http_set_misc module, use 'set_escape_uri' instead.
set $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. The portal URL below is built from $http_host and the /login baseurl; change it if your baseurl differs.
error_page 401 =302 https://$http_host/login/?rd=$target_url;
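The rd round trip that the Legacy Method comments describe, as an added example (not from this guide or from Authelia's code): it emulates in Python what nginx does with plain `set` versus `set_escape_uri`, so you can see which original URLs survive the redirect to the portal. The host example.test and the request URI are constructed placeholders, and `is_safe_return_target` is an illustrative check, not Authelia's own logic.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request, as nginx would see it for a protected location.
SCHEME, HTTP_HOST = "https", "example.test"           # placeholder host
REQUEST_URI = "/nextcloud/index.php?dir=/docs&page=2"  # original URI with a query string


def target_url(scheme: str, http_host: str, request_uri: str) -> str:
    """Mirrors: set $target_url $scheme://$http_host$request_uri;"""
    return f"{scheme}://{http_host}{request_uri}"


def redirect_location(http_host: str, target: str, escape: bool) -> str:
    """Mirrors: error_page 401 =302 https://$http_host/login/?rd=$target_url;

    escape=False is the plain `set` the snippet uses (value inserted verbatim);
    escape=True emulates `set_escape_uri` (http_set_misc), which percent-encodes
    every reserved character so the whole target fits in one query parameter.
    """
    rd = quote(target, safe="") if escape else target
    return f"https://{http_host}/login/?rd={rd}"


def rd_seen_by_portal(location: str) -> str:
    """Parse the Location header the way a portal at /login reads its rd parameter."""
    return parse_qs(urlsplit(location).query).get("rd", [""])[0]


def is_safe_return_target(rd: str, expected_host: str) -> bool:
    """Illustrative check: only follow rd back to https on the host that issued the redirect."""
    parts = urlsplit(rd)
    return parts.scheme == "https" and parts.hostname == expected_host


def demo() -> dict:
    target = target_url(SCHEME, HTTP_HOST, REQUEST_URI)
    plain = rd_seen_by_portal(redirect_location(HTTP_HOST, target, escape=False))
    escaped = rd_seen_by_portal(redirect_location(HTTP_HOST, target, escape=True))
    return {
        "target": target,
        "plain_rd": plain,      # query string is cut at the first '&' (page=2 is lost)
        "escaped_rd": escaped,  # full original URL survives the round trip
        "plain_safe": is_safe_return_target(plain, HTTP_HOST),
        "escaped_safe": is_safe_return_target(escaped, HTTP_HOST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With plain `set` the user is still sent back to the right page, but any query parameter after the first `&` does not survive the redirect; with `set_escape_uri` the complete URL is preserved.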
Note
There are no baseurl-specific lines for /etc/nginx/snippets/authelia_proxy.conf
Create this file /etc/nginx/snippets/authelia_proxy.conf
and populate it with this:
## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
This is how you protect an endpoint, i.e. an app or web page being served by nginx.
Tip
location / will protect the whole site, but you only need to include authelia_auth.conf
in the locations you want protected by Authelia, for example location /nextcloud
location / {
    set $upstream_nextcloud https://nextcloud;
    proxy_pass $upstream_nextcloud;
    include /etc/nginx/snippets/authelia_auth.conf; # Activates Authelia for the specified route/location, please ensure you have set up the domain in your config.yml
}
My nginx config is working just fine with Authelia. However, if I set a network IP address to bypass in Authelia access, it is not bypassing the Authelia login screen. What needs to be done in the nginx config to make sure these defined IPs bypass the Authelia login screen?