Added experimental authelia support

- Integrated #33 code snippet - Added UI for setting Authelia server address - Updated authentication provider implementation
2025-08-09 22:57:47 +02:00 · 2024-12-15 15:52:59 +08:00
parent bb0f55018c
commit 2423d0fb3a
24 changed files with 267 additions and 2029 deletions
--- a/src/mod/dynamicproxy/Server.go
+++ b/src/mod/dynamicproxy/Server.go
@@ -83,24 +83,11 @@ func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			}
 		}

-		//SSO Interception Mode
-		/*
-			if sep.AuthenticationProvider.SSOInterceptMode {
-				allowPass := h.Parent.Option.SSOHandler.ServeForwardAuth(w, r)
-				if !allowPass {
-					h.Parent.Option.Logger.LogHTTPRequest(r, "sso-x", 307)
-					return
-				}
-			}
-		*/
-
 		//Validate basic auth
-		if sep.AuthenticationProvider.AuthMethod == AuthMethodBasic {
-			err := h.handleBasicAuthRouting(w, r, sep)
-			if err != nil {
-				h.Parent.Option.Logger.LogHTTPRequest(r, "host", 401)
-				return
-			}
+		respWritten := handleAuthProviderRouting(sep, w, r, h)
+		if respWritten {
+			//Request handled by subroute
+			return
 		}

 		//Check if any virtual directory rules matches
--- a/src/mod/dynamicproxy/authProviders.go
+++ b/src/mod/dynamicproxy/authProviders.go
@@ -9,12 +9,47 @@ import (
 )

 /*
-	BasicAuth.go
+	authProviders.go

-	This file handles the basic auth on proxy endpoints
-	if RequireBasicAuth is set to true
+	This script handle authentication providers
 */

+/*
+Central Authentication Provider Router
+
+This function will route the request to the correct authentication provider
+if the return value is true, do not continue to the next handler
+
+handleAuthProviderRouting takes in 4 parameters:
+- sep: the ProxyEndpoint object
+- w: the http.ResponseWriter object
+- r: the http.Request object
+- h: the ProxyHandler object
+
+and return a boolean indicate if the request is written to http.ResponseWriter
+- true: the request is handled, do not write to http.ResponseWriter
+- false: the request is not handled (usually means auth ok), continue to the next handler
+*/
+func handleAuthProviderRouting(sep *ProxyEndpoint, w http.ResponseWriter, r *http.Request, h *ProxyHandler) bool {
+	if sep.AuthenticationProvider.AuthMethod == AuthMethodBasic {
+		err := h.handleBasicAuthRouting(w, r, sep)
+		if err != nil {
+			h.Parent.Option.Logger.LogHTTPRequest(r, "host", 401)
+			return true
+		}
+	} else if sep.AuthenticationProvider.AuthMethod == AuthMethodAuthelia {
+		err := h.handleAutheliaAuth(w, r)
+		if err != nil {
+			h.Parent.Option.Logger.LogHTTPRequest(r, "host", 401)
+			return true
+		}
+	}
+
+	//No authentication provider, do not need to handle
+	return false
+}
+
+/* Basic Auth */
 func (h *ProxyHandler) handleBasicAuthRouting(w http.ResponseWriter, r *http.Request, pe *ProxyEndpoint) error {
 	err := handleBasicAuth(w, r, pe)
 	if err != nil {
@@ -64,3 +99,10 @@ func handleBasicAuth(w http.ResponseWriter, r *http.Request, pe *ProxyEndpoint)

 	return nil
 }
+
+/* Authelia */
+
+// Handle authelia auth routing
+func (h *ProxyHandler) handleAutheliaAuth(w http.ResponseWriter, r *http.Request) error {
+	return h.Parent.Option.AutheliaRouter.HandleAutheliaAuth(w, r)
+}
--- a/src/mod/dynamicproxy/typedef.go
+++ b/src/mod/dynamicproxy/typedef.go
@@ -7,7 +7,7 @@ import (
 	"sync"

 	"imuslab.com/zoraxy/mod/access"
-	"imuslab.com/zoraxy/mod/auth/sso"
+	"imuslab.com/zoraxy/mod/auth/sso/authelia"
 	"imuslab.com/zoraxy/mod/dynamicproxy/dpcore"
 	"imuslab.com/zoraxy/mod/dynamicproxy/loadbalance"
 	"imuslab.com/zoraxy/mod/dynamicproxy/permissionpolicy"
@@ -33,14 +33,17 @@ type ProxyHandler struct {

 /* Router Object Options */
 type RouterOption struct {
-	HostUUID           string                    //The UUID of Zoraxy, use for heading mod
-	HostVersion        string                    //The version of Zoraxy, use for heading mod
-	Port               int                       //Incoming port
-	UseTls             bool                      //Use TLS to serve incoming requsts
-	ForceTLSLatest     bool                      //Force TLS1.2 or above
-	NoCache            bool                      //Force set Cache-Control: no-store
-	ListenOnPort80     bool                      //Enable port 80 http listener
-	ForceHttpsRedirect bool                      //Force redirection of http to https endpoint
+	/* Basic Settings */
+	HostUUID           string //The UUID of Zoraxy, use for heading mod
+	HostVersion        string //The version of Zoraxy, use for heading mod
+	Port               int    //Incoming port
+	UseTls             bool   //Use TLS to serve incoming requsts
+	ForceTLSLatest     bool   //Force TLS1.2 or above
+	NoCache            bool   //Force set Cache-Control: no-store
+	ListenOnPort80     bool   //Enable port 80 http listener
+	ForceHttpsRedirect bool   //Force redirection of http to https endpoint
+
+	/* Routing Service Managers */
 	TlsManager         *tlscert.Manager          //TLS manager for serving SAN certificates
 	RedirectRuleTable  *redirection.RuleTable    //Redirection rules handler and table
 	GeodbStore         *geodb.Store              //GeoIP resolver
@@ -48,8 +51,12 @@ type RouterOption struct {
 	StatisticCollector *statistic.Collector      //Statistic collector for storing stats on incoming visitors
 	WebDirectory       string                    //The static web server directory containing the templates folder
 	LoadBalancer       *loadbalance.RouteManager //Load balancer that handle load balancing of proxy target
-	SSOHandler         *sso.SSOHandler           //SSO handler for handling SSO requests, interception mode only
-	Logger             *logger.Logger            //Logger for reverse proxy requets
+
+	/* Authentication Providers */
+	AutheliaRouter *authelia.AutheliaRouter //Authelia router for Authelia authentication
+
+	/* Utilities */
+	Logger *logger.Logger //Logger for reverse proxy requets
 }

 /* Router Object */
@@ -129,9 +136,15 @@ const (
 )

 type AuthenticationProvider struct {
-	AuthMethod              AuthMethod                //The authentication method to use
+	AuthMethod AuthMethod //The authentication method to use
+	/* Basic Auth Settings */
 	BasicAuthCredentials    []*BasicAuthCredentials   //Basic auth credentials
 	BasicAuthExceptionRules []*BasicAuthExceptionRule //Path to exclude in a basic auth enabled proxy target
+	BasicAuthGroupIDs       []string                  //Group IDs that are allowed to access this endpoint
+
+	/* Authelia Settings */
+	AutheliaURL string //URL of the Authelia server, leave empty to use global settings e.g. authelia.example.com
+	UseHTTPS    bool   //Whether to use HTTPS for the Authelia server
 }

 // A proxy endpoint record, a general interface for handling inbound routing