From 7a73ddfb60b57bf51db61e071f44ec49bf76d2ed Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 18 Dec 2021 15:50:42 +0100
Subject: [PATCH] outposts/proxy: match skipPathRegex against full URL on
domain auth
closes #1955
Signed-off-by: Jens Langhammer
---
.../proxyv2/application/application.go | 10 ++++++--
web/src/locales/en.po | 24 +++++++++++++++----
web/src/locales/fr_FR.po | 24 +++++++++++++++----
web/src/locales/pseudo-LOCALE.po | 22 ++++++++++++++---
.../providers/proxy/ProxyProviderForm.ts | 12 ++++++++--
website/docs/providers/proxy/proxy.md | 20 ++++++++++++++--
6 files changed, 95 insertions(+), 17 deletions(-)
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index f6d48fcc8..1c7604769 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -180,8 +180,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
func (a *Application) IsAllowlisted(r *http.Request) bool {
for _, u := range a.UnauthenticatedRegex {
- a.log.WithField("regex", u.String()).WithField("url", r.URL.Path).Trace("Matching URL against allow list")
- if u.MatchString(r.URL.Path) {
+ var testString string
+ if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+ testString = r.URL.Path
+ } else {
+ testString = r.URL.String()
+ }
+ a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
+ if u.MatchString(testString) {
return true
}
}
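Review bot: In the domain-mode branch, `r.URL.String()` includes the query string and fragment, so any expression that is not anchored at both ends (for example `.*/static/.*`) can be satisfied by text an unauthenticated caller appends to the query, such as `https://app.example.com/admin?x=/static/`, which the previous path-only match did not allow. Unless matching on the query is intended, strip it before testing, avoiding the loop variable name `u` that already holds the regex: `target := *r.URL`, `target.RawQuery, target.Fragment = "", ""`, `testString = target.String()`. Either way, admins should be told to anchor expressions with `^` and `$`, since the matched string is now longer and easier to hit by accident. Whether `r.URL` at this point is the originally requested URL rather than the forward-auth subrequest's own URL is not shown in this hunk and is assumed. IsAllowlisted's body continues past the end of the hunk.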
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index b425af419..75444ade2 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -3772,8 +3772,12 @@ msgid "Register device"
msgstr "Register device"
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
-msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
+msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
#: src/pages/users/UserListPage.ts
msgid "Regular user"
@@ -4255,8 +4259,8 @@ msgid "Single use"
msgstr "Single use"
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr "Skip path regex"
+#~ msgid "Skip path regex"
+#~ msgstr "Skip path regex"
#: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts
@@ -5246,6 +5250,14 @@ msgstr "URL used by authentik to retrieve tokens."
msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr "URL used to request the initial token. This URL is only required for OAuth 1."
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr "Unauthenticated Paths"
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr "Unauthenticated URLs"
+
#: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies"
msgstr "Unbound policies"
@@ -5861,6 +5873,10 @@ msgstr "When used in conjunction with a User Write stage, use attributes.foo to
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+
#: src/flows/FlowExecutor.ts
msgid "Whoops!"
msgstr "Whoops!"
diff --git a/web/src/locales/fr_FR.po b/web/src/locales/fr_FR.po
index 8ef50a27a..c205efd53 100644
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@@ -3743,8 +3743,12 @@ msgid "Register device"
msgstr "Enregistrer un appareil"
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
-msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
+msgstr ""
#: src/pages/users/UserListPage.ts
msgid "Regular user"
@@ -4218,8 +4222,8 @@ msgid "Single use"
msgstr "Usage unique"
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr "Regex chemins exclus"
+#~ msgid "Skip path regex"
+#~ msgstr "Regex chemins exclus"
#: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts
@@ -5187,6 +5191,14 @@ msgstr "URL utilisée par authentik pour récupérer les jetons."
msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr "URL utilisée pour demander le jeton initial. Cette URL est uniquement requise pour OAuth 1."
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr ""
+
#: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies"
msgstr "Politiques non liées"
@@ -5799,6 +5811,10 @@ msgstr ""
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr "En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à \"minutes=5\"."
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr ""
+
#: src/flows/FlowExecutor.ts
msgid "Whoops!"
msgstr "Oups !"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 633cd4e26..91378e09d 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -3762,7 +3762,11 @@ msgid "Register device"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
msgstr ""
#: src/pages/users/UserListPage.ts
@@ -4245,8 +4249,8 @@ msgid "Single use"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr ""
+#~ msgid "Skip path regex"
+#~ msgstr ""
#: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts
@@ -5226,6 +5230,14 @@ msgstr ""
msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr ""
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr ""
+
#: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies"
msgstr ""
@@ -5841,6 +5853,10 @@ msgstr ""
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr ""
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr ""
+
#: src/flows/FlowExecutor.ts
msgid "Whoops!"
msgstr ""
diff --git a/web/src/pages/providers/proxy/ProxyProviderForm.ts b/web/src/pages/providers/proxy/ProxyProviderForm.ts
index bff2c5169..836914607 100644
--- a/web/src/pages/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderForm.ts
@@ -401,12 +401,20 @@ export class ProxyProviderFormPage extends ModelForm {
-
+
- ${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.`}
+ ${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.`}
+
+
+ ${t`When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.`}
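Review bot: The new help text says the full URL is matched in domain mode but gives no guidance on anchoring, which matters now that the tested string is longer than the path and, as the Go change is written (`r.URL.String()`), also contains the query string, so an unanchored expression is far easier to satisfy. Suggest extending the help string with a sentence such as `Anchor expressions with ^ and $; an unanchored expression can match unintended URLs.` and stating explicitly whether the query string is part of the matched URL, since the current wording names only scheme and host. Changing the string also requires regenerating the locale files, as the commit does for the other wording changes. The surrounding template markup is not visible in this hunk.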
diff --git a/website/docs/providers/proxy/proxy.md b/website/docs/providers/proxy/proxy.md
index ffcf643f3..f92899b8b 100644
--- a/website/docs/providers/proxy/proxy.md
+++ b/website/docs/providers/proxy/proxy.md
@@ -46,7 +46,7 @@ Besides these user-specific headers, some application specific headers are also
The authentik outpost's version.
-# HTTPS
+## HTTPS
The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
@@ -54,7 +54,7 @@ The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
:::
-# Logging out
+## Logging out
Login is done automatically when you visit the domain without a valid cookie.
@@ -63,3 +63,19 @@ When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`.
+
+## Allowing unauthenticated requests
+
+To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
+
+Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
+
+The behaviour of this field changes depending on which mode you're in.
+
+### Proxy and Forward auth (single application)
+
+In this mode, the regular expressions are matched against the Request's Path.
+
+### Forward auth (domain level)
+
+In this mode, the regular expressions are matched against the Request's full URL.