working on authentication
This commit is contained in:
parent
148324b37f
commit
6192277778
@ -48,8 +48,12 @@ SHOPPING_MIN_AUTOSYNC_INTERVAL=5
|
|||||||
GUNICORN_MEDIA=0
|
GUNICORN_MEDIA=0
|
||||||
|
|
||||||
# allow authentication via reverse proxy (e.g. authelia), leave of if you dont know what you are doing
|
# allow authentication via reverse proxy (e.g. authelia), leave of if you dont know what you are doing
|
||||||
# docs: https://github.com/vabene1111/recipes/tree/develop/docs/docker/nginx-proxy%20with%20proxy%20authentication
|
# see docs for more information https://vabene1111.github.io/recipes/features/authentication/
|
||||||
# when unset: 0 (false)
|
# when unset: 0 (false)
|
||||||
REVERSE_PROXY_AUTH=0
|
REVERSE_PROXY_AUTH=0
|
||||||
|
|
||||||
|
|
||||||
|
# allows you to setup o auth providers
|
||||||
|
# see docs for more information https://vabene1111.github.io/recipes/features/authentication/
|
||||||
|
# SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,
|
||||||
|
|
||||||
|
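Review bot: the commented `SOCIAL_PROVIDERS` example added to `.env.template` does not follow the `KEY=value` form used by every other line in this file (`REVERSE_PROXY_AUTH=0`, `GUNICORN_MEDIA=0`): it has spaces around `=`, a space after each comma and a trailing comma. Because `settings.py` consumes this value with a bare `split(',')`, a user who uncomments it as written ends up with entries carrying leading spaces and an empty last entry in `INSTALLED_APPS`. Suggest `# SOCIAL_PROVIDERS=allauth.socialaccount.providers.github,allauth.socialaccount.providers.nextcloud`. In the new comment, `o auth` should be `OAuth` and `setup` should be `set up`; while these lines are being touched, the neighbouring `leave of if you dont know` reads `leave off if you don't know`.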
108
docs/features/authentication.md
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
Besides the normal django username and password authentication this application supports multiple
|
||||||
|
methods of central account management and authentication.
|
||||||
|
|
||||||
|
## Allauth
|
||||||
|
[Django Allauth](https://django-allauth.readthedocs.io/en/latest/index.html) is an awesome project that
|
||||||
|
allows you to use a [huge number](https://django-allauth.readthedocs.io/en/latest/providers.html) of different
|
||||||
|
authentication providers.
|
||||||
|
|
||||||
|
They basically explain everything in their documentation, but the following is a short overview on how to get started.
|
||||||
|
|
||||||
|
!!! warning "Public Providers"
|
||||||
|
If you choose Google, Github or any other publicly available service as your authentication provider anyone
|
||||||
|
with an account on that site can create an account on your installation.
|
||||||
|
A new account does not have any permission but it is still **not recommended** to give public access to
|
||||||
|
your installation.
|
||||||
|
|
||||||
|
Choose a provider from the [list](https://django-allauth.readthedocs.io/en/latest/providers.html) and install it using the environment variable `SOCIAL_PROVIDERS` as shown
|
||||||
|
in the example below.
|
||||||
|
|
||||||
|
```ini
|
||||||
|
SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount.providers.nextcloud,
|
||||||
|
```
|
||||||
|
|
||||||
|
After that, use your superuser account to configure your authentication backend.
|
||||||
|
Open the admin page and do the following
|
||||||
|
|
||||||
|
1. Select `Sites` and create a new site with the URL of your installation.
|
||||||
|
2. Create a new `Social Application` with the required information as stated in the provider documentation of allauth.
|
||||||
|
3. Make sure to add your site to the list of available sites
|
||||||
|
|
||||||
|
Now the provider is configured and you should be able to sign up and sign in using the provider.
|
||||||
|
|
||||||
|
## Reverse Proxy Authentication
|
||||||
|
!!! Info "Community Contributed Tutorial"
|
||||||
|
This tutorial was provided by a community member. Since I do not use reverse proxy authentication, I cannot provide any
|
||||||
|
assistance should you choose to use this authentication method.
|
||||||
|
|
||||||
|
In order use proxy authentication you will need to:
|
||||||
|
|
||||||
|
1. Set `REVERSE_PROXY_AUTH=1` in the `.env` file
|
||||||
|
2. Update your nginx configuration file
|
||||||
|
|
||||||
|
Using any of the examples above will automatically generate a configuration file inside a docker volume.
|
||||||
|
Use `docker volume inspect recipes_nginx` to find out where your volume is stored.
|
||||||
|
|
||||||
|
!!! warning "Configuration File Volume"
|
||||||
|
The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the
|
||||||
|
warning `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below
|
||||||
|
for more information.
|
||||||
|
|
||||||
|
The following example shows a configuration for Authelia:
|
||||||
|
|
||||||
|
```
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name localhost;
|
||||||
|
|
||||||
|
client_max_body_size 16M;
|
||||||
|
|
||||||
|
# serve static files
|
||||||
|
location /static/ {
|
||||||
|
alias /static/;
|
||||||
|
}
|
||||||
|
# serve media files
|
||||||
|
location /media/ {
|
||||||
|
alias /media/;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Authelia endpoint for authentication requests
|
||||||
|
include /config/nginx/auth.conf;
|
||||||
|
|
||||||
|
# pass requests for dynamic content to gunicorn
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://web_recipes:8080;
|
||||||
|
|
||||||
|
# Ensure Authelia is specifically required for this endpoint
|
||||||
|
# This line is important as it will return a 401 error if the user doesn't have access
|
||||||
|
include /config/nginx/authelia.conf;
|
||||||
|
|
||||||
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
|
proxy_set_header REMOTE-USER $user;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Required to allow user to logout of authentication from within Recipes
|
||||||
|
# Ensure the <auth_endpoint> below is changed to actual the authentication url
|
||||||
|
location /accounts/logout/ {
|
||||||
|
return 301 http://<auth_endpoint>/logout
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks.
|
||||||
|
|
||||||
|
Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but
|
||||||
|
available.
|
||||||
|
|
||||||
|
There is a good guide to the other additional files that need to be added to your nginx set up at
|
||||||
|
the [Authelia Docs](https://docs.authelia.com/deployment/supported-proxies/nginx.html).
|
||||||
|
|
||||||
|
Remember to add the appropriate environment variables to `.env` file (example for nginx proxy):
|
||||||
|
|
||||||
|
```
|
||||||
|
VIRTUAL_HOST=
|
||||||
|
LETSENCRYPT_HOST=
|
||||||
|
LETSENCRYPT_EMAIL=
|
||||||
|
PROXY_HEADER=
|
||||||
|
```
|
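Review bot: in the nginx example, `return 301 http://<auth_endpoint>/logout` is missing its terminating semicolon, so nginx will refuse to load this configuration; it should read `return 301 http://<auth_endpoint>/logout;`. The page should also state the trust boundary that `REVERSE_PROXY_AUTH=1` creates: the application accepts whichever user is named in the `REMOTE-USER` header, and this config only sets that header (via `proxy_set_header`, which overwrites anything the client sent) for requests passing through `location /`, so the `web_recipes:8080` upstream must be reachable only through this proxy and never directly from clients. Two cross-references no longer resolve in this new file: `Using any of the examples above` and `See section \`Volumes vs Bind Mounts\` below` refer to content that stays in the docker documentation page this section was moved from; link to that page or drop the references. Minor: `In order use proxy authentication` should be `In order to use`, and the `ini` example carries the same trailing comma as the `.env.template` entry.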
@ -290,84 +290,6 @@ to the host system and from there into the nginx container.
|
|||||||
This is not really a clean solution, but I could not find any better alternative that provided the same amount of
|
This is not really a clean solution, but I could not find any better alternative that provided the same amount of
|
||||||
usability. If you know of any better way, feel free to open an issue.
|
usability. If you know of any better way, feel free to open an issue.
|
||||||
|
|
||||||
### Using Proxy Authentication
|
|
||||||
|
|
||||||
!!! Info "Community Contributed Tutorial"
|
|
||||||
This tutorial was provided by a community member. Since I do not use reverse proxy authentication, I cannot provide any
|
|
||||||
assistance should you choose to use this authentication method.
|
|
||||||
|
|
||||||
In order use proxy authentication you will need to:
|
|
||||||
|
|
||||||
1. Set `REVERSE_PROXY_AUTH=1` in the `.env` file
|
|
||||||
2. Update your nginx configuration file
|
|
||||||
|
|
||||||
Using any of the examples above will automatically generate a configuration file inside a docker volume.
|
|
||||||
Use `docker volume inspect recipes_nginx` to find out where your volume is stored.
|
|
||||||
|
|
||||||
!!! warning "Configuration File Volume"
|
|
||||||
The nginx config volume is generated when the container is first run. You can change the volume to a bind mount in the
|
|
||||||
warning `docker-compose.yml`, but then you will need to manually create it. See section `Volumes vs Bind Mounts` below
|
|
||||||
for more information.
|
|
||||||
|
|
||||||
The following example shows a configuration for Authelia:
|
|
||||||
|
|
||||||
```
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name localhost;
|
|
||||||
|
|
||||||
client_max_body_size 16M;
|
|
||||||
|
|
||||||
# serve static files
|
|
||||||
location /static/ {
|
|
||||||
alias /static/;
|
|
||||||
}
|
|
||||||
# serve media files
|
|
||||||
location /media/ {
|
|
||||||
alias /media/;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Authelia endpoint for authentication requests
|
|
||||||
include /config/nginx/auth.conf;
|
|
||||||
|
|
||||||
# pass requests for dynamic content to gunicorn
|
|
||||||
location / {
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_pass http://web_recipes:8080;
|
|
||||||
|
|
||||||
# Ensure Authelia is specifically required for this endpoint
|
|
||||||
# This line is important as it will return a 401 error if the user doesn't have access
|
|
||||||
include /config/nginx/authelia.conf;
|
|
||||||
|
|
||||||
auth_request_set $user $upstream_http_remote_user;
|
|
||||||
proxy_set_header REMOTE-USER $user;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Required to allow user to logout of authentication from within Recipes
|
|
||||||
# Ensure the <auth_endpoint> below is changed to actual the authentication url
|
|
||||||
location /accounts/logout/ {
|
|
||||||
return 301 http://<auth_endpoint>/logout
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks.
|
|
||||||
|
|
||||||
Ensure users have been configured for Authelia, and that the endpoint recipes is pointed to is protected but
|
|
||||||
available.
|
|
||||||
|
|
||||||
There is a good guide to the other additional files that need to be added to your nginx set up at
|
|
||||||
the [Authelia Docs](https://docs.authelia.com/deployment/supported-proxies/nginx.html).
|
|
||||||
|
|
||||||
Remember to add the appropriate environment variables to `.env` file (example for nginx proxy):
|
|
||||||
|
|
||||||
```
|
|
||||||
VIRTUAL_HOST=
|
|
||||||
LETSENCRYPT_HOST=
|
|
||||||
LETSENCRYPT_EMAIL=
|
|
||||||
PROXY_HEADER=
|
|
||||||
```
|
|
||||||
|
|
||||||
### Volumes vs Bind Mounts
|
### Volumes vs Bind Mounts
|
||||||
|
|
||||||
Since I personally prefer to have my data where my `docker-compose.yml` resides, bind mounts are used in the example
|
Since I personally prefer to have my data where my `docker-compose.yml` resides, bind mounts are used in the example
|
||||||
|
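Review bot: this removes the `### Using Proxy Authentication` section from the docker page without leaving any pointer to its new home in `docs/features/authentication.md`, so readers of the nginx/docker setup page lose the path to it. A one-line cross-reference to the new Authentication page at the point of removal would keep the two pages connected; the moved text still refers to the configuration examples and to `Volumes vs Bind Mounts` on this page, which is a further reason to link in both directions.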
@ -31,6 +31,7 @@ nav:
|
|||||||
- Features:
|
- Features:
|
||||||
- Tempalating: features/templating.md
|
- Tempalating: features/templating.md
|
||||||
- Shopping: features/shopping.md
|
- Shopping: features/shopping.md
|
||||||
|
- Authentication: features/authentication.md
|
||||||
- Storages and Sync: features/external_recipes.md
|
- Storages and Sync: features/external_recipes.md
|
||||||
- System:
|
- System:
|
||||||
- Updating: system/updating.md
|
- Updating: system/updating.md
|
||||||
|
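Review bot: while this hunk edits the `Features` nav list, the neighbouring entry `- Tempalating: features/templating.md` has a typo in its visible title (`Templating`); fixing it in the same change costs nothing. The new `- Authentication: features/authentication.md` entry itself matches the file added in this commit.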
@ -9,6 +9,7 @@ https://docs.djangoproject.com/en/2.0/topics/settings/
|
|||||||
For the full list of settings and their values, see
|
For the full list of settings and their values, see
|
||||||
https://docs.djangoproject.com/en/2.0/ref/settings/
|
https://docs.djangoproject.com/en/2.0/ref/settings/
|
||||||
"""
|
"""
|
||||||
|
import ast
|
||||||
import os
|
import os
|
||||||
import random
|
import random
|
||||||
import string
|
import string
|
||||||
@ -82,10 +83,14 @@ INSTALLED_APPS = [
|
|||||||
'allauth',
|
'allauth',
|
||||||
'allauth.account',
|
'allauth.account',
|
||||||
'allauth.socialaccount',
|
'allauth.socialaccount',
|
||||||
'allauth.socialaccount.providers.github',
|
|
||||||
'cookbook.apps.CookbookConfig',
|
'cookbook.apps.CookbookConfig',
|
||||||
]
|
]
|
||||||
|
|
||||||
|
SOCIAL_PROVIDERS = os.getenv('SOCIAL_PROVIDERS').split(',') if os.getenv('SOCIAL_PROVIDERS') else []
|
||||||
|
INSTALLED_APPS = INSTALLED_APPS + SOCIAL_PROVIDERS
|
||||||
|
|
||||||
|
SOCIALACCOUNT_PROVIDERS = ast.literal_eval(os.getenv('SOCIALACCOUNT_PROVIDERS') if os.getenv('SOCIALACCOUNT_PROVIDERS') else '{}')
|
||||||
|
|
||||||
MIDDLEWARE = [
|
MIDDLEWARE = [
|
||||||
'django.middleware.security.SecurityMiddleware',
|
'django.middleware.security.SecurityMiddleware',
|
||||||
'whitenoise.middleware.WhiteNoiseMiddleware',
|
'whitenoise.middleware.WhiteNoiseMiddleware',
|
||||||
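Review bot: `os.getenv('SOCIAL_PROVIDERS').split(',')` does no trimming or filtering, so the example value shipped in `.env.template` by this same commit (spaces after commas, trailing comma) produces `' allauth.socialaccount.providers.nextcloud'` and `''` in `INSTALLED_APPS`, and Django fails at startup trying to import them. Suggest `SOCIAL_PROVIDERS = [p.strip() for p in os.getenv('SOCIAL_PROVIDERS', '').split(',') if p.strip()]`. Two further points: dropping the hard-coded `'allauth.socialaccount.providers.github'` silently breaks existing installs that rely on the GitHub provider until they set `SOCIAL_PROVIDERS`, which deserves a changelog note; and `ast.literal_eval` on `SOCIALACCOUNT_PROVIDERS` is the right choice over `eval`, but a malformed value raises `SyntaxError`/`ValueError` during settings import, so wrapping it with a message naming the variable would help operators.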
@ -109,9 +114,6 @@ SITE_ID = int(os.getenv('ALLAUTH_SITE_ID', 1))
|
|||||||
|
|
||||||
ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'
|
ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'
|
||||||
|
|
||||||
# disable account creation using allauth
|
|
||||||
ACCOUNT_ALLOW_SIGNUPS = bool(int(os.getenv('ACCOUNT_ALLOW_SIGNUPS', False)))
|
|
||||||
|
|
||||||
if REVERSE_PROXY_AUTH:
|
if REVERSE_PROXY_AUTH:
|
||||||
MIDDLEWARE.append('recipes.middleware.CustomRemoteUser')
|
MIDDLEWARE.append('recipes.middleware.CustomRemoteUser')
|
||||||
AUTHENTICATION_BACKENDS.append('django.contrib.auth.backends.RemoteUserBackend')
|
AUTHENTICATION_BACKENDS.append('django.contrib.auth.backends.RemoteUserBackend')
|
||||||
|
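Review bot: this hunk deletes `ACCOUNT_ALLOW_SIGNUPS` (which defaulted to disabled), but nothing in the diff shows what now gates account creation; the `ACCOUNT_ADAPTER = 'cookbook.helper.AllAuthCustomAdapter'` context line is unchanged. If that adapter still reads `settings.ACCOUNT_ALLOW_SIGNUPS`, the first signup attempt raises `AttributeError`; if the check was removed there, signup is now open by default, which is exactly the exposure the new docs warn about under `Public Providers` (anyone with an account on the provider can register). Either keep the setting and document it beside `SOCIAL_PROVIDERS`, or state in the commit what replaces it.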