I have been trying to open my local jellyfin container to the internet while protecting it with Authelia (for 2FA). I have one docker container each for swag (nginx), authelia and jellyfin, all named in the same way.
I used the sample subdomain config for Jellyfin from swag and added the authelia include so that requests are redirected through authelia before reaching jellyfin. Authelia works fine with the other services on the server.
If I remove the authelia include line from the jellyfin config, I can reach jellyfin at https://jellyfin.myserver.com without any problem.
If authelia is active, I get to the authelia login page via https://jellyfin.myserver.com without any problem, but after passing the authelia check I get a 500 error from Nginx.
I can't see any relevant events in the logs, so I'm a bit blind here. Any idea what could be going wrong?
Here is my jellyfin.subdomain.conf:
    ## Version 2023/05/31
    # make sure that your jellyfin container is named jellyfin
    # make sure that your dns has a cname set for jellyfin
    # if jellyfin is running in bridge mode and the container is named "jellyfin", the below config should work as is
    # if not, replace the line "set $upstream_app jellyfin;" with "set $upstream_app <containername>;"
    # or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of jellyfin
    # in jellyfin settings, under "Advanced/Networking" add subdomain.mydomain.tld as a known proxy
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name jellyfin.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;
        location / {
            # enable for Authelia (requires authelia-server.conf in the server block)
            include /config/nginx/authelia-location.conf;
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app jellyfin;
            set $upstream_port 8096;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
        }
        location ~ (/jellyfin)?/socket {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app jellyfin;
            set $upstream_port 8096;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }
And authelia.conf:
    ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
    # Make sure that your authelia container is in the same user defined bridge network and is named authelia
    # Rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
    # Make sure that the authelia configuration.yml has 'path: "authelia"' defined
    ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
    auth_request /authelia/api/verify;
    ## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
    error_page 401 = @authelia_proxy_signin;
    ## Translate response headers from Authelia into variables
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $name $upstream_http_remote_name;
    auth_request_set $email $upstream_http_remote_email;
    auth_request_set $authorization $upstream_http_authorization;
    auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
    ## Inject the response header variables into the request made to the actual upstream
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Name $name;
    proxy_set_header Remote-Email $email;
    proxy_set_header Authorization $authorization;
    proxy_set_header Proxy-Authorization $proxy_authorization;
    ## Include the Set-Cookie header if present.
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;
And proxy.conf:
    ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    # Proxy Connection Settings
    proxy_buffers 32 4k;
    proxy_connect_timeout 240;
    proxy_headers_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    proxy_http_version 1.1;
    proxy_read_timeout 240;
    proxy_redirect http:// $scheme://;
    proxy_send_timeout 240;
    # Proxy Cache and Cookie Settings
    proxy_cache_bypass $cookie_session;
    #proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
    proxy_no_cache $cookie_session;
    # Proxy Header Settings
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Early-Data $ssl_early_data;
    proxy_set_header Host $host;
    proxy_set_header Proxy "";
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
as shown in LinuxServer's blog post.
    server {
        [server block code]
        include /config/nginx/authelia-server.conf;
        location / {
            [location block code]
            include /config/nginx/authelia-location.conf;
It might also be prudent to double-check the Docker network. The simplest way to get SWAG working seamlessly is to have every SWAG-managed container on the same network as the SWAG container, as described on the SWAG GitHub. Since SWAG uses the container name as the DNS hostname by default, it will not be able to find your container on a separate network unless you modify the config to include the server's IP address.
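As an added example, not part of the thread: a small POSIX shell audit for the pattern the answer describes. It flags a SWAG proxy-conf that includes authelia-location.conf without the matching authelia-server.conf in its server block, then patches the file and shows the result passing the same check; the sample conf is constructed to mirror the question's jellyfin.subdomain.conf, and the check/patch functions are my own, not SWAG's.

```shell
#!/bin/sh
# Added example, not from the thread: audit a SWAG proxy-conf for the half-wired
# Authelia pattern in the question (authelia-location.conf included in a location
# block, but no authelia-server.conf include in the server block), then patch it.

# Return 0 if the conf is consistent, 1 if the server-level include is missing,
# 2 if the conf does not use Authelia at all. Commented-out lines are ignored.
check_authelia_includes() {
    active=$(grep -v '^[[:space:]]*#' "$1")
    n_loc=$(printf '%s\n' "$active" | grep -c 'include /config/nginx/authelia-location.conf;' || true)
    n_srv=$(printf '%s\n' "$active" | grep -c 'include /config/nginx/authelia-server.conf;' || true)
    [ "$n_loc" -gt 0 ] || return 2
    if [ "$n_srv" -eq 0 ]; then
        echo "$1: authelia-location.conf without authelia-server.conf (auth_request has no /authelia/ location to reach)" >&2
        return 1
    fi
    return 0
}

# Emit a copy of the conf with the server-level include added right after "server {".
add_server_include() {
    awk '{ print } /^[[:space:]]*server[[:space:]]*[{]/ { print "    include /config/nginx/authelia-server.conf;" }' "$1"
}

# Constructed sample mirroring the question's jellyfin.subdomain.conf (trimmed).
broken_conf=$(mktemp) && fixed_conf=$(mktemp)
trap 'rm -f "$broken_conf" "$fixed_conf"' EXIT
cat > "$broken_conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name jellyfin.*;
    include /config/nginx/ssl.conf;
    location / {
        # include /config/nginx/authelia-server.conf;   <- commented out, must not count
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        set $upstream_app jellyfin;
        proxy_pass http://$upstream_app:8096;
    }
}
EOF

if check_authelia_includes "$broken_conf"; then echo "ok"; else echo "needs fix"; fi
add_server_include "$broken_conf" > "$fixed_conf"
if check_authelia_includes "$fixed_conf"; then echo "patched conf is consistent"; fi
```

Run it against /config/nginx/proxy-confs/*.subdomain.conf inside the swag container to find every conf that wires Authelia only halfway.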