Nginx ACL control implementation without any information XD

[NEANC]

Hi, I would like to ask you a question.

I found and implemented Nginx ACL control while using AI to help me deploy tinyauth and I want to know if this is the expected behavior.

Using Pocket ID as SSO provider and then importing /etc/tinyauth/acl.yaml and setting up environment, the following is the compose.yaml example ( Which is not the full compose.yaml ).

services:
  tinyauth:
    image: tinyauth/tinyauth:latest
    container_name: tinyauth
    restart: always
    environment:
      - APP_URL=https://sso.example.com
      - PROVIDERS_POCKETID_SCOPES=openid email profile groups
      - TINYAUTH_ACL_CONFIG=/etc/tinyauth/acl.yaml
      - TINYAUTH_PASS_USER_HEADERS=true
    volumes:
      - ./tinyauth-acl.yaml:/etc/tinyauth/acl.yaml
    ports:
      - "3000:3000"
    networks:
      - tinyauth-network

networks:
  tinyauth-network:
    driver: bridge

Create three different users and groups in Pocket ID, for example admin and admins, group and groups, no-group and no-groups.
The corresponding user groups and domain control are then set in acl.yaml, acl.yaml example:

rules:
  - match: "https://beszel.example.com/*"
    allow:
      groups: ["groups"]

  - match: "*"
    allow:
      groups: ["admins"]

Set up nginx.conf example:

location ^~ / {
    proxy_pass http://127.0.0.1:20000;

    # Tinyauth front-end authentication
    auth_request /_tinyauth_check;
    error_page 401 = @tinyauth_login;

    # Pass user information to the backend (if tinyauth has returned user information)
    auth_request_set $ta_user $upstream_http_remote_user;
    proxy_set_header Remote-User $ta_user;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_http_version 1.1;
    add_header X-Cache $upstream_cache_status;
    add_header Cache-Control no-cache;
    proxy_ssl_server_name off;
    proxy_ssl_name $proxy_host;
}

# Sub-request: call tinyauth to check login
location = /_tinyauth_check {
    internal;
    proxy_pass http://127.0.0.1:3000/api/auth/nginx;
    proxy_set_header x-forwarded-proto $scheme;
    proxy_set_header x-forwarded-host  $host;
    proxy_set_header x-forwarded-uri   $request_uri;
}

# If not logged in, jump to tinyauth login page
location @tinyauth_login {
    return 302 https://sso.example.com/login?redirect_uri=$scheme://$host$request_uri;
}

Then when you visit the corresponding web page and perform authentication, no-group is blocked and admin and group are permitted, thus ACL control is achieved.

I didn't find the information in docs and issues and discussions, so I sent you this XD

Ps. English is not my native language, I used Deepl translation, please point out if it's wrong and I'll give you more detailed information.

[steveiliop56]

Your configuration is wrong, everything generated by AI are hallucinations. Doing ACLs without Docker is not supported yet but it will be in the next version. For now, please consult the documentation for all the supported options. You may be interested in the pocket ID and access controls with docker guides.

[NEANC]

Thank you for your reply. You're absolutely right—this is an AI hallucination.
Though it seems to be running just fine XD

I'm really looking forward to the release of version v5. After all, there are always web services that don't run on Docker.

For now, I'll add an extra authentication program carried by Nginx as a temporary solution for these web services.