User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
services:lubelogger [2025/01/26 17:11] willyservices:lubelogger [2025/01/27 17:31] (current) – [Authentication] willy
Line 1: Line 1:
 ====== LubeLogger ====== ====== LubeLogger ======
  
-[[https://lubelogger.com/|LubeLogger]] is an aSelf-Hosted, Open-Source, Unconventionally-Named Vehicle Maintenance Records and Fuel Mileage Tracker for your cars and vehicles.+[[https://lubelogger.com/|LubeLogger]] is an aSelf-Hosted, Open-Source, Unconventionally-Named Vehicle Maintenance Records and Fuel Mileage Tracker for your cars and vehicles. In other words, you can use it to track expenditures, taxes and maintenance done (with costs) of you vehicles.
  
 ===== Installation ===== ===== Installation =====
Line 14: Line 14:
 Now, create the following **docker-compose.yml** as user //lubelogger//: Now, create the following **docker-compose.yml** as user //lubelogger//:
 <file - docker-compose.yml> <file - docker-compose.yml>
 +---
 +version: "3.4"
  
 +services:
 +  app:
 +    image: ghcr.io/hargata/lubelogger:latest
 +    build: .
 +    environment:
 +      - LC_ALL=it_IT.UTF-8 # this will affect how numbers, currencies, and dates are formatted.
 +      - LANG=it_IT.UTF-8   # Same as above. 
 +#      - EnableAuth=false  # See authentication below
 +    volumes:
 +      - /data/lubelogger/config:/App/config
 +      - /data/lubelogger/data:/App/data
 +      - /data/lubelogger/translations:/App/wwwroot/translations
 +      - /data/lubelogger/documents:/App/wwwroot/documents
 +      - /data/lubelogger/images:/App/wwwroot/images
 +      - /data/lubelogger/temp:/App/wwwroot/temp
 +      - /data/lubelogger/log:/App/log
 +      - /data/lubelogger/keys:/root/.aspnet/DataProtection-Keys
 +    ports:
 +      - 8485:8080
  
 +    networks:
 +      - lubelogger-net
 +
 +networks:
 +  lubelogger-net: {}
 </file> </file>
  
Line 24: Line 50:
 podman compose pull podman compose pull
 </code> </code>
 +
  
 ===== Authentication ===== ===== Authentication =====
  
-Unfortunatelywhile it is possible to disable authentication, it will **not** work with SSOso you cannot disable authentication and then have a simple SSO layer on top of it. This is quite annoying.+Authentication with LubeLogger took a bit to figure out. First of all, it's pretty unconventional in a few respects: 
 +  * Authentication is disabled by defaultbut once you mess with it, it can be managed only from web settings and the environment setting seems to be unresponsive 
 +  It does not support forwarded headers or similar proxy based stuff 
 +  It support OIDC (Authelia...) SSO type authentication but it still requires you to setup local authentication first 
 +  It does allow multiple users, but only via email registration with tokens, you cannot add users from the admin control panel. This is probably the weirdest choice.
  
-Enabling LubeLogget authentication is a bit of a mess. First of allit starts with authentication disabled. As stated [[https://docs.lubelogger.com/Installation/Authentication|here]] you need to go to settings and enable authentication in order to create a //root// user and setup a password. At this point, you can setup your SSO.+You have different options: 
 +  * disable LubeLogger auth and use your own proxy-based authentication, but you lose additional users 
 +  * enable internal LubeLogger auth, and disable your proxy autnehtication, but you need to create users  
 +  * enable LubeLogger authentication with your OIDC SSO (es Authelia), but you still need to create your LubeLogger root account and you will not be able to use your proxy authentication, not even via the SSO itself.
  
-To setup the SSO, you need to setup the following environments in your docker compose:+In general enabling LubeLogger authentication is a bit of a mess. First of all, it starts with authentication disabled. As stated [[https://docs.lubelogger.com/Installation/Authentication|here]] you need to go to settings and enable authentication in order to create a //root// user and setup a password. Also note that to add users you **must** setup an email provider and have LubeLogger send out a token to the new user email address. Very annoying. 
 + 
 +Instead, if you want to enable SSO, you need to setup the following environments in your docker compose:
 <code> <code>
 MailConfig__EmailServer="" <- Email SMTP settings used only for configuring multiple users(to send their registration token and forgot password tokens) MailConfig__EmailServer="" <- Email SMTP settings used only for configuring multiple users(to send their registration token and forgot password tokens)
Line 38: Line 74:
 MailConfig__Username="" <- Same as above. MailConfig__Username="" <- Same as above.
 MailConfig__Password="" <- Same as above. MailConfig__Password="" <- Same as above.
-OpenIDConfig__Name=Name of the OpenID Connect Provider +OpenIDConfig__Name=Authelia 
-OpenIDConfig__ClientId=Client Id to Authenticate with the Provider +OpenIDConfig__ClientId=lube 
-OpenIDConfig__ClientSecret=Client Secret to Authenticate with the Provider+OpenIDConfig__ClientSecret=client-secret-string
 OpenIDConfig__AuthURL=Authorization URL to the Provider's Login Page OpenIDConfig__AuthURL=Authorization URL to the Provider's Login Page
 OpenIDConfig__TokenURL=URL to retrieve user JWT from the Provider OpenIDConfig__TokenURL=URL to retrieve user JWT from the Provider
-OpenIDConfig__RedirectURL=https://<yourlubeloggerdomain.com>/Login/RemoteAuth(must be HTTPS) +OpenIDConfig__RedirectURL=https://lubelogger.mydomain.com/Login/RemoteAuth 
-OpenIDConfig__Scope=The scope for retrieving the user's email claim(usually it's just 'email')+OpenIDConfig__Scope="openid email"
 OpenIDConfig__ValidateState=true/false(default: false) - whether LubeLogger should validate state. OpenIDConfig__ValidateState=true/false(default: false) - whether LubeLogger should validate state.
 OpenIDConfig__UsePKCE=true/false(default: false) - whether LubeLogger should use PKCE OpenIDConfig__UsePKCE=true/false(default: false) - whether LubeLogger should use PKCE
 </code> </code>
  
-The examples provided in the above docker compose should be adapted to your setup, but are designed to work with Authelia.+My specific Authelia client setting is: 
 +<code> 
 +      - client_id: 'lube' 
 +        client_name: 'LubeLogger' 
 +        client_secret: 'client-secret-string' 
 +        public: false 
 +        authorization_policy: 'one_factor' 
 +        pre_configured_consent_duration: 1M 
 +        scopes: 
 +          - openid 
 +          - email 
 +          - profile 
 +        grant_types: 
 +          - 'authorization_code' 
 +        redirect_uris: 
 +          - https://lubelogger.mydomain.com/Login/RemoteAuth 
 +        userinfo_signed_response_alg: none 
 +        token_endpoint_auth_method: 'client_secret_post' 
 +</code> 
 + 
 +I suggest you also setup email notification by creating a dedicated email address for LubeLogger to send out emails or you will **not** be able to add users. 
 + 
 +I choose to fully disable LubeLogger authentication and go with proxy authentication since i only need one user account no matter who is actually logged in.
  
-I suggest you also setup email notification by creating a dedicated email address for LubeLogger to send out emails.  
  
 ===== Reverse Proxy ===== ===== Reverse Proxy =====
Line 65: Line 122:
         access_log /var/log/nginx/lubelogger.mydomain.com_access_log main;         access_log /var/log/nginx/lubelogger.mydomain.com_access_log main;
         error_log /var/log/nginx/lubelogger.mydomain.com_error_log info;         error_log /var/log/nginx/lubelogger.mydomain.com_error_log info;
 +        
 +        # The following line enables proxy auth with SSO, uncomment to use LubeLogger auth
 +        include "com.mydomain/authelia_location.conf";
 +
  
          location / {          location / {
 +                # The following two lines enables proxy auth with SSO, uncomment to use LubeLogger auth
 +                include "com.mydomain.com/authelia_proxy.conf";
 +                include "com.mydomain.com/authelia_authrequest.conf";
 +                
                 proxy_pass http://127.0.0.1:8485;                 proxy_pass http://127.0.0.1:8485;
                 client_max_body_size               50000M;                 client_max_body_size               50000M;
-                proxy_set_header Host              $http_host; +                 
-                proxy_set_header X-Real-IP         $remote_addr; +# The following lines are all commented to use NGINX SSO authentication and NOT LubeLogger 
-                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; +# authentication. IF you want to use LubeLogger authentication, uncomment them. 
-                proxy_set_header X-Forwarded-Proto $scheme;+#                proxy_set_header Host              $http_host; 
 +               proxy_set_header X-Real-IP         $remote_addr; 
 +               proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; 
 +               proxy_set_header X-Forwarded-Proto $scheme; 
                 proxy_set_header   Upgrade    $http_upgrade;                 proxy_set_header   Upgrade    $http_upgrade;
                 proxy_set_header   Connection "upgrade";                 proxy_set_header   Connection "upgrade";