salt/states/roles/maintain/nginx-proxy/auth.conf

#Authentication {{auth}}

{%- if auth == "none" %}

#No authentication
{%- elif auth == "ldap" %}

#Not Implemented
{%- elif auth == "2fa" -%}
#{{location}}
  {%- if location == "1" %}
  location /auth_verify {
    internal;
    proxy_pass_request_body off;
    proxy_set_header  X-Original-URI $request_uri;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  Host $http_host;
    proxy_set_header  Content-Length "";

    proxy_pass        https://authelia.actcur.com/verify;
  }

  {% elif location == "2" %}
    auth_request /auth_verify;

    auth_request_set $redirect $upstream_http_redirect;
    proxy_set_header Redirect $redirect;

    auth_request_set $user $upstream_http_remote_user;
    proxy_set_header X-Forwarded-User $user;

    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-Groups $groups;

    error_page 401 =302 https://authelia.actcur.com?redirect=$redirect;
    error_page 403 = https://authelia.actcur.com/error/403;
  {%- endif -%}
{%- endif -%}