2021-11-12 21:57:19 +00:00
|
|
|
```
|
|
|
|
|
server {
|
|
|
|
|
# SSL and VHost configuration
|
|
|
|
|
listen 443 ssl http2;
|
|
|
|
|
server_name _;
|
|
|
|
|
|
|
|
|
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
|
|
|
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
|
|
|
|
|
|
|
|
|
# Increase buffer size for large headers
|
2021-11-26 13:08:45 +00:00
|
|
|
# This is needed only if you get 'upstream sent too big header while reading response
|
|
|
|
|
# header from upstream' error when trying to access an application protected by goauthentik
|
2021-11-12 21:57:19 +00:00
|
|
|
proxy_buffers 8 16k;
|
|
|
|
|
proxy_buffer_size 32k;
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
# Put your proxy_pass to your application here
|
|
|
|
|
# proxy_pass http://localhost:5000;
|
|
|
|
|
|
|
|
|
|
# authentik-specific config
|
2022-02-16 09:19:33 +00:00
|
|
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
2022-02-08 19:25:38 +00:00
|
|
|
error_page 401 = @goauthentik_proxy_signin;
|
2022-01-25 13:25:21 +00:00
|
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
|
|
|
add_header Set-Cookie $auth_cookie;
|
2021-11-12 21:57:19 +00:00
|
|
|
|
2022-08-30 19:19:25 +00:00
|
|
|
# pass original hostname and url to Nginx, it might be needed for some apps to work
|
|
|
|
|
# proxy_set_header Host $host;
|
|
|
|
|
# proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
|
|
|
|
|
2021-11-12 21:57:19 +00:00
|
|
|
# translate headers from the outposts back to the actual upstream
|
|
|
|
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
|
|
|
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
|
|
|
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
|
|
|
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
|
|
|
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
|
|
|
|
|
|
|
|
|
proxy_set_header X-authentik-username $authentik_username;
|
|
|
|
|
proxy_set_header X-authentik-groups $authentik_groups;
|
|
|
|
|
proxy_set_header X-authentik-email $authentik_email;
|
|
|
|
|
proxy_set_header X-authentik-name $authentik_name;
|
|
|
|
|
proxy_set_header X-authentik-uid $authentik_uid;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-16 09:19:33 +00:00
|
|
|
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
|
|
|
|
location /outpost.goauthentik.io {
|
|
|
|
|
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
2021-11-12 21:57:19 +00:00
|
|
|
# ensure the host of this vserver matches your external URL you've configured
|
|
|
|
|
# in authentik
|
|
|
|
|
proxy_set_header Host $host;
|
2022-01-25 13:25:21 +00:00
|
|
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
2021-11-12 21:57:19 +00:00
|
|
|
add_header Set-Cookie $auth_cookie;
|
|
|
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
2022-05-26 09:52:57 +00:00
|
|
|
|
|
|
|
|
# required for POST requests to work
|
|
|
|
|
proxy_pass_request_body off;
|
|
|
|
|
proxy_set_header Content-Length "";
|
2021-11-12 21:57:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Special location for when the /auth endpoint returns a 401,
|
|
|
|
|
# redirect to the /start URL which initiates SSO
|
2022-02-08 19:25:38 +00:00
|
|
|
location @goauthentik_proxy_signin {
|
2021-11-12 21:57:19 +00:00
|
|
|
internal;
|
|
|
|
|
add_header Set-Cookie $auth_cookie;
|
2022-02-16 09:19:33 +00:00
|
|
|
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
2022-02-15 09:24:04 +00:00
|
|
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
2022-02-16 09:19:33 +00:00
|
|
|
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
2021-11-12 21:57:19 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
