website/docs: update forward_auth for nginx config

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-06-29 20:32:49 +02:00 · 2021-06-29 20:32:49 +02:00 · 1e6c081e5c
parent 8b9ce4a745
commit 1e6c081e5c
1 changed files with 36 additions and 14 deletions
--- a/website/docs/outposts/proxy/forward_auth.mdx
+++ b/website/docs/outposts/proxy/forward_auth.mdx
@ -46,23 +46,45 @@ import TabItem from '@theme/TabItem';
  <TabItem value="standalone-nginx">

 ```
-    location /akprox {
-        proxy_pass          http://*ip of your outpost*:4180;
+server {
+    # SSL and VHost configuration
+    listen                  443 ssl http2;
+    server_name             _;
+
+    ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    location / {
+        # Put your proxy_pass to your application here
+        # proxy_pass          http://localhost:5000;
+
+        # authentik-specific config
+        auth_request        /akprox/auth;
        error_page          401 = @akprox_signin;
-        proxy_set_header    X-Forwarded-Host $http_host;
-        auth_request_set    $auth_cookie $upstream_http_set_cookie;
-        add_header          Set-Cookie $auth_cookie;
+        # translate headers from the outposts back to the actual upstream
+        auth_request_set    $username    $upstream_http_x_auth_username;
+        auth_request_set    $email       $upstream_http_X_Forwarded_Email;
+        proxy_set_header    X-Auth-Username   $username;
+        proxy_set_header    X-Forwarded-Email $email;
    }

+    # all requests to /akprox must be accessible without authentication
+    location /akprox {
+        proxy_pass          http://*ip or hostname of the authentik OUTPOST*:4180;
+        # ensure the host of this vserver matches your external URL you've configured
+        # in authentik
+        proxy_set_header    Host $host;
+        add_header          Set-Cookie $auth_cookie;
+        auth_request_set    $auth_cookie $upstream_http_set_cookie;
+    }
+
+    # Special location for when the /auth endpoint returns a 401,
+    # redirect to the /start URL which initiates SSO
    location @akprox_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /akprox/start?rd=$request_uri;
    }
-
-    location / {
-        auth_request /akprox/auth?nginx;
-        # All your other options...
 }
 ```