outpost: forwardAuth mode (#790)
This commit is contained in:
parent
ad8ee83697
commit
2a409215d3
|
@ -52,6 +52,7 @@ class ProxyProviderSerializer(ProviderSerializer):
|
||||||
"basic_auth_enabled",
|
"basic_auth_enabled",
|
||||||
"basic_auth_password_attribute",
|
"basic_auth_password_attribute",
|
||||||
"basic_auth_user_attribute",
|
"basic_auth_user_attribute",
|
||||||
|
"forward_auth_mode",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -86,6 +87,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
|
||||||
"basic_auth_enabled",
|
"basic_auth_enabled",
|
||||||
"basic_auth_password_attribute",
|
"basic_auth_password_attribute",
|
||||||
"basic_auth_user_attribute",
|
"basic_auth_user_attribute",
|
||||||
|
"forward_auth_mode",
|
||||||
]
|
]
|
||||||
|
|
||||||
@swagger_serializer_method(serializer_or_field=OpenIDConnectConfigurationSerializer)
|
@swagger_serializer_method(serializer_or_field=OpenIDConnectConfigurationSerializer)
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
# Generated by Django 3.2 on 2021-04-27 18:47
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
import authentik.lib.models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
("authentik_providers_proxy", "0010_auto_20201214_0942"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="proxyprovider",
|
||||||
|
name="forward_auth_mode",
|
||||||
|
field=models.BooleanField(
|
||||||
|
default=False,
|
||||||
|
help_text="Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host.",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="proxyprovider",
|
||||||
|
name="internal_host",
|
||||||
|
field=models.TextField(
|
||||||
|
blank=True,
|
||||||
|
validators=[
|
||||||
|
authentik.lib.models.DomainlessURLValidator(
|
||||||
|
schemes=("http", "https")
|
||||||
|
)
|
||||||
|
],
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
|
@ -42,7 +42,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
|
||||||
Protocols by using a Reverse-Proxy."""
|
Protocols by using a Reverse-Proxy."""
|
||||||
|
|
||||||
internal_host = models.TextField(
|
internal_host = models.TextField(
|
||||||
validators=[DomainlessURLValidator(schemes=("http", "https"))]
|
validators=[DomainlessURLValidator(schemes=("http", "https"))],
|
||||||
|
blank=True,
|
||||||
)
|
)
|
||||||
external_host = models.TextField(
|
external_host = models.TextField(
|
||||||
validators=[DomainlessURLValidator(schemes=("http", "https"))]
|
validators=[DomainlessURLValidator(schemes=("http", "https"))]
|
||||||
|
@ -52,6 +53,13 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
|
||||||
help_text=_("Validate SSL Certificates of upstream servers"),
|
help_text=_("Validate SSL Certificates of upstream servers"),
|
||||||
verbose_name=_("Internal host SSL Validation"),
|
verbose_name=_("Internal host SSL Validation"),
|
||||||
)
|
)
|
||||||
|
forward_auth_mode = models.BooleanField(
|
||||||
|
default=False,
|
||||||
|
help_text=_(
|
||||||
|
"Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with "
|
||||||
|
"internal_host."
|
||||||
|
),
|
||||||
|
)
|
||||||
|
|
||||||
skip_path_regex = models.TextField(
|
skip_path_regex = models.TextField(
|
||||||
default="",
|
default="",
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
all: clean generate build
|
all: clean generate
|
||||||
|
|
||||||
generate:
|
generate:
|
||||||
go get -u github.com/go-swagger/go-swagger/cmd/swagger
|
go get -u github.com/go-swagger/go-swagger/cmd/swagger
|
||||||
|
@ -11,5 +11,3 @@ clean:
|
||||||
go mod tidy
|
go mod tidy
|
||||||
go clean .
|
go clean .
|
||||||
|
|
||||||
build:
|
|
||||||
go build -v .
|
|
||||||
|
|
|
@ -31,6 +31,10 @@ type providerBundle struct {
|
||||||
log *log.Entry
|
log *log.Entry
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func intToPointer(i int) *int {
|
||||||
|
return &i
|
||||||
|
}
|
||||||
|
|
||||||
func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *options.Options {
|
func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *options.Options {
|
||||||
externalHost, err := url.Parse(*provider.ExternalHost)
|
externalHost, err := url.Parse(*provider.ExternalHost)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -61,14 +65,25 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
|
||||||
providerOpts.SkipAuthRegex = skipRegexes
|
providerOpts.SkipAuthRegex = skipRegexes
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if provider.ForwardAuthMode {
|
||||||
|
providerOpts.UpstreamServers = []options.Upstream{
|
||||||
|
{
|
||||||
|
ID: "static",
|
||||||
|
Static: true,
|
||||||
|
StaticCode: intToPointer(202),
|
||||||
|
Path: "/",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
} else {
|
||||||
providerOpts.UpstreamServers = []options.Upstream{
|
providerOpts.UpstreamServers = []options.Upstream{
|
||||||
{
|
{
|
||||||
ID: "default",
|
ID: "default",
|
||||||
URI: *provider.InternalHost,
|
URI: provider.InternalHost,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
InsecureSkipTLSVerify: provider.InternalHostSslValidation,
|
InsecureSkipTLSVerify: provider.InternalHostSslValidation,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if provider.Certificate != nil {
|
if provider.Certificate != nil {
|
||||||
pb.log.WithField("provider", provider.ClientID).Debug("Enabling TLS")
|
pb.log.WithField("provider", provider.ClientID).Debug("Enabling TLS")
|
||||||
|
|
|
@ -63,6 +63,7 @@ type OAuthProxy struct {
|
||||||
AuthOnlyPath string
|
AuthOnlyPath string
|
||||||
UserInfoPath string
|
UserInfoPath string
|
||||||
|
|
||||||
|
forwardAuthMode bool
|
||||||
redirectURL *url.URL // the url to receive requests at
|
redirectURL *url.URL // the url to receive requests at
|
||||||
whitelistDomains []string
|
whitelistDomains []string
|
||||||
provider providers.Provider
|
provider providers.Provider
|
||||||
|
@ -132,6 +133,7 @@ func NewOAuthProxy(opts *options.Options, provider *models.ProxyOutpostConfig) (
|
||||||
CookieRefresh: opts.Cookie.Refresh,
|
CookieRefresh: opts.Cookie.Refresh,
|
||||||
CookieSameSite: opts.Cookie.SameSite,
|
CookieSameSite: opts.Cookie.SameSite,
|
||||||
|
|
||||||
|
forwardAuthMode: provider.ForwardAuthMode,
|
||||||
RobotsPath: "/robots.txt",
|
RobotsPath: "/robots.txt",
|
||||||
SignInPath: fmt.Sprintf("%s/sign_in", opts.ProxyPrefix),
|
SignInPath: fmt.Sprintf("%s/sign_in", opts.ProxyPrefix),
|
||||||
SignOutPath: fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
|
SignOutPath: fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
|
||||||
|
@ -335,12 +337,29 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
|
||||||
func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
|
func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
|
||||||
session, err := p.getAuthenticatedSession(rw, req)
|
session, err := p.getAuthenticatedSession(rw, req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if p.forwardAuthMode {
|
||||||
|
if _, ok := req.URL.Query()["nginx"]; ok {
|
||||||
|
rw.WriteHeader(401)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if _, ok := req.URL.Query()["traefik"]; ok {
|
||||||
|
host := getHost(req)
|
||||||
|
http.Redirect(rw, req, fmt.Sprintf("//%s%s", host, p.OAuthStartPath), http.StatusTemporaryRedirect)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
http.Error(rw, "unauthorized request", http.StatusUnauthorized)
|
http.Error(rw, "unauthorized request", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// we are authenticated
|
// we are authenticated
|
||||||
p.addHeadersForProxying(rw, req, session)
|
p.addHeadersForProxying(rw, req, session)
|
||||||
|
if p.forwardAuthMode {
|
||||||
|
for headerKey, headers := range req.Header {
|
||||||
|
for _, value := range headers {
|
||||||
|
rw.Header().Set(headerKey, value)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
rw.WriteHeader(http.StatusAccepted)
|
rw.WriteHeader(http.StatusAccepted)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -435,7 +454,6 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
|
||||||
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
||||||
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
|
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
|
||||||
}
|
}
|
||||||
rw.Header().Set("GAP-Auth", session.PreferredUsername)
|
|
||||||
// Check if user has additional headers set that we should sent
|
// Check if user has additional headers set that we should sent
|
||||||
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
|
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
|
||||||
if additionalHeaders == nil {
|
if additionalHeaders == nil {
|
||||||
|
|
14
swagger.yaml
14
swagger.yaml
|
@ -15764,7 +15764,6 @@ definitions:
|
||||||
ProxyOutpostConfig:
|
ProxyOutpostConfig:
|
||||||
required:
|
required:
|
||||||
- name
|
- name
|
||||||
- internal_host
|
|
||||||
- external_host
|
- external_host
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
|
@ -15779,7 +15778,6 @@ definitions:
|
||||||
internal_host:
|
internal_host:
|
||||||
title: Internal host
|
title: Internal host
|
||||||
type: string
|
type: string
|
||||||
minLength: 1
|
|
||||||
external_host:
|
external_host:
|
||||||
title: External host
|
title: External host
|
||||||
type: string
|
type: string
|
||||||
|
@ -15828,6 +15826,11 @@ definitions:
|
||||||
description: User/Group Attribute used for the user part of the HTTP-Basic
|
description: User/Group Attribute used for the user part of the HTTP-Basic
|
||||||
Header. If not set, the user's Email address is used.
|
Header. If not set, the user's Email address is used.
|
||||||
type: string
|
type: string
|
||||||
|
forward_auth_mode:
|
||||||
|
title: Forward auth mode
|
||||||
|
description: Enable support for forwardAuth in traefik and nginx auth_request.
|
||||||
|
Exclusive with internal_host.
|
||||||
|
type: boolean
|
||||||
ServiceConnection:
|
ServiceConnection:
|
||||||
required:
|
required:
|
||||||
- name
|
- name
|
||||||
|
@ -16737,7 +16740,6 @@ definitions:
|
||||||
required:
|
required:
|
||||||
- name
|
- name
|
||||||
- authorization_flow
|
- authorization_flow
|
||||||
- internal_host
|
|
||||||
- external_host
|
- external_host
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
|
@ -16783,7 +16785,6 @@ definitions:
|
||||||
internal_host:
|
internal_host:
|
||||||
title: Internal host
|
title: Internal host
|
||||||
type: string
|
type: string
|
||||||
minLength: 1
|
|
||||||
external_host:
|
external_host:
|
||||||
title: External host
|
title: External host
|
||||||
type: string
|
type: string
|
||||||
|
@ -16817,6 +16818,11 @@ definitions:
|
||||||
description: User/Group Attribute used for the user part of the HTTP-Basic
|
description: User/Group Attribute used for the user part of the HTTP-Basic
|
||||||
Header. If not set, the user's Email address is used.
|
Header. If not set, the user's Email address is used.
|
||||||
type: string
|
type: string
|
||||||
|
forward_auth_mode:
|
||||||
|
title: Forward auth mode
|
||||||
|
description: Enable support for forwardAuth in traefik and nginx auth_request.
|
||||||
|
Exclusive with internal_host.
|
||||||
|
type: boolean
|
||||||
SAMLProvider:
|
SAMLProvider:
|
||||||
required:
|
required:
|
||||||
- name
|
- name
|
||||||
|
|
|
@ -117,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
|
||||||
msgstr "Additional user DN, prepended to the Base DN."
|
msgstr "Additional user DN, prepended to the Base DN."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:130
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:117
|
#: src/pages/providers/saml/SAMLProviderForm.ts:117
|
||||||
#: src/pages/sources/saml/SAMLSourceForm.ts:134
|
#: src/pages/sources/saml/SAMLSourceForm.ts:134
|
||||||
msgid "Advanced protocol settings"
|
msgid "Advanced protocol settings"
|
||||||
|
@ -305,7 +305,7 @@ msgid "Authorization URL"
|
||||||
msgstr "Authorization URL"
|
msgstr "Authorization URL"
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:80
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:104
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:59
|
#: src/pages/providers/saml/SAMLProviderForm.ts:59
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
|
||||||
msgid "Authorization flow"
|
msgid "Authorization flow"
|
||||||
|
@ -433,7 +433,7 @@ msgid "Case insensitive matching"
|
||||||
msgstr "Case insensitive matching"
|
msgstr "Case insensitive matching"
|
||||||
|
|
||||||
#: src/pages/crypto/CertificateKeyPairForm.ts:51
|
#: src/pages/crypto/CertificateKeyPairForm.ts:51
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:134
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:157
|
||||||
msgid "Certificate"
|
msgid "Certificate"
|
||||||
msgstr "Certificate"
|
msgstr "Certificate"
|
||||||
|
|
||||||
|
@ -1123,6 +1123,14 @@ msgstr "Enable Static Tokens"
|
||||||
msgid "Enable TOTP"
|
msgid "Enable TOTP"
|
||||||
msgstr "Enable TOTP"
|
msgstr "Enable TOTP"
|
||||||
|
|
||||||
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:140
|
||||||
|
msgid "Enable forward-auth mode"
|
||||||
|
msgstr "Enable forward-auth mode"
|
||||||
|
|
||||||
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:144
|
||||||
|
msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
|
||||||
|
msgstr "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
|
||||||
|
|
||||||
#: src/pages/policies/BoundPoliciesList.ts:41
|
#: src/pages/policies/BoundPoliciesList.ts:41
|
||||||
#: src/pages/policies/PolicyBindingForm.ts:199
|
#: src/pages/policies/PolicyBindingForm.ts:199
|
||||||
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
|
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
|
||||||
|
@ -1281,7 +1289,7 @@ msgstr "External Applications which use authentik as Identity-Provider, utilizin
|
||||||
msgid "External Host"
|
msgid "External Host"
|
||||||
msgstr "External Host"
|
msgstr "External Host"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:119
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:127
|
||||||
msgid "External host"
|
msgid "External host"
|
||||||
msgstr "External host"
|
msgstr "External host"
|
||||||
|
|
||||||
|
@ -1376,7 +1384,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
|
||||||
msgstr "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
|
msgstr "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:94
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:118
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:73
|
#: src/pages/providers/saml/SAMLProviderForm.ts:73
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
|
||||||
msgid "Flow used when authorizing this provider."
|
msgid "Flow used when authorizing this provider."
|
||||||
|
@ -1474,11 +1482,11 @@ msgstr "Groups"
|
||||||
msgid "HS256 (Symmetric Encryption)"
|
msgid "HS256 (Symmetric Encryption)"
|
||||||
msgstr "HS256 (Symmetric Encryption)"
|
msgstr "HS256 (Symmetric Encryption)"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:64
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:66
|
||||||
msgid "HTTP-Basic Password Key"
|
msgid "HTTP-Basic Password Key"
|
||||||
msgstr "HTTP-Basic Password Key"
|
msgstr "HTTP-Basic Password Key"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:58
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:60
|
||||||
msgid "HTTP-Basic Username Key"
|
msgid "HTTP-Basic Username Key"
|
||||||
msgstr "HTTP-Basic Username Key"
|
msgstr "HTTP-Basic Username Key"
|
||||||
|
|
||||||
|
@ -1587,11 +1595,11 @@ msgstr "Internal Host"
|
||||||
msgid "Internal application name, used in URLs."
|
msgid "Internal application name, used in URLs."
|
||||||
msgstr "Internal application name, used in URLs."
|
msgstr "Internal application name, used in URLs."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:103
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:78
|
||||||
msgid "Internal host"
|
msgid "Internal host"
|
||||||
msgstr "Internal host"
|
msgstr "Internal host"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:113
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:88
|
||||||
msgid "Internal host SSL Validation"
|
msgid "Internal host SSL Validation"
|
||||||
msgstr "Internal host SSL Validation"
|
msgstr "Internal host SSL Validation"
|
||||||
|
|
||||||
|
@ -1728,8 +1736,8 @@ msgstr "Loading"
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:145
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:168
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:71
|
#: src/pages/providers/saml/SAMLProviderForm.ts:71
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:133
|
#: src/pages/providers/saml/SAMLProviderForm.ts:133
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:149
|
#: src/pages/providers/saml/SAMLProviderForm.ts:149
|
||||||
|
@ -1899,7 +1907,7 @@ msgstr "Monitor"
|
||||||
#: src/pages/providers/ProviderListPage.ts:52
|
#: src/pages/providers/ProviderListPage.ts:52
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
|
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:74
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:98
|
||||||
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
|
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:53
|
#: src/pages/providers/saml/SAMLProviderForm.ts:53
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
|
||||||
|
@ -2400,7 +2408,7 @@ msgid "Property mappings used to user creation."
|
||||||
msgstr "Property mappings used to user creation."
|
msgstr "Property mappings used to user creation."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:99
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:78
|
#: src/pages/providers/saml/SAMLProviderForm.ts:78
|
||||||
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
|
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
|
||||||
#: src/pages/sources/saml/SAMLSourceForm.ts:76
|
#: src/pages/sources/saml/SAMLSourceForm.ts:76
|
||||||
|
@ -2531,7 +2539,7 @@ msgstr "Refresh Code"
|
||||||
msgid "Register device"
|
msgid "Register device"
|
||||||
msgstr "Register device"
|
msgstr "Register device"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:176
|
||||||
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
||||||
msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
||||||
|
|
||||||
|
@ -2774,11 +2782,11 @@ msgstr "Session not valid on or after current time + this value (Format: hours=1
|
||||||
msgid "Session valid not on or after"
|
msgid "Session valid not on or after"
|
||||||
msgstr "Session valid not on or after"
|
msgstr "Session valid not on or after"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:163
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:186
|
||||||
msgid "Set HTTP-Basic Authentication"
|
msgid "Set HTTP-Basic Authentication"
|
||||||
msgstr "Set HTTP-Basic Authentication"
|
msgstr "Set HTTP-Basic Authentication"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:166
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:189
|
||||||
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
||||||
msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
||||||
|
|
||||||
|
@ -2828,7 +2836,7 @@ msgstr "Signing keypair"
|
||||||
msgid "Single Prompts that can be used for Prompt Stages."
|
msgid "Single Prompts that can be used for Prompt Stages."
|
||||||
msgstr "Single Prompts that can be used for Prompt Stages."
|
msgstr "Single Prompts that can be used for Prompt Stages."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:150
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:173
|
||||||
msgid "Skip path regex"
|
msgid "Skip path regex"
|
||||||
msgstr "Skip path regex"
|
msgstr "Skip path regex"
|
||||||
|
|
||||||
|
@ -3040,7 +3048,7 @@ msgid "Successfully created prompt."
|
||||||
msgstr "Successfully created prompt."
|
msgstr "Successfully created prompt."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:49
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:51
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:46
|
#: src/pages/providers/saml/SAMLProviderForm.ts:46
|
||||||
msgid "Successfully created provider."
|
msgid "Successfully created provider."
|
||||||
msgstr "Successfully created provider."
|
msgstr "Successfully created provider."
|
||||||
|
@ -3176,7 +3184,7 @@ msgid "Successfully updated prompt."
|
||||||
msgstr "Successfully updated prompt."
|
msgstr "Successfully updated prompt."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:46
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:48
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:43
|
#: src/pages/providers/saml/SAMLProviderForm.ts:43
|
||||||
msgid "Successfully updated provider."
|
msgid "Successfully updated provider."
|
||||||
msgstr "Successfully updated provider."
|
msgstr "Successfully updated provider."
|
||||||
|
@ -3325,7 +3333,7 @@ msgstr "Text: Simple Text input"
|
||||||
msgid "The URL \"{0}\" was not found."
|
msgid "The URL \"{0}\" was not found."
|
||||||
msgstr "The URL \"{0}\" was not found."
|
msgstr "The URL \"{0}\" was not found."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:131
|
||||||
msgid "The external URL you'll access the outpost at."
|
msgid "The external URL you'll access the outpost at."
|
||||||
msgstr "The external URL you'll access the outpost at."
|
msgstr "The external URL you'll access the outpost at."
|
||||||
|
|
||||||
|
@ -3635,7 +3643,7 @@ msgstr "Update details"
|
||||||
msgid "Update {0}"
|
msgid "Update {0}"
|
||||||
msgstr "Update {0}"
|
msgstr "Update {0}"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:107
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:82
|
||||||
msgid "Upstream host that the requests are forwarded to."
|
msgid "Upstream host that the requests are forwarded to."
|
||||||
msgstr "Upstream host that the requests are forwarded to."
|
msgstr "Upstream host that the requests are forwarded to."
|
||||||
|
|
||||||
|
@ -3721,11 +3729,11 @@ msgstr "User's avatar"
|
||||||
msgid "User's display name."
|
msgid "User's display name."
|
||||||
msgstr "User's display name."
|
msgstr "User's display name."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:67
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:69
|
||||||
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
||||||
msgstr "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
msgstr "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:61
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:63
|
||||||
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
||||||
msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
||||||
|
|
||||||
|
@ -3766,7 +3774,7 @@ msgstr "Using source"
|
||||||
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
||||||
msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:91
|
||||||
msgid "Validate SSL Certificates of upstream servers."
|
msgid "Validate SSL Certificates of upstream servers."
|
||||||
msgstr "Validate SSL Certificates of upstream servers."
|
msgstr "Validate SSL Certificates of upstream servers."
|
||||||
|
|
||||||
|
|
|
@ -117,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:130
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:117
|
#: src/pages/providers/saml/SAMLProviderForm.ts:117
|
||||||
#: src/pages/sources/saml/SAMLSourceForm.ts:134
|
#: src/pages/sources/saml/SAMLSourceForm.ts:134
|
||||||
msgid "Advanced protocol settings"
|
msgid "Advanced protocol settings"
|
||||||
|
@ -301,7 +301,7 @@ msgid "Authorization URL"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:80
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:104
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:59
|
#: src/pages/providers/saml/SAMLProviderForm.ts:59
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
|
||||||
msgid "Authorization flow"
|
msgid "Authorization flow"
|
||||||
|
@ -429,7 +429,7 @@ msgid "Case insensitive matching"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/crypto/CertificateKeyPairForm.ts:51
|
#: src/pages/crypto/CertificateKeyPairForm.ts:51
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:134
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:157
|
||||||
msgid "Certificate"
|
msgid "Certificate"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -1115,6 +1115,14 @@ msgstr ""
|
||||||
msgid "Enable TOTP"
|
msgid "Enable TOTP"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:140
|
||||||
|
msgid "Enable forward-auth mode"
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:144
|
||||||
|
msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/policies/BoundPoliciesList.ts:41
|
#: src/pages/policies/BoundPoliciesList.ts:41
|
||||||
#: src/pages/policies/PolicyBindingForm.ts:199
|
#: src/pages/policies/PolicyBindingForm.ts:199
|
||||||
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
|
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
|
||||||
|
@ -1273,7 +1281,7 @@ msgstr ""
|
||||||
msgid "External Host"
|
msgid "External Host"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:119
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:127
|
||||||
msgid "External host"
|
msgid "External host"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -1368,7 +1376,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:94
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:118
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:73
|
#: src/pages/providers/saml/SAMLProviderForm.ts:73
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
|
||||||
msgid "Flow used when authorizing this provider."
|
msgid "Flow used when authorizing this provider."
|
||||||
|
@ -1466,11 +1474,11 @@ msgstr ""
|
||||||
msgid "HS256 (Symmetric Encryption)"
|
msgid "HS256 (Symmetric Encryption)"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:64
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:66
|
||||||
msgid "HTTP-Basic Password Key"
|
msgid "HTTP-Basic Password Key"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:58
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:60
|
||||||
msgid "HTTP-Basic Username Key"
|
msgid "HTTP-Basic Username Key"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -1579,11 +1587,11 @@ msgstr ""
|
||||||
msgid "Internal application name, used in URLs."
|
msgid "Internal application name, used in URLs."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:103
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:78
|
||||||
msgid "Internal host"
|
msgid "Internal host"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:113
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:88
|
||||||
msgid "Internal host SSL Validation"
|
msgid "Internal host SSL Validation"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -1720,8 +1728,8 @@ msgstr ""
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:145
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:168
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:71
|
#: src/pages/providers/saml/SAMLProviderForm.ts:71
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:133
|
#: src/pages/providers/saml/SAMLProviderForm.ts:133
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:149
|
#: src/pages/providers/saml/SAMLProviderForm.ts:149
|
||||||
|
@ -1891,7 +1899,7 @@ msgstr ""
|
||||||
#: src/pages/providers/ProviderListPage.ts:52
|
#: src/pages/providers/ProviderListPage.ts:52
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
|
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:74
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:98
|
||||||
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
|
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:53
|
#: src/pages/providers/saml/SAMLProviderForm.ts:53
|
||||||
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
|
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
|
||||||
|
@ -2392,7 +2400,7 @@ msgid "Property mappings used to user creation."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:99
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:78
|
#: src/pages/providers/saml/SAMLProviderForm.ts:78
|
||||||
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
|
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
|
||||||
#: src/pages/sources/saml/SAMLSourceForm.ts:76
|
#: src/pages/sources/saml/SAMLSourceForm.ts:76
|
||||||
|
@ -2523,7 +2531,7 @@ msgstr ""
|
||||||
msgid "Register device"
|
msgid "Register device"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:176
|
||||||
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -2766,11 +2774,11 @@ msgstr ""
|
||||||
msgid "Session valid not on or after"
|
msgid "Session valid not on or after"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:163
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:186
|
||||||
msgid "Set HTTP-Basic Authentication"
|
msgid "Set HTTP-Basic Authentication"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:166
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:189
|
||||||
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -2820,7 +2828,7 @@ msgstr ""
|
||||||
msgid "Single Prompts that can be used for Prompt Stages."
|
msgid "Single Prompts that can be used for Prompt Stages."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:150
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:173
|
||||||
msgid "Skip path regex"
|
msgid "Skip path regex"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -3032,7 +3040,7 @@ msgid "Successfully created prompt."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:49
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:51
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:46
|
#: src/pages/providers/saml/SAMLProviderForm.ts:46
|
||||||
msgid "Successfully created provider."
|
msgid "Successfully created provider."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
@ -3168,7 +3176,7 @@ msgid "Successfully updated prompt."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:46
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:48
|
||||||
#: src/pages/providers/saml/SAMLProviderForm.ts:43
|
#: src/pages/providers/saml/SAMLProviderForm.ts:43
|
||||||
msgid "Successfully updated provider."
|
msgid "Successfully updated provider."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
@ -3317,7 +3325,7 @@ msgstr ""
|
||||||
msgid "The URL \"{0}\" was not found."
|
msgid "The URL \"{0}\" was not found."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:131
|
||||||
msgid "The external URL you'll access the outpost at."
|
msgid "The external URL you'll access the outpost at."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -3623,7 +3631,7 @@ msgstr ""
|
||||||
msgid "Update {0}"
|
msgid "Update {0}"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:107
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:82
|
||||||
msgid "Upstream host that the requests are forwarded to."
|
msgid "Upstream host that the requests are forwarded to."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -3709,11 +3717,11 @@ msgstr ""
|
||||||
msgid "User's display name."
|
msgid "User's display name."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:67
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:69
|
||||||
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:61
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:63
|
||||||
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
@ -3754,7 +3762,7 @@ msgstr ""
|
||||||
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
|
#: src/pages/providers/proxy/ProxyProviderForm.ts:91
|
||||||
msgid "Validate SSL Certificates of upstream servers."
|
msgid "Validate SSL Certificates of upstream servers."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
|
|
@ -19,6 +19,7 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
|
||||||
}).then(provider => {
|
}).then(provider => {
|
||||||
this.provider = provider;
|
this.provider = provider;
|
||||||
this.showHttpBasic = first(provider.basicAuthEnabled, true);
|
this.showHttpBasic = first(provider.basicAuthEnabled, true);
|
||||||
|
this.showInternalServer = first(!provider.forwardAuthMode, true);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -28,6 +29,9 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
|
||||||
@property({type: Boolean})
|
@property({type: Boolean})
|
||||||
showHttpBasic = true;
|
showHttpBasic = true;
|
||||||
|
|
||||||
|
@property({type: Boolean})
|
||||||
|
showInternalServer = true;
|
||||||
|
|
||||||
getSuccessMessage(): string {
|
getSuccessMessage(): string {
|
||||||
if (this.provider) {
|
if (this.provider) {
|
||||||
return t`Successfully updated provider.`;
|
return t`Successfully updated provider.`;
|
||||||
|
@ -67,6 +71,28 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
|
||||||
</ak-form-element-horizontal>`;
|
</ak-form-element-horizontal>`;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
renderInternalServer(): TemplateResult {
|
||||||
|
if (!this.showInternalServer) {
|
||||||
|
return html``;
|
||||||
|
}
|
||||||
|
return html`<ak-form-element-horizontal
|
||||||
|
label=${t`Internal host`}
|
||||||
|
?required=${true}
|
||||||
|
name="internalHost">
|
||||||
|
<input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
|
||||||
|
<p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
|
||||||
|
</ak-form-element-horizontal>
|
||||||
|
<ak-form-element-horizontal name="internalHostSslValidation">
|
||||||
|
<div class="pf-c-check">
|
||||||
|
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
|
||||||
|
<label class="pf-c-check__label">
|
||||||
|
${t`Internal host SSL Validation`}
|
||||||
|
</label>
|
||||||
|
</div>
|
||||||
|
<p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
|
||||||
|
</ak-form-element-horizontal>`;
|
||||||
|
}
|
||||||
|
|
||||||
renderForm(): TemplateResult {
|
renderForm(): TemplateResult {
|
||||||
return html`<form class="pf-c-form pf-m-horizontal">
|
return html`<form class="pf-c-form pf-m-horizontal">
|
||||||
<ak-form-element-horizontal
|
<ak-form-element-horizontal
|
||||||
|
@ -97,22 +123,6 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
|
||||||
${t`Protocol settings`}
|
${t`Protocol settings`}
|
||||||
</span>
|
</span>
|
||||||
<div slot="body" class="pf-c-form">
|
<div slot="body" class="pf-c-form">
|
||||||
<ak-form-element-horizontal
|
|
||||||
label=${t`Internal host`}
|
|
||||||
?required=${true}
|
|
||||||
name="internalHost">
|
|
||||||
<input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
|
|
||||||
<p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
|
|
||||||
</ak-form-element-horizontal>
|
|
||||||
<ak-form-element-horizontal name="internalHostSslValidation">
|
|
||||||
<div class="pf-c-check">
|
|
||||||
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
|
|
||||||
<label class="pf-c-check__label">
|
|
||||||
${t`Internal host SSL Validation`}
|
|
||||||
</label>
|
|
||||||
</div>
|
|
||||||
<p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
|
|
||||||
</ak-form-element-horizontal>
|
|
||||||
<ak-form-element-horizontal
|
<ak-form-element-horizontal
|
||||||
label=${t`External host`}
|
label=${t`External host`}
|
||||||
?required=${true}
|
?required=${true}
|
||||||
|
@ -120,6 +130,21 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
|
||||||
<input type="text" value="${ifDefined(this.provider?.externalHost)}" class="pf-c-form-control" required>
|
<input type="text" value="${ifDefined(this.provider?.externalHost)}" class="pf-c-form-control" required>
|
||||||
<p class="pf-c-form__helper-text">${t`The external URL you'll access the outpost at.`}</p>
|
<p class="pf-c-form__helper-text">${t`The external URL you'll access the outpost at.`}</p>
|
||||||
</ak-form-element-horizontal>
|
</ak-form-element-horizontal>
|
||||||
|
<ak-form-element-horizontal name="forwardAuthMode">
|
||||||
|
<div class="pf-c-check">
|
||||||
|
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.forwardAuthMode, false)} @change=${(ev: Event) => {
|
||||||
|
const el = ev.target as HTMLInputElement;
|
||||||
|
this.showInternalServer = !el.checked;
|
||||||
|
}}>
|
||||||
|
<label class="pf-c-check__label">
|
||||||
|
${t`Enable forward-auth mode`}
|
||||||
|
</label>
|
||||||
|
</div>
|
||||||
|
<p class="pf-c-form__helper-text">
|
||||||
|
${t`Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request.`}
|
||||||
|
</p>
|
||||||
|
</ak-form-element-horizontal>
|
||||||
|
${this.renderInternalServer()}
|
||||||
</div>
|
</div>
|
||||||
</ak-form-group>
|
</ak-form-group>
|
||||||
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
---
|
|
||||||
title: Proxy Outpost
|
|
||||||
---
|
|
||||||
|
|
||||||
The proxy outpost sets the following headers:
|
|
||||||
|
|
||||||
```
|
|
||||||
X-Auth-Username: akadmin # The username of the currently logged in user
|
|
||||||
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
|
|
||||||
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
|
|
||||||
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
|
|
||||||
```
|
|
||||||
|
|
||||||
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
|
|
||||||
|
|
||||||
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
|
|
|
@ -0,0 +1,229 @@
|
||||||
|
---
|
||||||
|
title: Proxy Outpost
|
||||||
|
---
|
||||||
|
|
||||||
|
The proxy outpost sets the following headers:
|
||||||
|
|
||||||
|
```
|
||||||
|
X-Auth-Username: akadmin # The username of the currently logged in user
|
||||||
|
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
|
||||||
|
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
|
||||||
|
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
|
||||||
|
```
|
||||||
|
|
||||||
|
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
|
||||||
|
|
||||||
|
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
|
||||||
|
|
||||||
|
# Forward auth
|
||||||
|
|
||||||
|
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
|
||||||
|
|
||||||
|
## Nginx
|
||||||
|
|
||||||
|
import Tabs from '@theme/Tabs';
|
||||||
|
import TabItem from '@theme/TabItem';
|
||||||
|
|
||||||
|
<Tabs
|
||||||
|
defaultValue="standalone-nginx"
|
||||||
|
values={[
|
||||||
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
||||||
|
{label: 'Ingress', value: 'ingress'},
|
||||||
|
]}>
|
||||||
|
<TabItem value="standalone-nginx">
|
||||||
|
|
||||||
|
```
|
||||||
|
location /akprox {
|
||||||
|
proxy_pass http://*ip of your outpost*:4180;
|
||||||
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
|
error_page 401 = @akprox_signin;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @akprox_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 /akprox/start?rd=$escaped_request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
auth_request /akprox/auth?nginx;
|
||||||
|
# All your other options...
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
</TabItem>
|
||||||
|
<TabItem value="ingress">
|
||||||
|
Create a new ingress for the outpost
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: authentik-outpost
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: *external host that you configured in authentik*
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- backend:
|
||||||
|
serviceName: authentik-outpost-*uuid of the service generated by authentik*
|
||||||
|
servicePort: 4180
|
||||||
|
path: /akprox
|
||||||
|
```
|
||||||
|
|
||||||
|
This ingress handles authentication requests, and the sign-in flow.
|
||||||
|
|
||||||
|
Add these annotations to the ingress you want to protect
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/auth-url: http://*external host that you configured in authentik*:4180/akprox/auth?nginx
|
||||||
|
nginx.ingress.kubernetes.io/auth-signin: http://*external host that you configured in authentik*:4180/akprox/start?rd=$escaped_request_uri
|
||||||
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||||
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
|
```
|
||||||
|
</TabItem>
|
||||||
|
</Tabs>
|
||||||
|
|
||||||
|
## Traefik
|
||||||
|
|
||||||
|
<Tabs
|
||||||
|
defaultValue="standalone-traefik"
|
||||||
|
values={[
|
||||||
|
{label: 'Standalone traefik', value: 'standalone-traefik'},
|
||||||
|
{label: 'docker-compose', value: 'docker-compose'},
|
||||||
|
{label: 'Ingress', value: 'ingress'},
|
||||||
|
]}>
|
||||||
|
<TabItem value="standalone-traefik">
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
http:
|
||||||
|
middlewares:
|
||||||
|
authentik:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- Set-Cookie
|
||||||
|
- X-Auth-Username
|
||||||
|
- X-Forwarded-Email
|
||||||
|
- X-Forwarded-Preferred-Username
|
||||||
|
- X-Forwarded-User
|
||||||
|
routers:
|
||||||
|
default-router:
|
||||||
|
rule: "Host(`*external host that you configured in authentik*`)"
|
||||||
|
middlewares:
|
||||||
|
- name: authentik
|
||||||
|
priority: 10
|
||||||
|
services: # Unchanged
|
||||||
|
default-router-auth
|
||||||
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||||
|
priority: 15
|
||||||
|
services: http://*ip of your outpost*:4180/akprox
|
||||||
|
```
|
||||||
|
</TabItem>
|
||||||
|
<TabItem value="docker-compose">
|
||||||
|
```yaml
|
||||||
|
version: '3.7'
|
||||||
|
services:
|
||||||
|
traefik:
|
||||||
|
image: traefik:v2.2
|
||||||
|
container_name: traefik
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
||||||
|
traefik.http.routers.api.entrypoints: https
|
||||||
|
traefik.http.routers.api.service: api@internal
|
||||||
|
traefik.http.routers.api.tls: true
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
- 443:443
|
||||||
|
command:
|
||||||
|
- '--api'
|
||||||
|
- '--log=true'
|
||||||
|
- '--log.level=DEBUG'
|
||||||
|
- '--log.filepath=/var/log/traefik.log'
|
||||||
|
- '--providers.docker=true'
|
||||||
|
- '--providers.docker.exposedByDefault=false'
|
||||||
|
- '--entrypoints.http=true'
|
||||||
|
- '--entrypoints.http.address=:80'
|
||||||
|
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
||||||
|
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
||||||
|
- '--entrypoints.https=true'
|
||||||
|
- '--entrypoints.https.address=:443'
|
||||||
|
|
||||||
|
authentik_proxy:
|
||||||
|
image: beryju/authentik-proxy:2021.4.4
|
||||||
|
ports:
|
||||||
|
- 4180:4180
|
||||||
|
- 4443:4443
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_HOST: https://your-authentik.tld
|
||||||
|
AUTHENTIK_INSECURE: "false"
|
||||||
|
AUTHENTIK_TOKEN: token-generated-by-authentik
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.port: 4180
|
||||||
|
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
||||||
|
traefik.http.routers.authentik.entrypoints: https
|
||||||
|
traefik.http.routers.authentik.tls: true
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
|
||||||
|
restart: unless-stopped
|
||||||
|
|
||||||
|
whoami:
|
||||||
|
image: containous/whoami
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
||||||
|
traefik.http.routers.whoami.entrypoints: https
|
||||||
|
traefik.http.routers.whoami.tls: true
|
||||||
|
traefik.http.routers.whoami.middlewares: authentik@docker
|
||||||
|
restart: unless-stopped
|
||||||
|
```
|
||||||
|
</TabItem>
|
||||||
|
<TabItem value="ingress">
|
||||||
|
Create a middleware:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: authentik
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- Set-Cookie
|
||||||
|
- X-Auth-Username
|
||||||
|
- X-Forwarded-Email
|
||||||
|
- X-Forwarded-Preferred-Username
|
||||||
|
- X-Forwarded-User
|
||||||
|
```
|
||||||
|
|
||||||
|
Add the following settings to your IngressRoute
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
spec:
|
||||||
|
routes:
|
||||||
|
- kind: Rule
|
||||||
|
match: "Host(`*external host that you configured in authentik*`)"
|
||||||
|
middlewares:
|
||||||
|
- name: authentik
|
||||||
|
priority: 10
|
||||||
|
services: # Unchanged
|
||||||
|
- kind: Rule
|
||||||
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||||
|
priority: 15
|
||||||
|
services:
|
||||||
|
- kind: Service
|
||||||
|
name: authentik-outpost-*uuid of the service generated by authentik*
|
||||||
|
port: 4180
|
||||||
|
```
|
||||||
|
</TabItem>
|
||||||
|
</Tabs>
|
Reference in New Issue