outpost: forwardAuth mode (#790)

This commit is contained in:
Jens L 2021-04-29 18:17:10 +02:00 committed by GitHub
parent ad8ee83697
commit 2a409215d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 433 additions and 97 deletions

View File

@ -52,6 +52,7 @@ class ProxyProviderSerializer(ProviderSerializer):
"basic_auth_enabled",
"basic_auth_password_attribute",
"basic_auth_user_attribute",
"forward_auth_mode",
]
@ -86,6 +87,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
"basic_auth_enabled",
"basic_auth_password_attribute",
"basic_auth_user_attribute",
"forward_auth_mode",
]
@swagger_serializer_method(serializer_or_field=OpenIDConnectConfigurationSerializer)

View File

@ -0,0 +1,35 @@
# Generated by Django 3.2 on 2021-04-27 18:47
from django.db import migrations, models
import authentik.lib.models
class Migration(migrations.Migration):
dependencies = [
("authentik_providers_proxy", "0010_auto_20201214_0942"),
]
operations = [
migrations.AddField(
model_name="proxyprovider",
name="forward_auth_mode",
field=models.BooleanField(
default=False,
help_text="Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host.",
),
),
migrations.AlterField(
model_name="proxyprovider",
name="internal_host",
field=models.TextField(
blank=True,
validators=[
authentik.lib.models.DomainlessURLValidator(
schemes=("http", "https")
)
],
),
),
]

View File

@ -42,7 +42,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
Protocols by using a Reverse-Proxy."""
internal_host = models.TextField(
validators=[DomainlessURLValidator(schemes=("http", "https"))]
validators=[DomainlessURLValidator(schemes=("http", "https"))],
blank=True,
)
external_host = models.TextField(
validators=[DomainlessURLValidator(schemes=("http", "https"))]
@ -52,6 +53,13 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
help_text=_("Validate SSL Certificates of upstream servers"),
verbose_name=_("Internal host SSL Validation"),
)
forward_auth_mode = models.BooleanField(
default=False,
help_text=_(
"Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with "
"internal_host."
),
)
skip_path_regex = models.TextField(
default="",

View File

@ -1,4 +1,4 @@
all: clean generate build
all: clean generate
generate:
go get -u github.com/go-swagger/go-swagger/cmd/swagger
@ -11,5 +11,3 @@ clean:
go mod tidy
go clean .
build:
go build -v .

View File

@ -31,6 +31,10 @@ type providerBundle struct {
log *log.Entry
}
func intToPointer(i int) *int {
return &i
}
func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *options.Options {
externalHost, err := url.Parse(*provider.ExternalHost)
if err != nil {
@ -61,14 +65,25 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
providerOpts.SkipAuthRegex = skipRegexes
}
if provider.ForwardAuthMode {
providerOpts.UpstreamServers = []options.Upstream{
{
ID: "static",
Static: true,
StaticCode: intToPointer(202),
Path: "/",
},
}
} else {
providerOpts.UpstreamServers = []options.Upstream{
{
ID: "default",
URI: *provider.InternalHost,
URI: provider.InternalHost,
Path: "/",
InsecureSkipTLSVerify: provider.InternalHostSslValidation,
},
}
}
if provider.Certificate != nil {
pb.log.WithField("provider", provider.ClientID).Debug("Enabling TLS")

View File

@ -63,6 +63,7 @@ type OAuthProxy struct {
AuthOnlyPath string
UserInfoPath string
forwardAuthMode bool
redirectURL *url.URL // the url to receive requests at
whitelistDomains []string
provider providers.Provider
@ -132,6 +133,7 @@ func NewOAuthProxy(opts *options.Options, provider *models.ProxyOutpostConfig) (
CookieRefresh: opts.Cookie.Refresh,
CookieSameSite: opts.Cookie.SameSite,
forwardAuthMode: provider.ForwardAuthMode,
RobotsPath: "/robots.txt",
SignInPath: fmt.Sprintf("%s/sign_in", opts.ProxyPrefix),
SignOutPath: fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
@ -335,12 +337,29 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
session, err := p.getAuthenticatedSession(rw, req)
if err != nil {
if p.forwardAuthMode {
if _, ok := req.URL.Query()["nginx"]; ok {
rw.WriteHeader(401)
return
}
if _, ok := req.URL.Query()["traefik"]; ok {
host := getHost(req)
http.Redirect(rw, req, fmt.Sprintf("//%s%s", host, p.OAuthStartPath), http.StatusTemporaryRedirect)
return
}
}
http.Error(rw, "unauthorized request", http.StatusUnauthorized)
return
}
// we are authenticated
p.addHeadersForProxying(rw, req, session)
if p.forwardAuthMode {
for headerKey, headers := range req.Header {
for _, value := range headers {
rw.Header().Set(headerKey, value)
}
}
}
rw.WriteHeader(http.StatusAccepted)
}
@ -435,7 +454,6 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
}
rw.Header().Set("GAP-Auth", session.PreferredUsername)
// Check if user has additional headers set that we should sent
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
if additionalHeaders == nil {

View File

@ -15764,7 +15764,6 @@ definitions:
ProxyOutpostConfig:
required:
- name
- internal_host
- external_host
type: object
properties:
@ -15779,7 +15778,6 @@ definitions:
internal_host:
title: Internal host
type: string
minLength: 1
external_host:
title: External host
type: string
@ -15828,6 +15826,11 @@ definitions:
description: User/Group Attribute used for the user part of the HTTP-Basic
Header. If not set, the user's Email address is used.
type: string
forward_auth_mode:
title: Forward auth mode
description: Enable support for forwardAuth in traefik and nginx auth_request.
Exclusive with internal_host.
type: boolean
ServiceConnection:
required:
- name
@ -16737,7 +16740,6 @@ definitions:
required:
- name
- authorization_flow
- internal_host
- external_host
type: object
properties:
@ -16783,7 +16785,6 @@ definitions:
internal_host:
title: Internal host
type: string
minLength: 1
external_host:
title: External host
type: string
@ -16817,6 +16818,11 @@ definitions:
description: User/Group Attribute used for the user part of the HTTP-Basic
Header. If not set, the user's Email address is used.
type: string
forward_auth_mode:
title: Forward auth mode
description: Enable support for forwardAuth in traefik and nginx auth_request.
Exclusive with internal_host.
type: boolean
SAMLProvider:
required:
- name

View File

@ -117,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
msgstr "Additional user DN, prepended to the Base DN."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
#: src/pages/providers/proxy/ProxyProviderForm.ts:130
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
#: src/pages/providers/saml/SAMLProviderForm.ts:117
#: src/pages/sources/saml/SAMLSourceForm.ts:134
msgid "Advanced protocol settings"
@ -305,7 +305,7 @@ msgid "Authorization URL"
msgstr "Authorization URL"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
#: src/pages/providers/proxy/ProxyProviderForm.ts:80
#: src/pages/providers/proxy/ProxyProviderForm.ts:104
#: src/pages/providers/saml/SAMLProviderForm.ts:59
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
msgid "Authorization flow"
@ -433,7 +433,7 @@ msgid "Case insensitive matching"
msgstr "Case insensitive matching"
#: src/pages/crypto/CertificateKeyPairForm.ts:51
#: src/pages/providers/proxy/ProxyProviderForm.ts:134
#: src/pages/providers/proxy/ProxyProviderForm.ts:157
msgid "Certificate"
msgstr "Certificate"
@ -1123,6 +1123,14 @@ msgstr "Enable Static Tokens"
msgid "Enable TOTP"
msgstr "Enable TOTP"
#: src/pages/providers/proxy/ProxyProviderForm.ts:140
msgid "Enable forward-auth mode"
msgstr "Enable forward-auth mode"
#: src/pages/providers/proxy/ProxyProviderForm.ts:144
msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
msgstr "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
#: src/pages/policies/BoundPoliciesList.ts:41
#: src/pages/policies/PolicyBindingForm.ts:199
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
@ -1281,7 +1289,7 @@ msgstr "External Applications which use authentik as Identity-Provider, utilizin
msgid "External Host"
msgstr "External Host"
#: src/pages/providers/proxy/ProxyProviderForm.ts:119
#: src/pages/providers/proxy/ProxyProviderForm.ts:127
msgid "External host"
msgstr "External host"
@ -1376,7 +1384,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
msgstr "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
#: src/pages/providers/proxy/ProxyProviderForm.ts:94
#: src/pages/providers/proxy/ProxyProviderForm.ts:118
#: src/pages/providers/saml/SAMLProviderForm.ts:73
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
msgid "Flow used when authorizing this provider."
@ -1474,11 +1482,11 @@ msgstr "Groups"
msgid "HS256 (Symmetric Encryption)"
msgstr "HS256 (Symmetric Encryption)"
#: src/pages/providers/proxy/ProxyProviderForm.ts:64
#: src/pages/providers/proxy/ProxyProviderForm.ts:66
msgid "HTTP-Basic Password Key"
msgstr "HTTP-Basic Password Key"
#: src/pages/providers/proxy/ProxyProviderForm.ts:58
#: src/pages/providers/proxy/ProxyProviderForm.ts:60
msgid "HTTP-Basic Username Key"
msgstr "HTTP-Basic Username Key"
@ -1587,11 +1595,11 @@ msgstr "Internal Host"
msgid "Internal application name, used in URLs."
msgstr "Internal application name, used in URLs."
#: src/pages/providers/proxy/ProxyProviderForm.ts:103
#: src/pages/providers/proxy/ProxyProviderForm.ts:78
msgid "Internal host"
msgstr "Internal host"
#: src/pages/providers/proxy/ProxyProviderForm.ts:113
#: src/pages/providers/proxy/ProxyProviderForm.ts:88
msgid "Internal host SSL Validation"
msgstr "Internal host SSL Validation"
@ -1728,8 +1736,8 @@ msgstr "Loading"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
#: src/pages/providers/proxy/ProxyProviderForm.ts:145
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
#: src/pages/providers/proxy/ProxyProviderForm.ts:168
#: src/pages/providers/saml/SAMLProviderForm.ts:71
#: src/pages/providers/saml/SAMLProviderForm.ts:133
#: src/pages/providers/saml/SAMLProviderForm.ts:149
@ -1899,7 +1907,7 @@ msgstr "Monitor"
#: src/pages/providers/ProviderListPage.ts:52
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
#: src/pages/providers/proxy/ProxyProviderForm.ts:74
#: src/pages/providers/proxy/ProxyProviderForm.ts:98
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
#: src/pages/providers/saml/SAMLProviderForm.ts:53
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
@ -2400,7 +2408,7 @@ msgid "Property mappings used to user creation."
msgstr "Property mappings used to user creation."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
#: src/pages/providers/proxy/ProxyProviderForm.ts:99
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
#: src/pages/providers/saml/SAMLProviderForm.ts:78
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
#: src/pages/sources/saml/SAMLSourceForm.ts:76
@ -2531,7 +2539,7 @@ msgstr "Refresh Code"
msgid "Register device"
msgstr "Register device"
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
#: src/pages/providers/proxy/ProxyProviderForm.ts:176
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
@ -2774,11 +2782,11 @@ msgstr "Session not valid on or after current time + this value (Format: hours=1
msgid "Session valid not on or after"
msgstr "Session valid not on or after"
#: src/pages/providers/proxy/ProxyProviderForm.ts:163
#: src/pages/providers/proxy/ProxyProviderForm.ts:186
msgid "Set HTTP-Basic Authentication"
msgstr "Set HTTP-Basic Authentication"
#: src/pages/providers/proxy/ProxyProviderForm.ts:166
#: src/pages/providers/proxy/ProxyProviderForm.ts:189
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
@ -2828,7 +2836,7 @@ msgstr "Signing keypair"
msgid "Single Prompts that can be used for Prompt Stages."
msgstr "Single Prompts that can be used for Prompt Stages."
#: src/pages/providers/proxy/ProxyProviderForm.ts:150
#: src/pages/providers/proxy/ProxyProviderForm.ts:173
msgid "Skip path regex"
msgstr "Skip path regex"
@ -3040,7 +3048,7 @@ msgid "Successfully created prompt."
msgstr "Successfully created prompt."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
#: src/pages/providers/proxy/ProxyProviderForm.ts:49
#: src/pages/providers/proxy/ProxyProviderForm.ts:51
#: src/pages/providers/saml/SAMLProviderForm.ts:46
msgid "Successfully created provider."
msgstr "Successfully created provider."
@ -3176,7 +3184,7 @@ msgid "Successfully updated prompt."
msgstr "Successfully updated prompt."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
#: src/pages/providers/proxy/ProxyProviderForm.ts:46
#: src/pages/providers/proxy/ProxyProviderForm.ts:48
#: src/pages/providers/saml/SAMLProviderForm.ts:43
msgid "Successfully updated provider."
msgstr "Successfully updated provider."
@ -3325,7 +3333,7 @@ msgstr "Text: Simple Text input"
msgid "The URL \"{0}\" was not found."
msgstr "The URL \"{0}\" was not found."
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
#: src/pages/providers/proxy/ProxyProviderForm.ts:131
msgid "The external URL you'll access the outpost at."
msgstr "The external URL you'll access the outpost at."
@ -3635,7 +3643,7 @@ msgstr "Update details"
msgid "Update {0}"
msgstr "Update {0}"
#: src/pages/providers/proxy/ProxyProviderForm.ts:107
#: src/pages/providers/proxy/ProxyProviderForm.ts:82
msgid "Upstream host that the requests are forwarded to."
msgstr "Upstream host that the requests are forwarded to."
@ -3721,11 +3729,11 @@ msgstr "User's avatar"
msgid "User's display name."
msgstr "User's display name."
#: src/pages/providers/proxy/ProxyProviderForm.ts:67
#: src/pages/providers/proxy/ProxyProviderForm.ts:69
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
msgstr "User/Group Attribute used for the password part of the HTTP-Basic Header."
#: src/pages/providers/proxy/ProxyProviderForm.ts:61
#: src/pages/providers/proxy/ProxyProviderForm.ts:63
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
@ -3766,7 +3774,7 @@ msgstr "Using source"
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
#: src/pages/providers/proxy/ProxyProviderForm.ts:91
msgid "Validate SSL Certificates of upstream servers."
msgstr "Validate SSL Certificates of upstream servers."

View File

@ -117,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
#: src/pages/providers/proxy/ProxyProviderForm.ts:130
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
#: src/pages/providers/saml/SAMLProviderForm.ts:117
#: src/pages/sources/saml/SAMLSourceForm.ts:134
msgid "Advanced protocol settings"
@ -301,7 +301,7 @@ msgid "Authorization URL"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
#: src/pages/providers/proxy/ProxyProviderForm.ts:80
#: src/pages/providers/proxy/ProxyProviderForm.ts:104
#: src/pages/providers/saml/SAMLProviderForm.ts:59
#: src/pages/providers/saml/SAMLProviderImportForm.ts:44
msgid "Authorization flow"
@ -429,7 +429,7 @@ msgid "Case insensitive matching"
msgstr ""
#: src/pages/crypto/CertificateKeyPairForm.ts:51
#: src/pages/providers/proxy/ProxyProviderForm.ts:134
#: src/pages/providers/proxy/ProxyProviderForm.ts:157
msgid "Certificate"
msgstr ""
@ -1115,6 +1115,14 @@ msgstr ""
msgid "Enable TOTP"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:140
msgid "Enable forward-auth mode"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:144
msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
msgstr ""
#: src/pages/policies/BoundPoliciesList.ts:41
#: src/pages/policies/PolicyBindingForm.ts:199
#: src/pages/sources/ldap/LDAPSourceForm.ts:69
@ -1273,7 +1281,7 @@ msgstr ""
msgid "External Host"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:119
#: src/pages/providers/proxy/ProxyProviderForm.ts:127
msgid "External host"
msgstr ""
@ -1368,7 +1376,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
#: src/pages/providers/proxy/ProxyProviderForm.ts:94
#: src/pages/providers/proxy/ProxyProviderForm.ts:118
#: src/pages/providers/saml/SAMLProviderForm.ts:73
#: src/pages/providers/saml/SAMLProviderImportForm.ts:57
msgid "Flow used when authorizing this provider."
@ -1466,11 +1474,11 @@ msgstr ""
msgid "HS256 (Symmetric Encryption)"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:64
#: src/pages/providers/proxy/ProxyProviderForm.ts:66
msgid "HTTP-Basic Password Key"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:58
#: src/pages/providers/proxy/ProxyProviderForm.ts:60
msgid "HTTP-Basic Username Key"
msgstr ""
@ -1579,11 +1587,11 @@ msgstr ""
msgid "Internal application name, used in URLs."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:103
#: src/pages/providers/proxy/ProxyProviderForm.ts:78
msgid "Internal host"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:113
#: src/pages/providers/proxy/ProxyProviderForm.ts:88
msgid "Internal host SSL Validation"
msgstr ""
@ -1720,8 +1728,8 @@ msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
#: src/pages/providers/proxy/ProxyProviderForm.ts:145
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
#: src/pages/providers/proxy/ProxyProviderForm.ts:168
#: src/pages/providers/saml/SAMLProviderForm.ts:71
#: src/pages/providers/saml/SAMLProviderForm.ts:133
#: src/pages/providers/saml/SAMLProviderForm.ts:149
@ -1891,7 +1899,7 @@ msgstr ""
#: src/pages/providers/ProviderListPage.ts:52
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
#: src/pages/providers/proxy/ProxyProviderForm.ts:74
#: src/pages/providers/proxy/ProxyProviderForm.ts:98
#: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
#: src/pages/providers/saml/SAMLProviderForm.ts:53
#: src/pages/providers/saml/SAMLProviderImportForm.ts:38
@ -2392,7 +2400,7 @@ msgid "Property mappings used to user creation."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
#: src/pages/providers/proxy/ProxyProviderForm.ts:99
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
#: src/pages/providers/saml/SAMLProviderForm.ts:78
#: src/pages/sources/oauth/OAuthSourceForm.ts:122
#: src/pages/sources/saml/SAMLSourceForm.ts:76
@ -2523,7 +2531,7 @@ msgstr ""
msgid "Register device"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:153
#: src/pages/providers/proxy/ProxyProviderForm.ts:176
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
msgstr ""
@ -2766,11 +2774,11 @@ msgstr ""
msgid "Session valid not on or after"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:163
#: src/pages/providers/proxy/ProxyProviderForm.ts:186
msgid "Set HTTP-Basic Authentication"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:166
#: src/pages/providers/proxy/ProxyProviderForm.ts:189
msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
msgstr ""
@ -2820,7 +2828,7 @@ msgstr ""
msgid "Single Prompts that can be used for Prompt Stages."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:150
#: src/pages/providers/proxy/ProxyProviderForm.ts:173
msgid "Skip path regex"
msgstr ""
@ -3032,7 +3040,7 @@ msgid "Successfully created prompt."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
#: src/pages/providers/proxy/ProxyProviderForm.ts:49
#: src/pages/providers/proxy/ProxyProviderForm.ts:51
#: src/pages/providers/saml/SAMLProviderForm.ts:46
msgid "Successfully created provider."
msgstr ""
@ -3168,7 +3176,7 @@ msgid "Successfully updated prompt."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
#: src/pages/providers/proxy/ProxyProviderForm.ts:46
#: src/pages/providers/proxy/ProxyProviderForm.ts:48
#: src/pages/providers/saml/SAMLProviderForm.ts:43
msgid "Successfully updated provider."
msgstr ""
@ -3317,7 +3325,7 @@ msgstr ""
msgid "The URL \"{0}\" was not found."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:123
#: src/pages/providers/proxy/ProxyProviderForm.ts:131
msgid "The external URL you'll access the outpost at."
msgstr ""
@ -3623,7 +3631,7 @@ msgstr ""
msgid "Update {0}"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:107
#: src/pages/providers/proxy/ProxyProviderForm.ts:82
msgid "Upstream host that the requests are forwarded to."
msgstr ""
@ -3709,11 +3717,11 @@ msgstr ""
msgid "User's display name."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:67
#: src/pages/providers/proxy/ProxyProviderForm.ts:69
msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:61
#: src/pages/providers/proxy/ProxyProviderForm.ts:63
msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
msgstr ""
@ -3754,7 +3762,7 @@ msgstr ""
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:116
#: src/pages/providers/proxy/ProxyProviderForm.ts:91
msgid "Validate SSL Certificates of upstream servers."
msgstr ""

View File

@ -19,6 +19,7 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
}).then(provider => {
this.provider = provider;
this.showHttpBasic = first(provider.basicAuthEnabled, true);
this.showInternalServer = first(!provider.forwardAuthMode, true);
});
}
@ -28,6 +29,9 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
@property({type: Boolean})
showHttpBasic = true;
@property({type: Boolean})
showInternalServer = true;
getSuccessMessage(): string {
if (this.provider) {
return t`Successfully updated provider.`;
@ -67,6 +71,28 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
</ak-form-element-horizontal>`;
}
renderInternalServer(): TemplateResult {
if (!this.showInternalServer) {
return html``;
}
return html`<ak-form-element-horizontal
label=${t`Internal host`}
?required=${true}
name="internalHost">
<input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
<p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="internalHostSslValidation">
<div class="pf-c-check">
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
<label class="pf-c-check__label">
${t`Internal host SSL Validation`}
</label>
</div>
<p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
</ak-form-element-horizontal>`;
}
renderForm(): TemplateResult {
return html`<form class="pf-c-form pf-m-horizontal">
<ak-form-element-horizontal
@ -97,22 +123,6 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
${t`Protocol settings`}
</span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${t`Internal host`}
?required=${true}
name="internalHost">
<input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
<p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="internalHostSslValidation">
<div class="pf-c-check">
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
<label class="pf-c-check__label">
${t`Internal host SSL Validation`}
</label>
</div>
<p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`External host`}
?required=${true}
@ -120,6 +130,21 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
<input type="text" value="${ifDefined(this.provider?.externalHost)}" class="pf-c-form-control" required>
<p class="pf-c-form__helper-text">${t`The external URL you'll access the outpost at.`}</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="forwardAuthMode">
<div class="pf-c-check">
<input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.forwardAuthMode, false)} @change=${(ev: Event) => {
const el = ev.target as HTMLInputElement;
this.showInternalServer = !el.checked;
}}>
<label class="pf-c-check__label">
${t`Enable forward-auth mode`}
</label>
</div>
<p class="pf-c-form__helper-text">
${t`Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request.`}
</p>
</ak-form-element-horizontal>
${this.renderInternalServer()}
</div>
</ak-form-group>

View File

@ -1,16 +0,0 @@
---
title: Proxy Outpost
---
The proxy outpost sets the following headers:
```
X-Auth-Username: akadmin # The username of the currently logged in user
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
```
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.

View File

@ -0,0 +1,229 @@
---
title: Proxy Outpost
---
The proxy outpost sets the following headers:
```
X-Auth-Username: akadmin # The username of the currently logged in user
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
```
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
# Forward auth
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
## Nginx
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
<Tabs
defaultValue="standalone-nginx"
values={[
{label: 'Standalone nginx', value: 'standalone-nginx'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-nginx">
```
location /akprox {
proxy_pass http://*ip of your outpost*:4180;
proxy_set_header X-Forwarded-Host $http_host;
error_page 401 = @akprox_signin;
}
location @akprox_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$escaped_request_uri;
}
location / {
auth_request /akprox/auth?nginx;
# All your other options...
}
```
</TabItem>
<TabItem value="ingress">
Create a new ingress for the outpost
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: authentik-outpost
spec:
rules:
- host: *external host that you configured in authentik*
http:
paths:
- backend:
serviceName: authentik-outpost-*uuid of the service generated by authentik*
servicePort: 4180
path: /akprox
```
This ingress handles authentication requests, and the sign-in flow.
Add these annotations to the ingress you want to protect
```yaml
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: http://*external host that you configured in authentik*:4180/akprox/auth?nginx
nginx.ingress.kubernetes.io/auth-signin: http://*external host that you configured in authentik*:4180/akprox/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
```
</TabItem>
</Tabs>
## Traefik
<Tabs
defaultValue="standalone-traefik"
values={[
{label: 'Standalone traefik', value: 'standalone-traefik'},
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-traefik">
```yaml
http:
middlewares:
authentik:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
routers:
default-router:
rule: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
default-router-auth
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services: http://*ip of your outpost*:4180/akprox
```
</TabItem>
<TabItem value="docker-compose">
```yaml
version: '3.7'
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
labels:
traefik.enable: true
traefik.http.routers.api.rule: Host(`traefik.example.com`)
traefik.http.routers.api.entrypoints: https
traefik.http.routers.api.service: api@internal
traefik.http.routers.api.tls: true
ports:
- 80:80
- 443:443
command:
- '--api'
- '--log=true'
- '--log.level=DEBUG'
- '--log.filepath=/var/log/traefik.log'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entrypoints.http=true'
- '--entrypoints.http.address=:80'
- '--entrypoints.http.http.redirections.entrypoint.to=https'
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- '--entrypoints.https=true'
- '--entrypoints.https.address=:443'
authentik_proxy:
image: beryju/authentik-proxy:2021.4.4
ports:
- 4180:4180
- 4443:4443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
labels:
traefik.enable: true
traefik.port: 4180
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
traefik.http.routers.authentik.entrypoints: https
traefik.http.routers.authentik.tls: true
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
traefik.http.routers.whoami.entrypoints: https
traefik.http.routers.whoami.tls: true
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
```
</TabItem>
<TabItem value="ingress">
Create a middleware:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
spec:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
```
Add the following settings to your IngressRoute
```yaml
spec:
routes:
- kind: Rule
match: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
- kind: Rule
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services:
- kind: Service
name: authentik-outpost-*uuid of the service generated by authentik*
port: 4180
```
</TabItem>
</Tabs>