website/docs: add nginx-proxy-manager
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
77e42d60cb
commit
4ce3c2341c
31
website/docs/providers/proxy/_nginx_ingress.md
Normal file
31
website/docs/providers/proxy/_nginx_ingress.md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
Create a new ingress for the outpost
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: authentik-outpost
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: *external host that you configured in authentik*
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- backend:
|
||||||
|
serviceName: authentik-outpost-example-outpost
|
||||||
|
servicePort: 9000
|
||||||
|
path: /akprox
|
||||||
|
```
|
||||||
|
|
||||||
|
This ingress handles authentication requests, and the sign-in flow.
|
||||||
|
|
||||||
|
Add these annotations to the ingress you want to protect
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
||||||
|
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
||||||
|
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||||
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
|
```
|
50
website/docs/providers/proxy/_nginx_proxy_manager.md
Normal file
50
website/docs/providers/proxy/_nginx_proxy_manager.md
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
For Nginx Proxy Manager you can use this snippet
|
||||||
|
|
||||||
|
```
|
||||||
|
# Increase buffer size for large headers
|
||||||
|
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
||||||
|
proxy_buffers 8 16k;
|
||||||
|
proxy_buffer_size 32k;
|
||||||
|
fastcgi_buffers 16 16k;
|
||||||
|
fastcgi_buffer_size 32k;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
# Put your proxy_pass to your application here
|
||||||
|
proxy_pass $forward_scheme://$server:$port;
|
||||||
|
|
||||||
|
# authentik-specific config
|
||||||
|
auth_request /akprox/auth/nginx;
|
||||||
|
error_page 401 = @akprox_signin;
|
||||||
|
|
||||||
|
# translate headers from the outposts back to the actual upstream
|
||||||
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||||
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||||
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||||
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||||
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||||
|
|
||||||
|
proxy_set_header X-authentik-username $authentik_username;
|
||||||
|
proxy_set_header X-authentik-groups $authentik_groups;
|
||||||
|
proxy_set_header X-authentik-email $authentik_email;
|
||||||
|
proxy_set_header X-authentik-name $authentik_name;
|
||||||
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
|
}
|
||||||
|
|
||||||
|
# all requests to /akprox must be accessible without authentication
|
||||||
|
location /akprox {
|
||||||
|
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||||
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
|
# in authentik
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Special location for when the /auth endpoint returns a 401,
|
||||||
|
# redirect to the /start URL which initiates SSO
|
||||||
|
location @akprox_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 /akprox/start?rd=$request_uri;
|
||||||
|
}
|
||||||
|
```
|
60
website/docs/providers/proxy/_nginx_standalone.md
Normal file
60
website/docs/providers/proxy/_nginx_standalone.md
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
|
||||||
|
```
|
||||||
|
server {
|
||||||
|
# SSL and VHost configuration
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
|
|
||||||
|
# Increase buffer size for large headers
|
||||||
|
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
||||||
|
proxy_buffers 8 16k;
|
||||||
|
proxy_buffer_size 32k;
|
||||||
|
fastcgi_buffers 16 16k;
|
||||||
|
fastcgi_buffer_size 32k;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
# Put your proxy_pass to your application here
|
||||||
|
# proxy_pass http://localhost:5000;
|
||||||
|
|
||||||
|
# authentik-specific config
|
||||||
|
auth_request /akprox/auth/nginx;
|
||||||
|
error_page 401 = @akprox_signin;
|
||||||
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||||
|
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
||||||
|
|
||||||
|
# translate headers from the outposts back to the actual upstream
|
||||||
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||||
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||||
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||||
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||||
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||||
|
|
||||||
|
proxy_set_header X-authentik-username $authentik_username;
|
||||||
|
proxy_set_header X-authentik-groups $authentik_groups;
|
||||||
|
proxy_set_header X-authentik-email $authentik_email;
|
||||||
|
proxy_set_header X-authentik-name $authentik_name;
|
||||||
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
|
}
|
||||||
|
|
||||||
|
# all requests to /akprox must be accessible without authentication
|
||||||
|
location /akprox {
|
||||||
|
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||||
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
|
# in authentik
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Special location for when the /auth endpoint returns a 401,
|
||||||
|
# redirect to the /start URL which initiates SSO
|
||||||
|
location @akprox_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 /akprox/start?rd=$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
65
website/docs/providers/proxy/_traefik_compose.md
Normal file
65
website/docs/providers/proxy/_traefik_compose.md
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
version: '3.7'
|
||||||
|
services:
|
||||||
|
traefik:
|
||||||
|
image: traefik:v2.2
|
||||||
|
container_name: traefik
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
||||||
|
traefik.http.routers.api.entrypoints: https
|
||||||
|
traefik.http.routers.api.service: api@internal
|
||||||
|
traefik.http.routers.api.tls: true
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
- 443:443
|
||||||
|
command:
|
||||||
|
- '--api'
|
||||||
|
- '--log=true'
|
||||||
|
- '--log.level=DEBUG'
|
||||||
|
- '--log.filepath=/var/log/traefik.log'
|
||||||
|
- '--providers.docker=true'
|
||||||
|
- '--providers.docker.exposedByDefault=false'
|
||||||
|
- '--entrypoints.http=true'
|
||||||
|
- '--entrypoints.http.address=:80'
|
||||||
|
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
||||||
|
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
||||||
|
- '--entrypoints.https=true'
|
||||||
|
- '--entrypoints.https.address=:443'
|
||||||
|
|
||||||
|
authentik_proxy:
|
||||||
|
image: goauthentik.io/proxy:2021.5.1
|
||||||
|
ports:
|
||||||
|
- 9000:9000
|
||||||
|
- 9443:9443
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_HOST: https://your-authentik.tld
|
||||||
|
AUTHENTIK_INSECURE: "false"
|
||||||
|
AUTHENTIK_TOKEN: token-generated-by-authentik
|
||||||
|
# Starting with 2021.9, you can optionally set this too
|
||||||
|
# when authentik_host for internal communication doesn't match the public URL
|
||||||
|
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.port: 9000
|
||||||
|
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
||||||
|
traefik.http.routers.authentik.entrypoints: https
|
||||||
|
traefik.http.routers.authentik.tls: true
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
|
restart: unless-stopped
|
||||||
|
|
||||||
|
whoami:
|
||||||
|
image: containous/whoami
|
||||||
|
labels:
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
||||||
|
traefik.http.routers.whoami.entrypoints: https
|
||||||
|
traefik.http.routers.whoami.tls: true
|
||||||
|
traefik.http.routers.whoami.middlewares: authentik@docker
|
||||||
|
restart: unless-stopped
|
||||||
|
```
|
47
website/docs/providers/proxy/_traefik_ingress.md
Normal file
47
website/docs/providers/proxy/_traefik_ingress.md
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
Create a middleware:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: authentik
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- Set-Cookie
|
||||||
|
- X-authentik-username
|
||||||
|
- X-authentik-groups
|
||||||
|
- X-authentik-email
|
||||||
|
- X-authentik-name
|
||||||
|
- X-authentik-uid
|
||||||
|
```
|
||||||
|
|
||||||
|
Add the following settings to your IngressRoute
|
||||||
|
|
||||||
|
:::warning
|
||||||
|
By default traefik does not allow cross-namespace references for middlewares:
|
||||||
|
|
||||||
|
See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
|
||||||
|
:::
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
spec:
|
||||||
|
routes:
|
||||||
|
- kind: Rule
|
||||||
|
match: "Host(`*external host that you configured in authentik*`)"
|
||||||
|
middlewares:
|
||||||
|
- name: authentik
|
||||||
|
namespace: authentik
|
||||||
|
priority: 10
|
||||||
|
services: # Unchanged
|
||||||
|
# This part is only required for single-app setups
|
||||||
|
- kind: Rule
|
||||||
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||||
|
priority: 15
|
||||||
|
services:
|
||||||
|
- kind: Service
|
||||||
|
name: authentik-outpost-example-outpost
|
||||||
|
port: 9000
|
||||||
|
```
|
26
website/docs/providers/proxy/_traefik_standalone.md
Normal file
26
website/docs/providers/proxy/_traefik_standalone.md
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
```yaml
|
||||||
|
http:
|
||||||
|
middlewares:
|
||||||
|
authentik:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- Set-Cookie
|
||||||
|
- X-authentik-username
|
||||||
|
- X-authentik-groups
|
||||||
|
- X-authentik-email
|
||||||
|
- X-authentik-name
|
||||||
|
- X-authentik-uid
|
||||||
|
routers:
|
||||||
|
default-router:
|
||||||
|
rule: "Host(`*external host that you configured in authentik*`)"
|
||||||
|
middlewares:
|
||||||
|
- name: authentik
|
||||||
|
priority: 10
|
||||||
|
services: # Unchanged
|
||||||
|
default-router-auth
|
||||||
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||||
|
priority: 15
|
||||||
|
services: http://*ip of your outpost*:9000/akprox
|
||||||
|
```
|
|
@ -47,102 +47,28 @@ import TabItem from '@theme/TabItem';
|
||||||
values={[
|
values={[
|
||||||
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
||||||
{label: 'Ingress', value: 'ingress'},
|
{label: 'Ingress', value: 'ingress'},
|
||||||
|
{label: 'Nginx Proxy Manager', value: 'proxy-manager'},
|
||||||
]}>
|
]}>
|
||||||
<TabItem value="standalone-nginx">
|
<TabItem value="standalone-nginx">
|
||||||
|
|
||||||
```
|
import NginxStandalone from './_nginx_standalone.md'
|
||||||
server {
|
|
||||||
# SSL and VHost configuration
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name _;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
<NginxStandalone />
|
||||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
|
||||||
|
|
||||||
# Increase buffer size for large headers
|
|
||||||
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
|
||||||
proxy_buffers 8 16k;
|
|
||||||
proxy_buffer_size 32k;
|
|
||||||
fastcgi_buffers 16 16k;
|
|
||||||
fastcgi_buffer_size 32k;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
# Put your proxy_pass to your application here
|
|
||||||
# proxy_pass http://localhost:5000;
|
|
||||||
|
|
||||||
# authentik-specific config
|
|
||||||
auth_request /akprox/auth/nginx;
|
|
||||||
error_page 401 = @akprox_signin;
|
|
||||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
|
||||||
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
|
||||||
|
|
||||||
# translate headers from the outposts back to the actual upstream
|
|
||||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
|
||||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
|
||||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
|
||||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
|
||||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
|
||||||
|
|
||||||
proxy_set_header X-authentik-username $authentik_username;
|
|
||||||
proxy_set_header X-authentik-groups $authentik_groups;
|
|
||||||
proxy_set_header X-authentik-email $authentik_email;
|
|
||||||
proxy_set_header X-authentik-name $authentik_name;
|
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
|
||||||
}
|
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
|
||||||
location /akprox {
|
|
||||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
|
||||||
# in authentik
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
add_header Set-Cookie $auth_cookie;
|
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Special location for when the /auth endpoint returns a 401,
|
|
||||||
# redirect to the /start URL which initiates SSO
|
|
||||||
location @akprox_signin {
|
|
||||||
internal;
|
|
||||||
add_header Set-Cookie $auth_cookie;
|
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="ingress">
|
<TabItem value="ingress">
|
||||||
Create a new ingress for the outpost
|
|
||||||
|
|
||||||
```yaml
|
import NginxIngress from './_nginx_ingress.md'
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: authentik-outpost
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- host: *external host that you configured in authentik*
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- backend:
|
|
||||||
serviceName: authentik-outpost-example-outpost
|
|
||||||
servicePort: 9000
|
|
||||||
path: /akprox
|
|
||||||
```
|
|
||||||
|
|
||||||
This ingress handles authentication requests, and the sign-in flow.
|
<NginxIngress />
|
||||||
|
|
||||||
Add these annotations to the ingress you want to protect
|
</TabItem>
|
||||||
|
<TabItem value="proxy-manager">
|
||||||
|
|
||||||
|
import NginxProxyManager from './_nginx_proxy_manager.md'
|
||||||
|
|
||||||
|
<NginxProxyManager />
|
||||||
|
|
||||||
```yaml
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
|
||||||
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
|
||||||
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
|
||||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
```
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
||||||
|
@ -157,148 +83,23 @@ metadata:
|
||||||
]}>
|
]}>
|
||||||
<TabItem value="standalone-traefik">
|
<TabItem value="standalone-traefik">
|
||||||
|
|
||||||
```yaml
|
import TraefikStandalone from './_traefik_standalone.md'
|
||||||
http:
|
|
||||||
middlewares:
|
<TraefikStandalone />
|
||||||
authentik:
|
|
||||||
forwardAuth:
|
|
||||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
|
||||||
trustForwardHeader: true
|
|
||||||
authResponseHeaders:
|
|
||||||
- Set-Cookie
|
|
||||||
- X-authentik-username
|
|
||||||
- X-authentik-groups
|
|
||||||
- X-authentik-email
|
|
||||||
- X-authentik-name
|
|
||||||
- X-authentik-uid
|
|
||||||
routers:
|
|
||||||
default-router:
|
|
||||||
rule: "Host(`*external host that you configured in authentik*`)"
|
|
||||||
middlewares:
|
|
||||||
- name: authentik
|
|
||||||
priority: 10
|
|
||||||
services: # Unchanged
|
|
||||||
default-router-auth
|
|
||||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
||||||
priority: 15
|
|
||||||
services: http://*ip of your outpost*:9000/akprox
|
|
||||||
```
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="docker-compose">
|
<TabItem value="docker-compose">
|
||||||
|
|
||||||
```yaml
|
import TraefikCompose from './_traefik_compose.md'
|
||||||
version: '3.7'
|
|
||||||
services:
|
|
||||||
traefik:
|
|
||||||
image: traefik:v2.2
|
|
||||||
container_name: traefik
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
|
||||||
traefik.http.routers.api.entrypoints: https
|
|
||||||
traefik.http.routers.api.service: api@internal
|
|
||||||
traefik.http.routers.api.tls: true
|
|
||||||
ports:
|
|
||||||
- 80:80
|
|
||||||
- 443:443
|
|
||||||
command:
|
|
||||||
- '--api'
|
|
||||||
- '--log=true'
|
|
||||||
- '--log.level=DEBUG'
|
|
||||||
- '--log.filepath=/var/log/traefik.log'
|
|
||||||
- '--providers.docker=true'
|
|
||||||
- '--providers.docker.exposedByDefault=false'
|
|
||||||
- '--entrypoints.http=true'
|
|
||||||
- '--entrypoints.http.address=:80'
|
|
||||||
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
|
||||||
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
|
||||||
- '--entrypoints.https=true'
|
|
||||||
- '--entrypoints.https.address=:443'
|
|
||||||
|
|
||||||
authentik_proxy:
|
<TraefikCompose />
|
||||||
image: goauthentik.io/proxy:2021.5.1
|
|
||||||
ports:
|
|
||||||
- 9000:9000
|
|
||||||
- 9443:9443
|
|
||||||
environment:
|
|
||||||
AUTHENTIK_HOST: https://your-authentik.tld
|
|
||||||
AUTHENTIK_INSECURE: "false"
|
|
||||||
AUTHENTIK_TOKEN: token-generated-by-authentik
|
|
||||||
# Starting with 2021.9, you can optionally set this too
|
|
||||||
# when authentik_host for internal communication doesn't match the public URL
|
|
||||||
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.port: 9000
|
|
||||||
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
|
||||||
traefik.http.routers.authentik.entrypoints: https
|
|
||||||
traefik.http.routers.authentik.tls: true
|
|
||||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
|
||||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
|
||||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
|
||||||
restart: unless-stopped
|
|
||||||
|
|
||||||
whoami:
|
|
||||||
image: containous/whoami
|
|
||||||
labels:
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
|
||||||
traefik.http.routers.whoami.entrypoints: https
|
|
||||||
traefik.http.routers.whoami.tls: true
|
|
||||||
traefik.http.routers.whoami.middlewares: authentik@docker
|
|
||||||
restart: unless-stopped
|
|
||||||
```
|
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="ingress">
|
<TabItem value="ingress">
|
||||||
Create a middleware:
|
|
||||||
|
|
||||||
```yaml
|
import TraefikIngress from './_traefik_ingress.md'
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: authentik
|
|
||||||
spec:
|
|
||||||
forwardAuth:
|
|
||||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
|
||||||
trustForwardHeader: true
|
|
||||||
authResponseHeaders:
|
|
||||||
- Set-Cookie
|
|
||||||
- X-authentik-username
|
|
||||||
- X-authentik-groups
|
|
||||||
- X-authentik-email
|
|
||||||
- X-authentik-name
|
|
||||||
- X-authentik-uid
|
|
||||||
```
|
|
||||||
|
|
||||||
Add the following settings to your IngressRoute
|
<TraefikIngress />
|
||||||
|
|
||||||
:::warning
|
|
||||||
By default traefik does not allow cross-namespace references for middlewares:
|
|
||||||
|
|
||||||
See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
|
|
||||||
:::
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
spec:
|
|
||||||
routes:
|
|
||||||
- kind: Rule
|
|
||||||
match: "Host(`*external host that you configured in authentik*`)"
|
|
||||||
middlewares:
|
|
||||||
- name: authentik
|
|
||||||
namespace: authentik
|
|
||||||
priority: 10
|
|
||||||
services: # Unchanged
|
|
||||||
# This part is only required for single-app setups
|
|
||||||
- kind: Rule
|
|
||||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
||||||
priority: 15
|
|
||||||
services:
|
|
||||||
- kind: Service
|
|
||||||
name: authentik-outpost-example-outpost
|
|
||||||
port: 9000
|
|
||||||
```
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
Reference in a new issue