This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/providers/proxy/forward_auth.mdx
Jens Langhammer bc6afdf94f website/docs: use common placeholders for forward_auth
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-26 13:29:38 +01:00

108 lines
2.9 KiB
Plaintext

---
title: Forward auth
---
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
authentik outpost to check authentication and authorization.
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use one of the Forward auth modes.
## Single application
Single application mode works for a single application hosted on its dedicated subdomain. This
has the advantage that you can still do per-application access policies in authentik.
## Domain level
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times
There are however also some downsides, mainly the fact that you **can't** restrict individual
applications to different users.
The only configuration difference between single application and domain level is the host you specify.
For single application, you'd use the domain which the application is running on, and only /akprox
is redirected to the outpost.
For domain level, you'd use the same domain as authentik.
:::info
*example-outpost* is used as a placeholder for the outpost name.
*authentik.company* is used as a placeholder for the authentik install.
*app.company* is used as a placeholder for the external domain for the application.
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
:::
## Nginx
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
<Tabs
defaultValue="standalone-nginx"
values={[
{label: 'Standalone nginx', value: 'standalone-nginx'},
{label: 'Ingress', value: 'ingress'},
{label: 'Nginx Proxy Manager', value: 'proxy-manager'},
]}>
<TabItem value="standalone-nginx">
import NginxStandalone from './_nginx_standalone.md'
<NginxStandalone />
</TabItem>
<TabItem value="ingress">
import NginxIngress from './_nginx_ingress.md'
<NginxIngress />
</TabItem>
<TabItem value="proxy-manager">
import NginxProxyManager from './_nginx_proxy_manager.md'
<NginxProxyManager />
</TabItem>
</Tabs>
## Traefik
<Tabs
defaultValue="standalone-traefik"
values={[
{label: 'Standalone traefik', value: 'standalone-traefik'},
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-traefik">
import TraefikStandalone from './_traefik_standalone.md'
<TraefikStandalone />
</TabItem>
<TabItem value="docker-compose">
import TraefikCompose from './_traefik_compose.md'
<TraefikCompose />
</TabItem>
<TabItem value="ingress">
import TraefikIngress from './_traefik_ingress.md'
<TraefikIngress />
</TabItem>
</Tabs>