This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/outposts/proxy.mdx

243 lines
7.2 KiB
Plaintext

---
title: Proxy Outpost
---
The proxy outpost sets the following headers:
```
X-Auth-Username: akadmin # The username of the currently logged in user
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
```
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
# HTTPS
The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
:::warning
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
:::
# Forward auth
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
## Nginx
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
<Tabs
defaultValue="standalone-nginx"
values={[
{label: 'Standalone nginx', value: 'standalone-nginx'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-nginx">
```
location /akprox {
proxy_pass http://*ip of your outpost*:4180;
error_page 401 = @akprox_signin;
proxy_set_header X-Forwarded-Host $http_host;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
}
location @akprox_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$escaped_request_uri;
}
location / {
auth_request /akprox/auth?nginx;
# All your other options...
}
```
</TabItem>
<TabItem value="ingress">
Create a new ingress for the outpost
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: authentik-outpost
spec:
rules:
- host: *external host that you configured in authentik*
http:
paths:
- backend:
serviceName: authentik-outpost-*uuid of the service generated by authentik*
servicePort: 4180
path: /akprox
```
This ingress handles authentication requests, and the sign-in flow.
Add these annotations to the ingress you want to protect
```yaml
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
```
</TabItem>
</Tabs>
## Traefik
<Tabs
defaultValue="standalone-traefik"
values={[
{label: 'Standalone traefik', value: 'standalone-traefik'},
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-traefik">
```yaml
http:
middlewares:
authentik:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
routers:
default-router:
rule: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
default-router-auth
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services: http://*ip of your outpost*:4180/akprox
```
</TabItem>
<TabItem value="docker-compose">
```yaml
version: '3.7'
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
labels:
traefik.enable: true
traefik.http.routers.api.rule: Host(`traefik.example.com`)
traefik.http.routers.api.entrypoints: https
traefik.http.routers.api.service: api@internal
traefik.http.routers.api.tls: true
ports:
- 80:80
- 443:443
command:
- '--api'
- '--log=true'
- '--log.level=DEBUG'
- '--log.filepath=/var/log/traefik.log'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entrypoints.http=true'
- '--entrypoints.http.address=:80'
- '--entrypoints.http.http.redirections.entrypoint.to=https'
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- '--entrypoints.https=true'
- '--entrypoints.https.address=:443'
authentik_proxy:
image: ghcr.io/goauthentik/proxy:2021.5.1
ports:
- 4180:4180
- 4443:4443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
labels:
traefik.enable: true
traefik.port: 4180
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
traefik.http.routers.authentik.entrypoints: https
traefik.http.routers.authentik.tls: true
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
traefik.http.routers.whoami.entrypoints: https
traefik.http.routers.whoami.tls: true
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
```
</TabItem>
<TabItem value="ingress">
Create a middleware:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
spec:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
```
Add the following settings to your IngressRoute
```yaml
spec:
routes:
- kind: Rule
match: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
- kind: Rule
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services:
- kind: Service
name: authentik-outpost-*uuid of the service generated by authentik*
port: 4180
```
</TabItem>
</Tabs>