4ce3c2341c
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2.5 KiB
2.5 KiB
server {
# SSL and VHost configuration
listen 443 ssl http2;
server_name _;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
location / {
# Put your proxy_pass to your application here
# proxy_pass http://localhost:5000;
# authentik-specific config
auth_request /akprox/auth/nginx;
error_page 401 = @akprox_signin;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /akprox must be accessible without authentication
location /akprox {
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @akprox_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri;
}
}