website/docs: update forward_auth for nginx config
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
8b9ce4a745
commit
1e6c081e5c
|
@ -46,24 +46,46 @@ import TabItem from '@theme/TabItem';
|
|||
<TabItem value="standalone-nginx">
|
||||
|
||||
```
|
||||
location /akprox {
|
||||
proxy_pass http://*ip of your outpost*:4180;
|
||||
error_page 401 = @akprox_signin;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
}
|
||||
server {
|
||||
# SSL and VHost configuration
|
||||
listen 443 ssl http2;
|
||||
server_name _;
|
||||
|
||||
location @akprox_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
|
||||
location / {
|
||||
auth_request /akprox/auth?nginx;
|
||||
# All your other options...
|
||||
# Put your proxy_pass to your application here
|
||||
# proxy_pass http://localhost:5000;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /akprox/auth;
|
||||
error_page 401 = @akprox_signin;
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $username $upstream_http_x_auth_username;
|
||||
auth_request_set $email $upstream_http_X_Forwarded_Email;
|
||||
proxy_set_header X-Auth-Username $username;
|
||||
proxy_set_header X-Forwarded-Email $email;
|
||||
}
|
||||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:4180;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
}
|
||||
|
||||
# Special location for when the /auth endpoint returns a 401,
|
||||
# redirect to the /start URL which initiates SSO
|
||||
location @akprox_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
|
|
Reference in a new issue