*: rename akprox to outpost.goauthentik.io (#2266)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-02-08 20:25:38 +01:00 committed by GitHub
parent 3f6f83b4b6
commit 4343246a41
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
45 changed files with 355 additions and 337 deletions

View file

@ -12,4 +12,8 @@ class AuthentikProviderProxyConfig(AppConfig):
verbose_name = "authentik Providers.Proxy" verbose_name = "authentik Providers.Proxy"
def ready(self) -> None: def ready(self) -> None:
from authentik.providers.proxy.tasks import proxy_set_defaults
import_module("authentik.providers.proxy.managed") import_module("authentik.providers.proxy.managed")
proxy_set_defaults.delay()

View file

@ -28,12 +28,12 @@ class ProxyDockerController(DockerController):
labels["traefik.enable"] = "true" labels["traefik.enable"] = "true"
labels[ labels[
f"traefik.http.routers.{traefik_name}-router.rule" f"traefik.http.routers.{traefik_name}-router.rule"
] = f"Host({','.join(hosts)}) && PathPrefix(`/akprox`)" ] = f"Host({','.join(hosts)}) && PathPrefix(`/outpost.goauthentik.io`)"
labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true" labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service" labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
labels[ labels[
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path" f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"
] = "/akprox/ping" ] = "/outpost.goauthentik.io/ping"
labels[ labels[
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.port" f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.port"
] = "9300" ] = "9300"

View file

@ -126,7 +126,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
port=V1ServiceBackendPort(name="http"), port=V1ServiceBackendPort(name="http"),
), ),
), ),
path="/akprox", path="/outpost.goauthentik.io",
path_type="ImplementationSpecific", path_type="ImplementationSpecific",
) )
] ]

View file

@ -119,7 +119,10 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
), ),
spec=TraefikMiddlewareSpec( spec=TraefikMiddlewareSpec(
forwardAuth=TraefikMiddlewareSpecForwardAuth( forwardAuth=TraefikMiddlewareSpecForwardAuth(
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik", address=(
f"http://{self.name}.{self.namespace}:9000/"
"outpost.goauthentik.io/auth/traefik"
),
authResponseHeaders=[ authResponseHeaders=[
"X-authentik-username", "X-authentik-username",
"X-authentik-groups", "X-authentik-groups",

View file

@ -27,7 +27,7 @@ def get_cookie_secret():
def _get_callback_url(uri: str) -> str: def _get_callback_url(uri: str) -> str:
return urljoin(uri, "/akprox/callback") return urljoin(uri, "/outpost.goauthentik.io/callback")
class ProxyMode(models.TextChoices): class ProxyMode(models.TextChoices):

View file

@ -0,0 +1,11 @@
"""proxy provider tasks"""
from authentik.providers.proxy.models import ProxyProvider
from authentik.root.celery import CELERY_APP
@CELERY_APP.task()
def proxy_set_defaults():
"""Ensure correct defaults are set for all providers"""
for provider in ProxyProvider.objects.all():
provider.set_oauth_defaults()
provider.save()

View file

@ -25,7 +25,7 @@ var (
func RunServer() { func RunServer() {
m := mux.NewRouter() m := mux.NewRouter()
l := log.WithField("logger", "authentik.outpost.metrics") l := log.WithField("logger", "authentik.outpost.metrics")
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) { m.HandleFunc("/outpost.goauthentik.io/ping", func(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(204) rw.WriteHeader(204)
}) })
m.Path("/metrics").Handler(promhttp.Handler()) m.Path("/metrics").Handler(promhttp.Handler())

View file

@ -78,7 +78,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
oauth2Config := oauth2.Config{ oauth2Config := oauth2.Config{
ClientID: *p.ClientId, ClientID: *p.ClientId,
ClientSecret: *p.ClientSecret, ClientSecret: *p.ClientSecret,
RedirectURL: urlJoin(p.ExternalHost, "/akprox/callback"), RedirectURL: urlJoin(p.ExternalHost, "/outpost.goauthentik.io/callback"),
Endpoint: endpoint.Endpoint, Endpoint: endpoint.Endpoint,
Scopes: p.ScopesToRequest, Scopes: p.ScopesToRequest,
} }
@ -145,10 +145,10 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle) mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
// Support /start and /sign_in for backwards compatibility // Support /start and /sign_in for backwards compatibility
mux.HandleFunc("/akprox/start", a.handleRedirect) mux.HandleFunc("/outpost.goauthentik.io/start", a.handleRedirect)
mux.HandleFunc("/akprox/sign_in", a.handleRedirect) mux.HandleFunc("/outpost.goauthentik.io/sign_in", a.handleRedirect)
mux.HandleFunc("/akprox/callback", a.handleCallback) mux.HandleFunc("/outpost.goauthentik.io/callback", a.handleCallback)
mux.HandleFunc("/akprox/sign_out", a.handleSignOut) mux.HandleFunc("/outpost.goauthentik.io/sign_out", a.handleSignOut)
switch *p.Mode { switch *p.Mode {
case api.PROXYMODE_PROXY: case api.PROXYMODE_PROXY:
err = a.configureProxy() err = a.configureProxy()

View file

@ -18,7 +18,7 @@ func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err str
data := ErrorPageData{ data := ErrorPageData{
Title: "Bad Gateway", Title: "Bad Gateway",
Message: "Error proxying to upstream server", Message: "Error proxying to upstream server",
ProxyPrefix: "/akprox", ProxyPrefix: "/outpost.goauthentik.io",
} }
if claims != nil && len(err) > 0 { if claims != nil && len(err) > 0 {
data.Message = err data.Message = err

View file

@ -12,15 +12,15 @@ import (
) )
func (a *Application) configureForward() error { func (a *Application) configureForward() error {
a.mux.HandleFunc("/akprox/auth", func(rw http.ResponseWriter, r *http.Request) { a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) {
if _, ok := r.URL.Query()["traefik"]; ok { if _, ok := r.URL.Query()["traefik"]; ok {
a.forwardHandleTraefik(rw, r) a.forwardHandleTraefik(rw, r)
return return
} }
a.forwardHandleNginx(rw, r) a.forwardHandleNginx(rw, r)
}) })
a.mux.HandleFunc("/akprox/auth/traefik", a.forwardHandleTraefik) a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik)
a.mux.HandleFunc("/akprox/auth/nginx", a.forwardHandleNginx) a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx)
return nil return nil
} }
@ -49,8 +49,8 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
return return
} }
if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/akprox") { if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/outpost.goauthentik.io") {
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access") a.log.WithField("url", r.URL.String()).Trace("path begins with /outpost.goauthentik.io, allowing access")
return return
} }
host := "" host := ""
@ -80,7 +80,7 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
if proto != "" { if proto != "" {
proto = proto + ":" proto = proto + ":"
} }
rdFinal := fmt.Sprintf("%s//%s%s", proto, host, "/akprox/start") rdFinal := fmt.Sprintf("%s//%s%s", proto, host, "/outpost.goauthentik.io/start")
a.log.WithField("url", rdFinal).Debug("Redirecting to login") a.log.WithField("url", rdFinal).Debug("Redirecting to login")
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect) http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
} }
@ -119,8 +119,8 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
} }
if fwd.String() != r.URL.String() { if fwd.String() != r.URL.String() {
if strings.HasPrefix(fwd.Path, "/akprox") { if strings.HasPrefix(fwd.Path, "/outpost.goauthentik.io") {
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access") a.log.WithField("url", r.URL.String()).Trace("path begins with /outpost.goauthentik.io, allowing access")
return return
} }
} }

View file

@ -12,7 +12,7 @@ import (
func TestForwardHandleNginx_Single_Blank(t *testing.T) { func TestForwardHandleNginx_Single_Blank(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleNginx(rr, req) a.forwardHandleNginx(rr, req)
@ -22,7 +22,7 @@ func TestForwardHandleNginx_Single_Blank(t *testing.T) {
func TestForwardHandleNginx_Single_Skip(t *testing.T) { func TestForwardHandleNginx_Single_Skip(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
@ -33,7 +33,7 @@ func TestForwardHandleNginx_Single_Skip(t *testing.T) {
func TestForwardHandleNginx_Single_Headers(t *testing.T) { func TestForwardHandleNginx_Single_Headers(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
@ -47,7 +47,7 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
func TestForwardHandleNginx_Single_URI(t *testing.T) { func TestForwardHandleNginx_Single_URI(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "https://foo.bar/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
req.Header.Set("X-Original-URI", "/app") req.Header.Set("X-Original-URI", "/app")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
@ -61,7 +61,7 @@ func TestForwardHandleNginx_Single_URI(t *testing.T) {
func TestForwardHandleNginx_Single_Claims(t *testing.T) { func TestForwardHandleNginx_Single_Claims(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
req.Header.Set("X-Original-URI", "/") req.Header.Set("X-Original-URI", "/")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
@ -108,7 +108,7 @@ func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
a := newTestApplication() a := newTestApplication()
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr() a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
a.proxyConfig.CookieDomain = api.PtrString("foo") a.proxyConfig.CookieDomain = api.PtrString("foo")
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleNginx(rr, req) a.forwardHandleNginx(rr, req)
@ -121,7 +121,7 @@ func TestForwardHandleNginx_Domain_Header(t *testing.T) {
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr() a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
a.proxyConfig.CookieDomain = api.PtrString("foo") a.proxyConfig.CookieDomain = api.PtrString("foo")
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io" a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()

View file

@ -12,7 +12,7 @@ import (
func TestForwardHandleTraefik_Single_Blank(t *testing.T) { func TestForwardHandleTraefik_Single_Blank(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleTraefik(rr, req) a.forwardHandleTraefik(rr, req)
@ -22,7 +22,7 @@ func TestForwardHandleTraefik_Single_Blank(t *testing.T) {
func TestForwardHandleTraefik_Single_Skip(t *testing.T) { func TestForwardHandleTraefik_Single_Skip(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
req.Header.Set("X-Forwarded-Proto", "http") req.Header.Set("X-Forwarded-Proto", "http")
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io") req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
req.Header.Set("X-Forwarded-Uri", "/skip") req.Header.Set("X-Forwarded-Uri", "/skip")
@ -35,7 +35,7 @@ func TestForwardHandleTraefik_Single_Skip(t *testing.T) {
func TestForwardHandleTraefik_Single_Headers(t *testing.T) { func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
req.Header.Set("X-Forwarded-Proto", "http") req.Header.Set("X-Forwarded-Proto", "http")
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io") req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
req.Header.Set("X-Forwarded-Uri", "/app") req.Header.Set("X-Forwarded-Uri", "/app")
@ -45,7 +45,7 @@ func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect) assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, loc.String(), "http://test.goauthentik.io/akprox/start") assert.Equal(t, loc.String(), "http://test.goauthentik.io/outpost.goauthentik.io/start")
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect]) assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
@ -53,7 +53,7 @@ func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
func TestForwardHandleTraefik_Single_Claims(t *testing.T) { func TestForwardHandleTraefik_Single_Claims(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
req.Header.Set("X-Forwarded-Proto", "http") req.Header.Set("X-Forwarded-Proto", "http")
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io") req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
req.Header.Set("X-Forwarded-Uri", "/app") req.Header.Set("X-Forwarded-Uri", "/app")
@ -102,7 +102,7 @@ func TestForwardHandleTraefik_Domain_Blank(t *testing.T) {
a := newTestApplication() a := newTestApplication()
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr() a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
a.proxyConfig.CookieDomain = api.PtrString("foo") a.proxyConfig.CookieDomain = api.PtrString("foo")
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleTraefik(rr, req) a.forwardHandleTraefik(rr, req)
@ -115,7 +115,7 @@ func TestForwardHandleTraefik_Domain_Header(t *testing.T) {
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr() a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
a.proxyConfig.CookieDomain = api.PtrString("foo") a.proxyConfig.CookieDomain = api.PtrString("foo")
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io" a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil) req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
req.Header.Set("X-Forwarded-Proto", "http") req.Header.Set("X-Forwarded-Proto", "http")
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io") req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
req.Header.Set("X-Forwarded-Uri", "/app") req.Header.Set("X-Forwarded-Uri", "/app")
@ -125,7 +125,7 @@ func TestForwardHandleTraefik_Domain_Header(t *testing.T) {
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code) assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "http://auth.test.goauthentik.io/akprox/start", loc.String()) assert.Equal(t, "http://auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect]) assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])

View file

@ -42,7 +42,7 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
a.log.WithError(err).Warning("failed to save session before redirect") a.log.WithError(err).Warning("failed to save session before redirect")
} }
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start") authUrl := urlJoin(a.proxyConfig.ExternalHost, "/outpost.goauthentik.io/start")
http.Redirect(rw, r, authUrl, http.StatusFound) http.Redirect(rw, r, authUrl, http.StatusFound)
} }

View file

@ -21,7 +21,7 @@ func TestRedirectToStart_Proxy(t *testing.T) {
assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, http.StatusFound, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String()) assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect]) assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
@ -38,7 +38,7 @@ func TestRedirectToStart_Forward(t *testing.T) {
assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, http.StatusFound, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String()) assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect]) assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
@ -56,7 +56,7 @@ func TestRedirectToStart_Forward_Domain_Invalid(t *testing.T) {
assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, http.StatusFound, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String()) assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect]) assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
@ -74,7 +74,7 @@ func TestRedirectToStart_Forward_Domain(t *testing.T) {
assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, http.StatusFound, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String()) assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SeesionName) s, _ := a.sessions.Get(req, constants.SeesionName)
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect]) assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])

View file

@ -32,7 +32,7 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) { func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
before := time.Now() before := time.Now()
web.DisableIndex(http.StripPrefix("/akprox/static/dist", staticWeb.StaticHandler)).ServeHTTP(rw, r) web.DisableIndex(http.StripPrefix("/outpost.goauthentik.io/static/dist", staticWeb.StaticHandler)).ServeHTTP(rw, r)
after := time.Since(before) after := time.Since(before)
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"outpost_name": ps.akAPI.Outpost.Name, "outpost_name": ps.akAPI.Outpost.Name,
@ -90,11 +90,11 @@ func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, str
} }
func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) { func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) {
if strings.HasPrefix(r.URL.Path, "/akprox/static") { if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/static") {
ps.HandleStatic(rw, r) ps.HandleStatic(rw, r)
return return
} }
if strings.HasPrefix(r.URL.Path, "/akprox/ping") { if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/ping") {
ps.HandlePing(rw, r) ps.HandlePing(rw, r)
return return
} }

View file

@ -25,7 +25,7 @@ var (
func RunServer() { func RunServer() {
m := mux.NewRouter() m := mux.NewRouter()
l := log.WithField("logger", "authentik.outpost.metrics") l := log.WithField("logger", "authentik.outpost.metrics")
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) { m.HandleFunc("/outpost.goauthentik.io/ping", func(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(204) rw.WriteHeader(204)
}) })
m.Path("/metrics").Handler(promhttp.Handler()) m.Path("/metrics").Handler(promhttp.Handler())

View file

@ -64,8 +64,8 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
akAPI: ac, akAPI: ac,
defaultCert: defaultCert, defaultCert: defaultCert,
} }
globalMux.PathPrefix("/akprox/static").HandlerFunc(s.HandleStatic) globalMux.PathPrefix("/outpost.goauthentik.io/static").HandlerFunc(s.HandleStatic)
globalMux.Path("/akprox/ping").HandlerFunc(s.HandlePing) globalMux.Path("/outpost.goauthentik.io/ping").HandlerFunc(s.HandlePing)
rootMux.PathPrefix("/").HandlerFunc(s.Handle) rootMux.PathPrefix("/").HandlerFunc(s.Handle)
return s return s
} }

View file

@ -5,12 +5,12 @@
<meta charset="UTF-8"> <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<title>{{.Title}}</title> <title>{{.Title}}</title>
<link rel="shortcut icon" type="image/png" href="/akprox/static/dist/assets/icons/icon.png"> <link rel="shortcut icon" type="image/png" href="/outpost.goauthentik.io/static/dist/assets/icons/icon.png">
<link rel="stylesheet" type="text/css" href="/akprox/static/dist/patternfly.min.css"> <link rel="stylesheet" type="text/css" href="/outpost.goauthentik.io/static/dist/patternfly.min.css">
<link rel="stylesheet" type="text/css" href="/akprox/static/dist/authentik.css"> <link rel="stylesheet" type="text/css" href="/outpost.goauthentik.io/static/dist/authentik.css">
<style> <style>
.pf-c-background-image::before { .pf-c-background-image::before {
--ak-flow-background: url("/akprox/static/dist/assets/images/flow_background.jpg"); --ak-flow-background: url("/outpost.goauthentik.io/static/dist/assets/images/flow_background.jpg");
} }
</style> </style>
</head> </head>
@ -32,7 +32,7 @@
<div class="ak-login-container"> <div class="ak-login-container">
<header class="pf-c-login__header"> <header class="pf-c-login__header">
<div class="pf-c-brand ak-brand"> <div class="pf-c-brand ak-brand">
<img src="/akprox/static/dist/assets/icons/icon_left_brand.svg" alt="authentik icon" /> <img src="/outpost.goauthentik.io/static/dist/assets/icons/icon_left_brand.svg" alt="authentik icon" />
</div> </div>
</header> </header>
<main class="pf-c-login__main"> <main class="pf-c-login__main">

View file

@ -28,7 +28,7 @@ func (ws *WebServer) configureProxy() {
rp := &httputil.ReverseProxy{Director: director} rp := &httputil.ReverseProxy{Director: director}
rp.ErrorHandler = ws.proxyErrorHandler rp.ErrorHandler = ws.proxyErrorHandler
rp.ModifyResponse = ws.proxyModifyResponse rp.ModifyResponse = ws.proxyModifyResponse
ws.m.PathPrefix("/akprox").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if ws.ProxyServer != nil { if ws.ProxyServer != nil {
before := time.Now() before := time.Now()
ws.ProxyServer.Handle(rw, r) ws.ProxyServer.Handle(rw, r)

View file

@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
COPY --from=builder /go/ldap / COPY --from=builder /go/ldap /
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/akprox/ping" ] HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
EXPOSE 3389 6636 9300 EXPOSE 3389 6636 9300

View file

@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
COPY --from=web-builder /static/dist/ /web/dist/ COPY --from=web-builder /static/dist/ /web/dist/
COPY --from=web-builder /static/authentik/ /web/authentik/ COPY --from=web-builder /static/authentik/ /web/authentik/
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/akprox/ping" ] HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
EXPOSE 9000 9300 9443 EXPOSE 9000 9300 9443

View file

@ -105,7 +105,7 @@ class TestProviderProxy(SeleniumTestCase):
self.assertIn(f"X-Authentik-Username: {self.user.username}", full_body_text) self.assertIn(f"X-Authentik-Username: {self.user.username}", full_body_text)
self.assertIn("X-Foo: bar", full_body_text) self.assertIn("X-Foo: bar", full_body_text)
self.driver.get("http://localhost:9000/akprox/sign_out") self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
sleep(2) sleep(2)
full_body_text = self.driver.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text full_body_text = self.driver.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text
self.assertIn("You've logged out of proxy.", full_body_text) self.assertIn("You've logged out of proxy.", full_body_text)

View file

@ -5673,8 +5673,8 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "Use the username and password below to authenticate. The password can be retrieved later on the Tokens page." msgstr "Use the username and password below to authenticate. The password can be retrieved later on the Tokens page."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgstr "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."

View file

@ -5556,8 +5556,8 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "Use el nombre de usuario y la contraseña a continuación para autenticarse. La contraseña se puede recuperar más adelante en la página Tokens." msgstr "Use el nombre de usuario y la contraseña a continuación para autenticarse. La contraseña se puede recuperar más adelante en la página Tokens."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Cada aplicación/dominio necesita su propio proveedor. Además, en cada dominio, /akprox debe enrutarse al puesto avanzado (cuando se usa un puesto avanzado administrado, esto se hace por usted)." msgstr "Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Cada aplicación/dominio necesita su propio proveedor. Además, en cada dominio, /outpost.goauthentik.io debe enrutarse al puesto avanzado (cuando se usa un puesto avanzado administrado, esto se hace por usted)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."

View file

@ -5614,8 +5614,8 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "Utilisez le nom d'utilisateur et le mot de passe ci-dessous pour vous authentifier. Le mot de passe peut être récupéré plus tard sur la page Jetons." msgstr "Utilisez le nom d'utilisateur et le mot de passe ci-dessous pour vous authentifier. Le mot de passe peut être récupéré plus tard sur la page Jetons."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "Utilisez ce fournisseur avec auth_request de nginx ou forwardAuth de traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, /akprox doit être routé vers l'avant-poste (si vous utilisez un avant-poste géré, cela est fait pour vous)." msgstr "Utilisez ce fournisseur avec auth_request de nginx ou forwardAuth de traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, /outpost.goauthentik.io doit être routé vers l'avant-poste (si vous utilisez un avant-poste géré, cela est fait pour vous)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."

View file

@ -5556,8 +5556,8 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "Użyj poniższej nazwy użytkownika i hasła do uwierzytelnienia. Hasło można później odzyskać na stronie Tokeny." msgstr "Użyj poniższej nazwy użytkownika i hasła do uwierzytelnienia. Hasło można później odzyskać na stronie Tokeny."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie /akprox musi być przekierowany do placówki (w przypadku korzystania z zarządzanej placówki jest to zrobione za Ciebie)." msgstr "Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie /outpost.goauthentik.io musi być przekierowany do placówki (w przypadku korzystania z zarządzanej placówki jest to zrobione za Ciebie)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."

View file

@ -6020,12 +6020,12 @@ msgstr ""
msgid "" msgid ""
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each " "Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
"application/domain needs its own provider. Additionally, on each domain, " "application/domain needs its own provider. Additionally, on each domain, "
"/akprox must be routed to the outpost (when using a manged outpost, this is " "/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
"done for you)." "done for you)."
msgstr "" msgstr ""
"Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda " "Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda "
"aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie " "aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie "
"/akprox musi być przekierowany do placówki (w przypadku korzystania z " "/outpost.goauthentik.io musi być przekierowany do placówki (w przypadku korzystania z "
"zarządzanej placówki jest to zrobione za Ciebie)." "zarządzanej placówki jest to zrobione za Ciebie)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts

View file

@ -5653,7 +5653,7 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts

View file

@ -5558,8 +5558,8 @@ msgid "Use the username and password below to authenticate. The password can be
msgstr "Kimlik doğrulaması için aşağıdaki kullanıcı adı ve parolayı kullanın. Parola daha sonra Belirteçler sayfasından alınabilir." msgstr "Kimlik doğrulaması için aşağıdaki kullanıcı adı ve parolayı kullanın. Parola daha sonra Belirteçler sayfasından alınabilir."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
msgstr "Bu sağlayıcıyı nginx'in auth_request veya traefik's forwardAuth ile kullanın. Her uygulama/etki alanının kendi sağlayıcısına ihtiyacı vardır. Ayrıca, her etki alanında /akprox üsse yönlendirilmelidir (manged bir üs kullanırken, bu sizin için yapılır)." msgstr "Bu sağlayıcıyı nginx'in auth_request veya traefik's forwardAuth ile kullanın. Her uygulama/etki alanının kendi sağlayıcısına ihtiyacı vardır. Ayrıca, her etki alanında /outpost.goauthentik.io üsse yönlendirilmelidir (manged bir üs kullanırken, bu sizin için yapılır)."
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application." msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."

View file

@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
msgid "" msgid ""
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each " "Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
"application/domain needs its own provider. Additionally, on each domain, " "application/domain needs its own provider. Additionally, on each domain, "
"/akprox must be routed to the outpost (when using a manged outpost, this is " "/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
"done for you)." "done for you)."
msgstr "" msgstr ""
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth " "将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost使用托管 Outpost " "一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost使用托管 Outpost "
"时,这是为您完成的)。" "时,这是为您完成的)。"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts

View file

@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
msgid "" msgid ""
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each " "Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
"application/domain needs its own provider. Additionally, on each domain, " "application/domain needs its own provider. Additionally, on each domain, "
"/akprox must be routed to the outpost (when using a manged outpost, this is " "/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
"done for you)." "done for you)."
msgstr "" msgstr ""
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth " "将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost使用托管 Outpost " "一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost使用托管 Outpost "
"时,这是为您完成的)。" "时,这是为您完成的)。"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts

View file

@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
msgid "" msgid ""
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each " "Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
"application/domain needs its own provider. Additionally, on each domain, " "application/domain needs its own provider. Additionally, on each domain, "
"/akprox must be routed to the outpost (when using a manged outpost, this is " "/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
"done for you)." "done for you)."
msgstr "" msgstr ""
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth " "将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost使用托管 Outpost " "一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost使用托管 Outpost "
"时,这是为您完成的)。" "时,这是为您完成的)。"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts

View file

@ -214,7 +214,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
</ak-form-element-horizontal>`; </ak-form-element-horizontal>`;
case ProxyMode.ForwardSingle: case ProxyMode.ForwardSingle:
return html`<p class="pf-u-mb-xl"> return html`<p class="pf-u-mb-xl">
${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you).`} ${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).`}
</p> </p>
<ak-form-element-horizontal <ak-form-element-horizontal
label=${t`External host`} label=${t`External host`}

View file

@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
Routing is handled like this: Routing is handled like this:
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files. 1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
2. Paths starting with `/akprox` are sent to the embedded outpost. 2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost. 3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
4. Everything remaining is sent to the authentik backend server. 4. Everything remaining is sent to the authentik backend server.

View file

@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)` - `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service` - `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true" - `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"

View file

@ -15,7 +15,7 @@ spec:
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
serviceName: ak-outpost-example-outpost serviceName: ak-outpost-example-outpost
servicePort: 9000 servicePort: 9000
path: /akprox path: /outpost.goauthentik.io
``` ```
This ingress handles authentication requests, and the sign-in flow. This ingress handles authentication requests, and the sign-in flow.
@ -26,9 +26,9 @@ Add these annotations to the ingress you want to protect
metadata: metadata:
annotations: annotations:
nginx.ingress.kubernetes.io/auth-url: | nginx.ingress.kubernetes.io/auth-url: |
https://outpost.company/akprox/auth/nginx https://outpost.company/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-signin: | nginx.ingress.kubernetes.io/auth-signin: |
https://outpost.company/akprox/start?rd=$escaped_request_uri https://outpost.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: | nginx.ingress.kubernetes.io/auth-response-headers: |
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: | nginx.ingress.kubernetes.io/auth-snippet: |

View file

@ -12,8 +12,8 @@ location / {
proxy_pass $forward_scheme://$server:$port; proxy_pass $forward_scheme://$server:$port;
# authentik-specific config # authentik-specific config
auth_request /akprox/auth/nginx; auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @akprox_signin; error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -31,9 +31,9 @@ location / {
proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-uid $authentik_uid;
} }
# all requests to /akprox must be accessible without authentication # all requests to /outpost.goauthentik.io must be accessible without authentication
location /akprox { location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/akprox; proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
@ -44,9 +44,9 @@ location /akprox {
# Special location for when the /auth endpoint returns a 401, # Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO # redirect to the /start URL which initiates SSO
location @akprox_signin { location @goauthentik_proxy_signin {
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri; return 302 /outpost.goauthentik.io/start?rd=$request_uri;
} }
``` ```

View file

@ -19,10 +19,10 @@ server {
# proxy_pass http://localhost:5000; # proxy_pass http://localhost:5000;
# authentik-specific config # authentik-specific config
auth_request /akprox/auth/nginx; auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @akprox_signin; error_page 401 = @goauthentik_proxy_signin;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; # error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -40,9 +40,9 @@ server {
proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-uid $authentik_uid;
} }
# all requests to /akprox must be accessible without authentication # all requests to /outpost.goauthentik.io must be accessible without authentication
location /akprox { location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/akprox; proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
@ -53,10 +53,10 @@ server {
# Special location for when the /auth endpoint returns a 401, # Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO # redirect to the /start URL which initiates SSO
location @akprox_signin { location @goauthentik_proxy_signin {
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri; return 302 /outpost.goauthentik.io/start?rd=$request_uri;
} }
} }
``` ```

View file

@ -30,9 +30,9 @@ services:
labels: labels:
traefik.enable: true traefik.enable: true
traefik.port: 9000 traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`) traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file. # `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped restart: unless-stopped

View file

@ -7,7 +7,7 @@ metadata:
name: authentik name: authentik
spec: spec:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-authentik-username - X-authentik-username
@ -41,7 +41,7 @@ spec:
services: # Unchanged services: # Unchanged
# This part is only required for single-app setups # This part is only required for single-app setups
- kind: Rule - kind: Rule
match: "Host(`app.company`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15 priority: 15
services: services:
- kind: Service - kind: Service

View file

@ -3,7 +3,7 @@ http:
middlewares: middlewares:
authentik: authentik:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-authentik-username - X-authentik-username
@ -25,7 +25,7 @@ http:
priority: 10 priority: 10
services: # Unchanged services: # Unchanged
default-router-auth: default-router-auth:
match: "Host(`app.company`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15 priority: 15
services: http://outpost.company:9000/akprox services: http://outpost.company:9000/outpost.goauthentik.io
``` ```

View file

@ -27,7 +27,7 @@ applications to different users.
The only configuration difference between single application and domain level is the host you specify. The only configuration difference between single application and domain level is the host you specify.
For single application, you'd use the domain which the application is running on, and only /akprox For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
is redirected to the outpost. is redirected to the outpost.
For domain level, you'd use the same domain as authentik. For domain level, you'd use the same domain as authentik.

View file

@ -58,11 +58,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
Login is done automatically when you visit the domain without a valid cookie. Login is done automatically when you visit the domain without a valid cookie.
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`. When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider. When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`. To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests ## Allowing unauthenticated requests

View file

@ -10,7 +10,7 @@ slug: "2021.8"
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself. Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
- App passwords - App passwords

View file

@ -43,7 +43,7 @@ This release mostly removes legacy fields and features that have been deprecated
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist - internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
- internal: use math.MaxInt for compatibility - internal: use math.MaxInt for compatibility
- lifecycle: add early check for missing/invalid secret key - lifecycle: add early check for missing/invalid secret key
- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier - outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode - outposts/proxyv2: fix before-redirect url not being saved in proxy mode
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
@ -60,7 +60,7 @@ This release mostly removes legacy fields and features that have been deprecated
## Fixed in 2022.1.2 ## Fixed in 2022.1.2
- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted - internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
- lib: disable backup by default, add note to configuration - lib: disable backup by default, add note to configuration
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir - lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
- outposts: allow custom label for docker containers - outposts: allow custom label for docker containers