*: rename akprox to outpost.goauthentik.io (#2266)
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
3f6f83b4b6
commit
4343246a41
|
@ -12,4 +12,8 @@ class AuthentikProviderProxyConfig(AppConfig):
|
||||||
verbose_name = "authentik Providers.Proxy"
|
verbose_name = "authentik Providers.Proxy"
|
||||||
|
|
||||||
def ready(self) -> None:
|
def ready(self) -> None:
|
||||||
|
from authentik.providers.proxy.tasks import proxy_set_defaults
|
||||||
|
|
||||||
import_module("authentik.providers.proxy.managed")
|
import_module("authentik.providers.proxy.managed")
|
||||||
|
|
||||||
|
proxy_set_defaults.delay()
|
||||||
|
|
|
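Review bot: `proxy_set_defaults.delay()` is dispatched from `ready()` with no guard, so it is queued by every process that loads this app rather than once per upgrade. Each web worker, Celery worker and management command start would enqueue a rewrite of all providers, and app loading now appears to depend on the task broker being reachable (inferred; the Celery configuration is not visible here). A one-off data migration, or a marker checked before the call, would limit the update to a single run. At minimum, put a comment above the call saying why it is there, e.g. `# Re-apply OAuth defaults so stored callback URLs pick up the /outpost.goauthentik.io prefix`. The class starts outside the hunk.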
@ -28,12 +28,12 @@ class ProxyDockerController(DockerController):
|
||||||
labels["traefik.enable"] = "true"
|
labels["traefik.enable"] = "true"
|
||||||
labels[
|
labels[
|
||||||
f"traefik.http.routers.{traefik_name}-router.rule"
|
f"traefik.http.routers.{traefik_name}-router.rule"
|
||||||
] = f"Host({','.join(hosts)}) && PathPrefix(`/akprox`)"
|
] = f"Host({','.join(hosts)}) && PathPrefix(`/outpost.goauthentik.io`)"
|
||||||
labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
|
labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
|
||||||
labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
|
labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
|
||||||
labels[
|
labels[
|
||||||
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"
|
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"
|
||||||
] = "/akprox/ping"
|
] = "/outpost.goauthentik.io/ping"
|
||||||
labels[
|
labels[
|
||||||
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.port"
|
f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.port"
|
||||||
] = "9300"
|
] = "9300"
|
||||||
|
|
|
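Review bot: The new prefix is written out as a string literal in both labels here (the `PathPrefix(...)` rule and the healthcheck path). It is repeated in the Kubernetes ingress `path=`, the Traefik middleware `address=` and `_get_callback_url` in the following file sections. A single module-level constant, for example `OUTPOST_PATH_PREFIX = "/outpost.goauthentik.io"`, used to build all of these would keep the router rule, the health check and the OAuth callback from drifting apart on the next change. A router rule that no longer matches the path the outpost serves would leave the callback and forward-auth endpoints unreachable. The method that sets these labels starts and ends outside the hunk.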
@ -126,7 +126,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
|
||||||
port=V1ServiceBackendPort(name="http"),
|
port=V1ServiceBackendPort(name="http"),
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
path="/akprox",
|
path="/outpost.goauthentik.io",
|
||||||
path_type="ImplementationSpecific",
|
path_type="ImplementationSpecific",
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
|
@ -119,7 +119,10 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
|
||||||
),
|
),
|
||||||
spec=TraefikMiddlewareSpec(
|
spec=TraefikMiddlewareSpec(
|
||||||
forwardAuth=TraefikMiddlewareSpecForwardAuth(
|
forwardAuth=TraefikMiddlewareSpecForwardAuth(
|
||||||
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
|
address=(
|
||||||
|
f"http://{self.name}.{self.namespace}:9000/"
|
||||||
|
"outpost.goauthentik.io/auth/traefik"
|
||||||
|
),
|
||||||
authResponseHeaders=[
|
authResponseHeaders=[
|
||||||
"X-authentik-username",
|
"X-authentik-username",
|
||||||
"X-authentik-groups",
|
"X-authentik-groups",
|
||||||
|
|
|
@ -27,7 +27,7 @@ def get_cookie_secret():
|
||||||
|
|
||||||
|
|
||||||
def _get_callback_url(uri: str) -> str:
|
def _get_callback_url(uri: str) -> str:
|
||||||
return urljoin(uri, "/akprox/callback")
|
return urljoin(uri, "/outpost.goauthentik.io/callback")
|
||||||
|
|
||||||
|
|
||||||
class ProxyMode(models.TextChoices):
|
class ProxyMode(models.TextChoices):
|
||||||
|
|
11
authentik/providers/proxy/tasks.py
Normal file
11
authentik/providers/proxy/tasks.py
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
"""proxy provider tasks"""
|
||||||
|
from authentik.providers.proxy.models import ProxyProvider
|
||||||
|
from authentik.root.celery import CELERY_APP
|
||||||
|
|
||||||
|
|
||||||
|
@CELERY_APP.task()
|
||||||
|
def proxy_set_defaults():
|
||||||
|
"""Ensure correct defaults are set for all providers"""
|
||||||
|
for provider in ProxyProvider.objects.all():
|
||||||
|
provider.set_oauth_defaults()
|
||||||
|
provider.save()
|
|
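Review bot: `proxy_set_defaults` calls `provider.save()` for every `ProxyProvider` unconditionally and has no error handling, so one provider that fails to save stops the loop and leaves the rest with their previous values. Those values presumably include the redirect URI built by `_get_callback_url` (the body of `set_oauth_defaults` is not visible here), so a partial run could leave some providers still registered with the old `/akprox/callback`. Consider catching and logging failures per provider so the remaining ones are still updated. The docstring should also say when the task runs and why, e.g. `"""Re-apply OAuth defaults (including the callback URL) to all proxy providers; dispatched on app start."""`.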
@ -25,7 +25,7 @@ var (
|
||||||
func RunServer() {
|
func RunServer() {
|
||||||
m := mux.NewRouter()
|
m := mux.NewRouter()
|
||||||
l := log.WithField("logger", "authentik.outpost.metrics")
|
l := log.WithField("logger", "authentik.outpost.metrics")
|
||||||
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) {
|
m.HandleFunc("/outpost.goauthentik.io/ping", func(rw http.ResponseWriter, r *http.Request) {
|
||||||
rw.WriteHeader(204)
|
rw.WriteHeader(204)
|
||||||
})
|
})
|
||||||
m.Path("/metrics").Handler(promhttp.Handler())
|
m.Path("/metrics").Handler(promhttp.Handler())
|
||||||
|
|
|
@ -78,7 +78,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
||||||
oauth2Config := oauth2.Config{
|
oauth2Config := oauth2.Config{
|
||||||
ClientID: *p.ClientId,
|
ClientID: *p.ClientId,
|
||||||
ClientSecret: *p.ClientSecret,
|
ClientSecret: *p.ClientSecret,
|
||||||
RedirectURL: urlJoin(p.ExternalHost, "/akprox/callback"),
|
RedirectURL: urlJoin(p.ExternalHost, "/outpost.goauthentik.io/callback"),
|
||||||
Endpoint: endpoint.Endpoint,
|
Endpoint: endpoint.Endpoint,
|
||||||
Scopes: p.ScopesToRequest,
|
Scopes: p.ScopesToRequest,
|
||||||
}
|
}
|
||||||
|
@ -145,10 +145,10 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
||||||
mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
|
mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
|
||||||
|
|
||||||
// Support /start and /sign_in for backwards compatibility
|
// Support /start and /sign_in for backwards compatibility
|
||||||
mux.HandleFunc("/akprox/start", a.handleRedirect)
|
mux.HandleFunc("/outpost.goauthentik.io/start", a.handleRedirect)
|
||||||
mux.HandleFunc("/akprox/sign_in", a.handleRedirect)
|
mux.HandleFunc("/outpost.goauthentik.io/sign_in", a.handleRedirect)
|
||||||
mux.HandleFunc("/akprox/callback", a.handleCallback)
|
mux.HandleFunc("/outpost.goauthentik.io/callback", a.handleCallback)
|
||||||
mux.HandleFunc("/akprox/sign_out", a.handleSignOut)
|
mux.HandleFunc("/outpost.goauthentik.io/sign_out", a.handleSignOut)
|
||||||
switch *p.Mode {
|
switch *p.Mode {
|
||||||
case api.PROXYMODE_PROXY:
|
case api.PROXYMODE_PROXY:
|
||||||
err = a.configureProxy()
|
err = a.configureProxy()
|
||||||
|
|
|
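Review bot: The four `mux.HandleFunc` registrations replace the `/akprox/...` routes outright, so nothing answers on the old prefix after the upgrade, even though the comment above them speaks of backwards compatibility. Hand-written reverse-proxy configurations (nginx `auth_request`, Traefik `forwardAuth`) that still point at `/akprox` will stop reaching the outpost handlers. Whether that fails closed depends on how the front proxy treats an unexpected auth response, which is not visible here. Either keep the old paths registered for a deprecation period or state the break next to the routes, e.g. `// NOTE: the /akprox prefix is no longer served; external proxy configs must be updated`. `NewApplication` starts and ends outside these hunks.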
@ -18,7 +18,7 @@ func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err str
|
||||||
data := ErrorPageData{
|
data := ErrorPageData{
|
||||||
Title: "Bad Gateway",
|
Title: "Bad Gateway",
|
||||||
Message: "Error proxying to upstream server",
|
Message: "Error proxying to upstream server",
|
||||||
ProxyPrefix: "/akprox",
|
ProxyPrefix: "/outpost.goauthentik.io",
|
||||||
}
|
}
|
||||||
if claims != nil && len(err) > 0 {
|
if claims != nil && len(err) > 0 {
|
||||||
data.Message = err
|
data.Message = err
|
||||||
|
|
|
@ -12,15 +12,15 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func (a *Application) configureForward() error {
|
func (a *Application) configureForward() error {
|
||||||
a.mux.HandleFunc("/akprox/auth", func(rw http.ResponseWriter, r *http.Request) {
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) {
|
||||||
if _, ok := r.URL.Query()["traefik"]; ok {
|
if _, ok := r.URL.Query()["traefik"]; ok {
|
||||||
a.forwardHandleTraefik(rw, r)
|
a.forwardHandleTraefik(rw, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
a.forwardHandleNginx(rw, r)
|
a.forwardHandleNginx(rw, r)
|
||||||
})
|
})
|
||||||
a.mux.HandleFunc("/akprox/auth/traefik", a.forwardHandleTraefik)
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik)
|
||||||
a.mux.HandleFunc("/akprox/auth/nginx", a.forwardHandleNginx)
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -49,8 +49,8 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
||||||
a.log.Trace("path can be accessed without authentication")
|
a.log.Trace("path can be accessed without authentication")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/akprox") {
|
if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/outpost.goauthentik.io") {
|
||||||
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
|
a.log.WithField("url", r.URL.String()).Trace("path begins with /outpost.goauthentik.io, allowing access")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
host := ""
|
host := ""
|
||||||
|
@ -80,7 +80,7 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
||||||
if proto != "" {
|
if proto != "" {
|
||||||
proto = proto + ":"
|
proto = proto + ":"
|
||||||
}
|
}
|
||||||
rdFinal := fmt.Sprintf("%s//%s%s", proto, host, "/akprox/start")
|
rdFinal := fmt.Sprintf("%s//%s%s", proto, host, "/outpost.goauthentik.io/start")
|
||||||
a.log.WithField("url", rdFinal).Debug("Redirecting to login")
|
a.log.WithField("url", rdFinal).Debug("Redirecting to login")
|
||||||
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
|
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
|
||||||
}
|
}
|
||||||
|
@ -119,8 +119,8 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
|
||||||
}
|
}
|
||||||
|
|
||||||
if fwd.String() != r.URL.String() {
|
if fwd.String() != r.URL.String() {
|
||||||
if strings.HasPrefix(fwd.Path, "/akprox") {
|
if strings.HasPrefix(fwd.Path, "/outpost.goauthentik.io") {
|
||||||
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
|
a.log.WithField("url", r.URL.String()).Trace("path begins with /outpost.goauthentik.io, allowing access")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
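Review bot: Both allow checks match on a raw string prefix with no path-segment boundary, and on a match the handler returns at once ("allowing access"). They are `strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/outpost.goauthentik.io")` in `forwardHandleTraefik` and `strings.HasPrefix(fwd.Path, "/outpost.goauthentik.io")` in `forwardHandleNginx`. A protected upstream path that merely shares those leading characters would be treated as outpost-internal and skip the session check; the rename carries this behaviour over from the `/akprox` version. Compare against the exact prefix or the prefix followed by a slash, e.g. `if uri == prefix || strings.HasPrefix(uri, prefix+"/") {`, with `prefix` as a shared constant. The Trace message also logs `r.URL.String()` rather than the forwarded URI that was matched, which makes these allow decisions hard to audit. Both functions start and end outside the hunks.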
@ -12,7 +12,7 @@ import (
|
||||||
|
|
||||||
func TestForwardHandleNginx_Single_Blank(t *testing.T) {
|
func TestForwardHandleNginx_Single_Blank(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
a.forwardHandleNginx(rr, req)
|
a.forwardHandleNginx(rr, req)
|
||||||
|
@ -22,7 +22,7 @@ func TestForwardHandleNginx_Single_Blank(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleNginx_Single_Skip(t *testing.T) {
|
func TestForwardHandleNginx_Single_Skip(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
|
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
|
@ -33,7 +33,7 @@ func TestForwardHandleNginx_Single_Skip(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleNginx_Single_Headers(t *testing.T) {
|
func TestForwardHandleNginx_Single_Headers(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
|
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
|
@ -47,7 +47,7 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleNginx_Single_URI(t *testing.T) {
|
func TestForwardHandleNginx_Single_URI(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "https://foo.bar/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
req.Header.Set("X-Original-URI", "/app")
|
req.Header.Set("X-Original-URI", "/app")
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
|
@ -61,7 +61,7 @@ func TestForwardHandleNginx_Single_URI(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleNginx_Single_Claims(t *testing.T) {
|
func TestForwardHandleNginx_Single_Claims(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
req.Header.Set("X-Original-URI", "/")
|
req.Header.Set("X-Original-URI", "/")
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
|
@ -108,7 +108,7 @@ func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
||||||
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
a.forwardHandleNginx(rr, req)
|
a.forwardHandleNginx(rr, req)
|
||||||
|
@ -121,7 +121,7 @@ func TestForwardHandleNginx_Domain_Header(t *testing.T) {
|
||||||
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
||||||
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
||||||
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
|
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
|
||||||
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
|
req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
|
|
|
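Review bot: None of the cases visible in these hunks exercises the branch that lets a request through because its forwarded path begins with `/outpost.goauthentik.io`; the edits only change the URL the handler is invoked on. Add a case that sets `X-Original-URL` to a path under the prefix and asserts the allow response. Also add a near-miss case, a path that shares the leading characters but is a different segment, asserting that the request is still redirected to login. The same gap applies to the Traefik tests in the next file section, using `X-Forwarded-Uri`.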
@ -12,7 +12,7 @@ import (
|
||||||
|
|
||||||
func TestForwardHandleTraefik_Single_Blank(t *testing.T) {
|
func TestForwardHandleTraefik_Single_Blank(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
a.forwardHandleTraefik(rr, req)
|
a.forwardHandleTraefik(rr, req)
|
||||||
|
@ -22,7 +22,7 @@ func TestForwardHandleTraefik_Single_Blank(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleTraefik_Single_Skip(t *testing.T) {
|
func TestForwardHandleTraefik_Single_Skip(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
req.Header.Set("X-Forwarded-Proto", "http")
|
req.Header.Set("X-Forwarded-Proto", "http")
|
||||||
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
||||||
req.Header.Set("X-Forwarded-Uri", "/skip")
|
req.Header.Set("X-Forwarded-Uri", "/skip")
|
||||||
|
@ -35,7 +35,7 @@ func TestForwardHandleTraefik_Single_Skip(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
|
func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
req.Header.Set("X-Forwarded-Proto", "http")
|
req.Header.Set("X-Forwarded-Proto", "http")
|
||||||
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
||||||
req.Header.Set("X-Forwarded-Uri", "/app")
|
req.Header.Set("X-Forwarded-Uri", "/app")
|
||||||
|
@ -45,7 +45,7 @@ func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
|
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, loc.String(), "http://test.goauthentik.io/akprox/start")
|
assert.Equal(t, loc.String(), "http://test.goauthentik.io/outpost.goauthentik.io/start")
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
||||||
|
@ -53,7 +53,7 @@ func TestForwardHandleTraefik_Single_Headers(t *testing.T) {
|
||||||
|
|
||||||
func TestForwardHandleTraefik_Single_Claims(t *testing.T) {
|
func TestForwardHandleTraefik_Single_Claims(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
req.Header.Set("X-Forwarded-Proto", "http")
|
req.Header.Set("X-Forwarded-Proto", "http")
|
||||||
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
||||||
req.Header.Set("X-Forwarded-Uri", "/app")
|
req.Header.Set("X-Forwarded-Uri", "/app")
|
||||||
|
@ -102,7 +102,7 @@ func TestForwardHandleTraefik_Domain_Blank(t *testing.T) {
|
||||||
a := newTestApplication()
|
a := newTestApplication()
|
||||||
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
||||||
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
|
|
||||||
rr := httptest.NewRecorder()
|
rr := httptest.NewRecorder()
|
||||||
a.forwardHandleTraefik(rr, req)
|
a.forwardHandleTraefik(rr, req)
|
||||||
|
@ -115,7 +115,7 @@ func TestForwardHandleTraefik_Domain_Header(t *testing.T) {
|
||||||
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
||||||
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
a.proxyConfig.CookieDomain = api.PtrString("foo")
|
||||||
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
|
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
|
||||||
req, _ := http.NewRequest("GET", "/akprox/auth/traefik", nil)
|
req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/traefik", nil)
|
||||||
req.Header.Set("X-Forwarded-Proto", "http")
|
req.Header.Set("X-Forwarded-Proto", "http")
|
||||||
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
req.Header.Set("X-Forwarded-Host", "test.goauthentik.io")
|
||||||
req.Header.Set("X-Forwarded-Uri", "/app")
|
req.Header.Set("X-Forwarded-Uri", "/app")
|
||||||
|
@ -125,7 +125,7 @@ func TestForwardHandleTraefik_Domain_Header(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
|
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "http://auth.test.goauthentik.io/akprox/start", loc.String())
|
assert.Equal(t, "http://auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
||||||
|
|
|
@ -42,7 +42,7 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
||||||
a.log.WithError(err).Warning("failed to save session before redirect")
|
a.log.WithError(err).Warning("failed to save session before redirect")
|
||||||
}
|
}
|
||||||
|
|
||||||
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
|
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/outpost.goauthentik.io/start")
|
||||||
http.Redirect(rw, r, authUrl, http.StatusFound)
|
http.Redirect(rw, r, authUrl, http.StatusFound)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@ func TestRedirectToStart_Proxy(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, http.StatusFound, rr.Code)
|
assert.Equal(t, http.StatusFound, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String())
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
||||||
|
@ -38,7 +38,7 @@ func TestRedirectToStart_Forward(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, http.StatusFound, rr.Code)
|
assert.Equal(t, http.StatusFound, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String())
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
||||||
|
@ -56,7 +56,7 @@ func TestRedirectToStart_Forward_Domain_Invalid(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, http.StatusFound, rr.Code)
|
assert.Equal(t, http.StatusFound, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String())
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
||||||
|
@ -74,7 +74,7 @@ func TestRedirectToStart_Forward_Domain(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, http.StatusFound, rr.Code)
|
assert.Equal(t, http.StatusFound, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "https://test.goauthentik.io/akprox/start", loc.String())
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SeesionName)
|
s, _ := a.sessions.Get(req, constants.SeesionName)
|
||||||
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
||||||
|
|
|
@ -32,7 +32,7 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
||||||
before := time.Now()
|
before := time.Now()
|
||||||
web.DisableIndex(http.StripPrefix("/akprox/static/dist", staticWeb.StaticHandler)).ServeHTTP(rw, r)
|
web.DisableIndex(http.StripPrefix("/outpost.goauthentik.io/static/dist", staticWeb.StaticHandler)).ServeHTTP(rw, r)
|
||||||
after := time.Since(before)
|
after := time.Since(before)
|
||||||
metrics.Requests.With(prometheus.Labels{
|
metrics.Requests.With(prometheus.Labels{
|
||||||
"outpost_name": ps.akAPI.Outpost.Name,
|
"outpost_name": ps.akAPI.Outpost.Name,
|
||||||
|
@ -90,11 +90,11 @@ func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, str
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) {
|
func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) {
|
||||||
if strings.HasPrefix(r.URL.Path, "/akprox/static") {
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/static") {
|
||||||
ps.HandleStatic(rw, r)
|
ps.HandleStatic(rw, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if strings.HasPrefix(r.URL.Path, "/akprox/ping") {
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/ping") {
|
||||||
ps.HandlePing(rw, r)
|
ps.HandlePing(rw, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,7 +25,7 @@ var (
|
||||||
func RunServer() {
|
func RunServer() {
|
||||||
m := mux.NewRouter()
|
m := mux.NewRouter()
|
||||||
l := log.WithField("logger", "authentik.outpost.metrics")
|
l := log.WithField("logger", "authentik.outpost.metrics")
|
||||||
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) {
|
m.HandleFunc("/outpost.goauthentik.io/ping", func(rw http.ResponseWriter, r *http.Request) {
|
||||||
rw.WriteHeader(204)
|
rw.WriteHeader(204)
|
||||||
})
|
})
|
||||||
m.Path("/metrics").Handler(promhttp.Handler())
|
m.Path("/metrics").Handler(promhttp.Handler())
|
||||||
|
|
|
@ -64,8 +64,8 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
|
||||||
akAPI: ac,
|
akAPI: ac,
|
||||||
defaultCert: defaultCert,
|
defaultCert: defaultCert,
|
||||||
}
|
}
|
||||||
globalMux.PathPrefix("/akprox/static").HandlerFunc(s.HandleStatic)
|
globalMux.PathPrefix("/outpost.goauthentik.io/static").HandlerFunc(s.HandleStatic)
|
||||||
globalMux.Path("/akprox/ping").HandlerFunc(s.HandlePing)
|
globalMux.Path("/outpost.goauthentik.io/ping").HandlerFunc(s.HandlePing)
|
||||||
rootMux.PathPrefix("/").HandlerFunc(s.Handle)
|
rootMux.PathPrefix("/").HandlerFunc(s.Handle)
|
||||||
return s
|
return s
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,12 +5,12 @@
|
||||||
<meta charset="UTF-8">
|
<meta charset="UTF-8">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
||||||
<title>{{.Title}}</title>
|
<title>{{.Title}}</title>
|
||||||
<link rel="shortcut icon" type="image/png" href="/akprox/static/dist/assets/icons/icon.png">
|
<link rel="shortcut icon" type="image/png" href="/outpost.goauthentik.io/static/dist/assets/icons/icon.png">
|
||||||
<link rel="stylesheet" type="text/css" href="/akprox/static/dist/patternfly.min.css">
|
<link rel="stylesheet" type="text/css" href="/outpost.goauthentik.io/static/dist/patternfly.min.css">
|
||||||
<link rel="stylesheet" type="text/css" href="/akprox/static/dist/authentik.css">
|
<link rel="stylesheet" type="text/css" href="/outpost.goauthentik.io/static/dist/authentik.css">
|
||||||
<style>
|
<style>
|
||||||
.pf-c-background-image::before {
|
.pf-c-background-image::before {
|
||||||
--ak-flow-background: url("/akprox/static/dist/assets/images/flow_background.jpg");
|
--ak-flow-background: url("/outpost.goauthentik.io/static/dist/assets/images/flow_background.jpg");
|
||||||
}
|
}
|
||||||
</style>
|
</style>
|
||||||
</head>
|
</head>
|
||||||
|
@ -32,7 +32,7 @@
|
||||||
<div class="ak-login-container">
|
<div class="ak-login-container">
|
||||||
<header class="pf-c-login__header">
|
<header class="pf-c-login__header">
|
||||||
<div class="pf-c-brand ak-brand">
|
<div class="pf-c-brand ak-brand">
|
||||||
<img src="/akprox/static/dist/assets/icons/icon_left_brand.svg" alt="authentik icon" />
|
<img src="/outpost.goauthentik.io/static/dist/assets/icons/icon_left_brand.svg" alt="authentik icon" />
|
||||||
</div>
|
</div>
|
||||||
</header>
|
</header>
|
||||||
<main class="pf-c-login__main">
|
<main class="pf-c-login__main">
|
||||||
|
|
|
@ -28,7 +28,7 @@ func (ws *WebServer) configureProxy() {
|
||||||
rp := &httputil.ReverseProxy{Director: director}
|
rp := &httputil.ReverseProxy{Director: director}
|
||||||
rp.ErrorHandler = ws.proxyErrorHandler
|
rp.ErrorHandler = ws.proxyErrorHandler
|
||||||
rp.ModifyResponse = ws.proxyModifyResponse
|
rp.ModifyResponse = ws.proxyModifyResponse
|
||||||
ws.m.PathPrefix("/akprox").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
if ws.ProxyServer != nil {
|
if ws.ProxyServer != nil {
|
||||||
before := time.Now()
|
before := time.Now()
|
||||||
ws.ProxyServer.Handle(rw, r)
|
ws.ProxyServer.Handle(rw, r)
|
||||||
|
|
|
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
||||||
|
|
||||||
COPY --from=builder /go/ldap /
|
COPY --from=builder /go/ldap /
|
||||||
|
|
||||||
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/akprox/ping" ]
|
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||||
|
|
||||||
EXPOSE 3389 6636 9300
|
EXPOSE 3389 6636 9300
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
|
||||||
COPY --from=web-builder /static/dist/ /web/dist/
|
COPY --from=web-builder /static/dist/ /web/dist/
|
||||||
COPY --from=web-builder /static/authentik/ /web/authentik/
|
COPY --from=web-builder /static/authentik/ /web/authentik/
|
||||||
|
|
||||||
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/akprox/ping" ]
|
HEALTHCHECK CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||||
|
|
||||||
EXPOSE 9000 9300 9443
|
EXPOSE 9000 9300 9443
|
||||||
|
|
||||||
|
|
|
@ -105,7 +105,7 @@ class TestProviderProxy(SeleniumTestCase):
|
||||||
self.assertIn(f"X-Authentik-Username: {self.user.username}", full_body_text)
|
self.assertIn(f"X-Authentik-Username: {self.user.username}", full_body_text)
|
||||||
self.assertIn("X-Foo: bar", full_body_text)
|
self.assertIn("X-Foo: bar", full_body_text)
|
||||||
|
|
||||||
self.driver.get("http://localhost:9000/akprox/sign_out")
|
self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
|
||||||
sleep(2)
|
sleep(2)
|
||||||
full_body_text = self.driver.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text
|
full_body_text = self.driver.find_element(By.CSS_SELECTOR, ".pf-c-title.pf-m-3xl").text
|
||||||
self.assertIn("You've logged out of proxy.", full_body_text)
|
self.assertIn("You've logged out of proxy.", full_body_text)
|
||||||
|
|
|
@ -5673,8 +5673,8 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr "Use the username and password below to authenticate. The password can be retrieved later on the Tokens page."
|
msgstr "Use the username and password below to authenticate. The password can be retrieved later on the Tokens page."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgstr "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
||||||
|
|
|
@ -5556,8 +5556,8 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr "Use el nombre de usuario y la contraseña a continuación para autenticarse. La contraseña se puede recuperar más adelante en la página Tokens."
|
msgstr "Use el nombre de usuario y la contraseña a continuación para autenticarse. La contraseña se puede recuperar más adelante en la página Tokens."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr "Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Cada aplicación/dominio necesita su propio proveedor. Además, en cada dominio, /akprox debe enrutarse al puesto avanzado (cuando se usa un puesto avanzado administrado, esto se hace por usted)."
|
msgstr "Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Cada aplicación/dominio necesita su propio proveedor. Además, en cada dominio, /outpost.goauthentik.io debe enrutarse al puesto avanzado (cuando se usa un puesto avanzado administrado, esto se hace por usted)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
||||||
|
|
|
@ -5614,8 +5614,8 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr "Utilisez le nom d'utilisateur et le mot de passe ci-dessous pour vous authentifier. Le mot de passe peut être récupéré plus tard sur la page Jetons."
|
msgstr "Utilisez le nom d'utilisateur et le mot de passe ci-dessous pour vous authentifier. Le mot de passe peut être récupéré plus tard sur la page Jetons."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr "Utilisez ce fournisseur avec auth_request de nginx ou forwardAuth de traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, /akprox doit être routé vers l'avant-poste (si vous utilisez un avant-poste géré, cela est fait pour vous)."
|
msgstr "Utilisez ce fournisseur avec auth_request de nginx ou forwardAuth de traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, /outpost.goauthentik.io doit être routé vers l'avant-poste (si vous utilisez un avant-poste géré, cela est fait pour vous)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
||||||
|
|
|
@ -5556,8 +5556,8 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr "Użyj poniższej nazwy użytkownika i hasła do uwierzytelnienia. Hasło można później odzyskać na stronie Tokeny."
|
msgstr "Użyj poniższej nazwy użytkownika i hasła do uwierzytelnienia. Hasło można później odzyskać na stronie Tokeny."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr "Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie /akprox musi być przekierowany do placówki (w przypadku korzystania z zarządzanej placówki jest to zrobione za Ciebie)."
|
msgstr "Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie /outpost.goauthentik.io musi być przekierowany do placówki (w przypadku korzystania z zarządzanej placówki jest to zrobione za Ciebie)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
||||||
|
|
|
@ -6020,12 +6020,12 @@ msgstr ""
|
||||||
msgid ""
|
msgid ""
|
||||||
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
||||||
"application/domain needs its own provider. Additionally, on each domain, "
|
"application/domain needs its own provider. Additionally, on each domain, "
|
||||||
"/akprox must be routed to the outpost (when using a manged outpost, this is "
|
"/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
|
||||||
"done for you)."
|
"done for you)."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda "
|
"Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda "
|
||||||
"aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie "
|
"aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie "
|
||||||
"/akprox musi być przekierowany do placówki (w przypadku korzystania z "
|
"/outpost.goauthentik.io musi być przekierowany do placówki (w przypadku korzystania z "
|
||||||
"zarządzanej placówki jest to zrobione za Ciebie)."
|
"zarządzanej placówki jest to zrobione za Ciebie)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
|
|
|
@ -5653,7 +5653,7 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
|
|
|
@ -5558,8 +5558,8 @@ msgid "Use the username and password below to authenticate. The password can be
|
||||||
msgstr "Kimlik doğrulaması için aşağıdaki kullanıcı adı ve parolayı kullanın. Parola daha sonra Belirteçler sayfasından alınabilir."
|
msgstr "Kimlik doğrulaması için aşağıdaki kullanıcı adı ve parolayı kullanın. Parola daha sonra Belirteçler sayfasından alınabilir."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you)."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you)."
|
||||||
msgstr "Bu sağlayıcıyı nginx'in auth_request veya traefik's forwardAuth ile kullanın. Her uygulama/etki alanının kendi sağlayıcısına ihtiyacı vardır. Ayrıca, her etki alanında /akprox üsse yönlendirilmelidir (manged bir üs kullanırken, bu sizin için yapılır)."
|
msgstr "Bu sağlayıcıyı nginx'in auth_request veya traefik's forwardAuth ile kullanın. Her uygulama/etki alanının kendi sağlayıcısına ihtiyacı vardır. Ayrıca, her etki alanında /outpost.goauthentik.io üsse yönlendirilmelidir (manged bir üs kullanırken, bu sizin için yapılır)."
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
msgid "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application."
|
||||||
|
|
|
@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
|
||||||
msgid ""
|
msgid ""
|
||||||
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
||||||
"application/domain needs its own provider. Additionally, on each domain, "
|
"application/domain needs its own provider. Additionally, on each domain, "
|
||||||
"/akprox must be routed to the outpost (when using a manged outpost, this is "
|
"/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
|
||||||
"done for you)."
|
"done for you)."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
||||||
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost(使用托管 Outpost "
|
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost(使用托管 Outpost "
|
||||||
"时,这是为您完成的)。"
|
"时,这是为您完成的)。"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
|
|
|
@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
|
||||||
msgid ""
|
msgid ""
|
||||||
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
||||||
"application/domain needs its own provider. Additionally, on each domain, "
|
"application/domain needs its own provider. Additionally, on each domain, "
|
||||||
"/akprox must be routed to the outpost (when using a manged outpost, this is "
|
"/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
|
||||||
"done for you)."
|
"done for you)."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
||||||
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost(使用托管 Outpost "
|
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost(使用托管 Outpost "
|
||||||
"时,这是为您完成的)。"
|
"时,这是为您完成的)。"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
|
|
|
@ -5691,11 +5691,11 @@ msgstr "使用下面的用户名和密码进行身份验证。稍后可以在令
|
||||||
msgid ""
|
msgid ""
|
||||||
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
"Use this provider with nginx's auth_request or traefik's forwardAuth. Each "
|
||||||
"application/domain needs its own provider. Additionally, on each domain, "
|
"application/domain needs its own provider. Additionally, on each domain, "
|
||||||
"/akprox must be routed to the outpost (when using a manged outpost, this is "
|
"/outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is "
|
||||||
"done for you)."
|
"done for you)."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
"将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth "
|
||||||
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/akprox必须路由到 Outpost(使用托管 Outpost "
|
"一起使用。每个应用程序/域都需要自己的提供商。此外,在每个域上,/outpost.goauthentik.io必须路由到 Outpost(使用托管 Outpost "
|
||||||
"时,这是为您完成的)。"
|
"时,这是为您完成的)。"
|
||||||
|
|
||||||
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
#: src/pages/providers/proxy/ProxyProviderForm.ts
|
||||||
|
|
|
@ -214,7 +214,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
|
||||||
</ak-form-element-horizontal>`;
|
</ak-form-element-horizontal>`;
|
||||||
case ProxyMode.ForwardSingle:
|
case ProxyMode.ForwardSingle:
|
||||||
return html`<p class="pf-u-mb-xl">
|
return html`<p class="pf-u-mb-xl">
|
||||||
${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you).`}
|
${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).`}
|
||||||
</p>
|
</p>
|
||||||
<ak-form-element-horizontal
|
<ak-form-element-horizontal
|
||||||
label=${t`External host`}
|
label=${t`External host`}
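Review bot: The rewritten help string in the `ProxyMode.ForwardSingle` branch still carries the typo "manged"; it should read `(when using a managed outpost, this is done for you)`. The string is the gettext `msgid`, so the same spelling is repeated in every locale catalogue this commit touches, and the Turkish translation has copied "manged" verbatim. Because the commit already rewrites this `msgid` in all catalogues, fixing the spelling here and in the `.po` files together costs no extra translation churn. The enclosing `switch` starts and ends outside this hunk.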
|
||||||
|
|
|
@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
|
||||||
Routing is handled like this:
|
Routing is handled like this:
|
||||||
|
|
||||||
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
|
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
|
||||||
2. Paths starting with `/akprox` are sent to the embedded outpost.
|
2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
|
||||||
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
|
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
|
||||||
4. Everything remaining is sent to the authentik backend server.
|
4. Everything remaining is sent to the authentik backend server.
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ spec:
|
||||||
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
||||||
serviceName: ak-outpost-example-outpost
|
serviceName: ak-outpost-example-outpost
|
||||||
servicePort: 9000
|
servicePort: 9000
|
||||||
path: /akprox
|
path: /outpost.goauthentik.io
|
||||||
```
|
```
|
||||||
|
|
||||||
This ingress handles authentication requests, and the sign-in flow.
|
This ingress handles authentication requests, and the sign-in flow.
|
||||||
|
@ -26,9 +26,9 @@ Add these annotations to the ingress you want to protect
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/auth-url: |
|
nginx.ingress.kubernetes.io/auth-url: |
|
||||||
https://outpost.company/akprox/auth/nginx
|
https://outpost.company/outpost.goauthentik.io/auth/nginx
|
||||||
nginx.ingress.kubernetes.io/auth-signin: |
|
nginx.ingress.kubernetes.io/auth-signin: |
|
||||||
https://outpost.company/akprox/start?rd=$escaped_request_uri
|
https://outpost.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
|
||||||
nginx.ingress.kubernetes.io/auth-response-headers: |
|
nginx.ingress.kubernetes.io/auth-response-headers: |
|
||||||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||||
|
|
|
@ -12,8 +12,8 @@ location / {
|
||||||
proxy_pass $forward_scheme://$server:$port;
|
proxy_pass $forward_scheme://$server:$port;
|
||||||
|
|
||||||
# authentik-specific config
|
# authentik-specific config
|
||||||
auth_request /akprox/auth/nginx;
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
error_page 401 = @akprox_signin;
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
|
@ -31,9 +31,9 @@ location / {
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||||
location /akprox {
|
location /outpost.goauthentik.io {
|
||||||
proxy_pass http://outpost.company:9000/akprox;
|
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -44,9 +44,9 @@ location /akprox {
|
||||||
|
|
||||||
# Special location for when the /auth endpoint returns a 401,
|
# Special location for when the /auth endpoint returns a 401,
|
||||||
# redirect to the /start URL which initiates SSO
|
# redirect to the /start URL which initiates SSO
|
||||||
location @akprox_signin {
|
location @goauthentik_proxy_signin {
|
||||||
internal;
|
internal;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -19,10 +19,10 @@ server {
|
||||||
# proxy_pass http://localhost:5000;
|
# proxy_pass http://localhost:5000;
|
||||||
|
|
||||||
# authentik-specific config
|
# authentik-specific config
|
||||||
auth_request /akprox/auth/nginx;
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
error_page 401 = @akprox_signin;
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||||
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
# error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
|
@ -40,9 +40,9 @@ server {
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||||
location /akprox {
|
location /outpost.goauthentik.io {
|
||||||
proxy_pass http://outpost.company:9000/akprox;
|
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -53,10 +53,10 @@ server {
|
||||||
|
|
||||||
# Special location for when the /auth endpoint returns a 401,
|
# Special location for when the /auth endpoint returns a 401,
|
||||||
# redirect to the /start URL which initiates SSO
|
# redirect to the /start URL which initiates SSO
|
||||||
location @akprox_signin {
|
location @goauthentik_proxy_signin {
|
||||||
internal;
|
internal;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -30,9 +30,9 @@ services:
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.port: 9000
|
traefik.port: 9000
|
||||||
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
|
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
# `authentik-proxy` refers to the service name in the compose file.
|
# `authentik-proxy` refers to the service name in the compose file.
|
||||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
|
||||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
|
@ -7,7 +7,7 @@ metadata:
|
||||||
name: authentik
|
name: authentik
|
||||||
spec:
|
spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-authentik-username
|
- X-authentik-username
|
||||||
|
@ -41,7 +41,7 @@ spec:
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
# This part is only required for single-app setups
|
# This part is only required for single-app setups
|
||||||
- kind: Rule
|
- kind: Rule
|
||||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services:
|
services:
|
||||||
- kind: Service
|
- kind: Service
|
||||||
|
|
|
@ -3,7 +3,7 @@ http:
|
||||||
middlewares:
|
middlewares:
|
||||||
authentik:
|
authentik:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-authentik-username
|
- X-authentik-username
|
||||||
|
@ -25,7 +25,7 @@ http:
|
||||||
priority: 10
|
priority: 10
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
default-router-auth:
|
default-router-auth:
|
||||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services: http://outpost.company:9000/akprox
|
services: http://outpost.company:9000/outpost.goauthentik.io
|
||||||
```
|
```
|
||||||
|
|
|
@ -27,7 +27,7 @@ applications to different users.
|
||||||
|
|
||||||
The only configuration difference between single application and domain level is the host you specify.
|
The only configuration difference between single application and domain level is the host you specify.
|
||||||
|
|
||||||
For single application, you'd use the domain which the application is running on, and only /akprox
|
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
|
||||||
is redirected to the outpost.
|
is redirected to the outpost.
|
||||||
|
|
||||||
For domain level, you'd use the same domain as authentik.
|
For domain level, you'd use the same domain as authentik.
|
||||||
|
|
|
@ -58,11 +58,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
|
||||||
|
|
||||||
Login is done automatically when you visit the domain without a valid cookie.
|
Login is done automatically when you visit the domain without a valid cookie.
|
||||||
|
|
||||||
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
|
When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
|
||||||
|
|
||||||
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
||||||
|
|
||||||
To log out, navigate to `/akprox/sign_out`.
|
To log out, navigate to `/outpost.goauthentik.io/sign_out`.
|
||||||
|
|
||||||
## Allowing unauthenticated requests
|
## Allowing unauthenticated requests
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ slug: "2021.8"
|
||||||
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
|
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
|
||||||
|
|
||||||
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
|
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
|
||||||
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself.
|
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
|
||||||
|
|
||||||
- App passwords
|
- App passwords
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
||||||
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
|
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
|
||||||
- internal: use math.MaxInt for compatibility
|
- internal: use math.MaxInt for compatibility
|
||||||
- lifecycle: add early check for missing/invalid secret key
|
- lifecycle: add early check for missing/invalid secret key
|
||||||
- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier
|
- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
|
||||||
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
|
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
|
||||||
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
|
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
|
||||||
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
|
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
|
||||||
|
@ -60,7 +60,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
||||||
|
|
||||||
## Fixed in 2022.1.2
|
## Fixed in 2022.1.2
|
||||||
|
|
||||||
- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted
|
- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
|
||||||
- lib: disable backup by default, add note to configuration
|
- lib: disable backup by default, add note to configuration
|
||||||
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
|
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
|
||||||
- outposts: allow custom label for docker containers
|
- outposts: allow custom label for docker containers
|
||||||
|
|