website/docs: add nginx-proxy-manager
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
77e42d60cb
commit
4ce3c2341c
31
website/docs/providers/proxy/_nginx_ingress.md
Normal file
31
website/docs/providers/proxy/_nginx_ingress.md
Normal file
|
@ -0,0 +1,31 @@
|
|||
Create a new ingress for the outpost
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: authentik-outpost
|
||||
spec:
|
||||
rules:
|
||||
- host: *external host that you configured in authentik*
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
serviceName: authentik-outpost-example-outpost
|
||||
servicePort: 9000
|
||||
path: /akprox
|
||||
```
|
||||
|
||||
This ingress handles authentication requests, and the sign-in flow.
|
||||
|
||||
Add these annotations to the ingress you want to protect
|
||||
|
||||
```yaml
|
||||
metadata:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
```
|
50
website/docs/providers/proxy/_nginx_proxy_manager.md
Normal file
50
website/docs/providers/proxy/_nginx_proxy_manager.md
Normal file
|
@ -0,0 +1,50 @@
|
|||
For Nginx Proxy Manager you can use this snippet
|
||||
|
||||
```
|
||||
# Increase buffer size for large headers
|
||||
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
||||
proxy_buffers 8 16k;
|
||||
proxy_buffer_size 32k;
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
|
||||
location / {
|
||||
# Put your proxy_pass to your application here
|
||||
proxy_pass $forward_scheme://$server:$port;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /akprox/auth/nginx;
|
||||
error_page 401 = @akprox_signin;
|
||||
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||
|
||||
proxy_set_header X-authentik-username $authentik_username;
|
||||
proxy_set_header X-authentik-groups $authentik_groups;
|
||||
proxy_set_header X-authentik-email $authentik_email;
|
||||
proxy_set_header X-authentik-name $authentik_name;
|
||||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
}
|
||||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
}
|
||||
|
||||
# Special location for when the /auth endpoint returns a 401,
|
||||
# redirect to the /start URL which initiates SSO
|
||||
location @akprox_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
```
|
60
website/docs/providers/proxy/_nginx_standalone.md
Normal file
60
website/docs/providers/proxy/_nginx_standalone.md
Normal file
|
@ -0,0 +1,60 @@
|
|||
|
||||
```
|
||||
server {
|
||||
# SSL and VHost configuration
|
||||
listen 443 ssl http2;
|
||||
server_name _;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
|
||||
# Increase buffer size for large headers
|
||||
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
||||
proxy_buffers 8 16k;
|
||||
proxy_buffer_size 32k;
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
|
||||
location / {
|
||||
# Put your proxy_pass to your application here
|
||||
# proxy_pass http://localhost:5000;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /akprox/auth/nginx;
|
||||
error_page 401 = @akprox_signin;
|
||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
||||
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||
|
||||
proxy_set_header X-authentik-username $authentik_username;
|
||||
proxy_set_header X-authentik-groups $authentik_groups;
|
||||
proxy_set_header X-authentik-email $authentik_email;
|
||||
proxy_set_header X-authentik-name $authentik_name;
|
||||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
}
|
||||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
}
|
||||
|
||||
# Special location for when the /auth endpoint returns a 401,
|
||||
# redirect to the /start URL which initiates SSO
|
||||
location @akprox_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
}
|
||||
```
|
65
website/docs/providers/proxy/_traefik_compose.md
Normal file
65
website/docs/providers/proxy/_traefik_compose.md
Normal file
|
@ -0,0 +1,65 @@
|
|||
|
||||
```yaml
|
||||
version: '3.7'
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.2
|
||||
container_name: traefik
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
||||
traefik.http.routers.api.entrypoints: https
|
||||
traefik.http.routers.api.service: api@internal
|
||||
traefik.http.routers.api.tls: true
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
command:
|
||||
- '--api'
|
||||
- '--log=true'
|
||||
- '--log.level=DEBUG'
|
||||
- '--log.filepath=/var/log/traefik.log'
|
||||
- '--providers.docker=true'
|
||||
- '--providers.docker.exposedByDefault=false'
|
||||
- '--entrypoints.http=true'
|
||||
- '--entrypoints.http.address=:80'
|
||||
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
||||
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
||||
- '--entrypoints.https=true'
|
||||
- '--entrypoints.https.address=:443'
|
||||
|
||||
authentik_proxy:
|
||||
image: goauthentik.io/proxy:2021.5.1
|
||||
ports:
|
||||
- 9000:9000
|
||||
- 9443:9443
|
||||
environment:
|
||||
AUTHENTIK_HOST: https://your-authentik.tld
|
||||
AUTHENTIK_INSECURE: "false"
|
||||
AUTHENTIK_TOKEN: token-generated-by-authentik
|
||||
# Starting with 2021.9, you can optionally set this too
|
||||
# when authentik_host for internal communication doesn't match the public URL
|
||||
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.port: 9000
|
||||
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
||||
traefik.http.routers.authentik.entrypoints: https
|
||||
traefik.http.routers.authentik.tls: true
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
restart: unless-stopped
|
||||
|
||||
whoami:
|
||||
image: containous/whoami
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
||||
traefik.http.routers.whoami.entrypoints: https
|
||||
traefik.http.routers.whoami.tls: true
|
||||
traefik.http.routers.whoami.middlewares: authentik@docker
|
||||
restart: unless-stopped
|
||||
```
|
47
website/docs/providers/proxy/_traefik_ingress.md
Normal file
47
website/docs/providers/proxy/_traefik_ingress.md
Normal file
|
@ -0,0 +1,47 @@
|
|||
Create a middleware:
|
||||
|
||||
```yaml
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: authentik
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
```
|
||||
|
||||
Add the following settings to your IngressRoute
|
||||
|
||||
:::warning
|
||||
By default traefik does not allow cross-namespace references for middlewares:
|
||||
|
||||
See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
|
||||
:::
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
namespace: authentik
|
||||
priority: 10
|
||||
services: # Unchanged
|
||||
# This part is only required for single-app setups
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services:
|
||||
- kind: Service
|
||||
name: authentik-outpost-example-outpost
|
||||
port: 9000
|
||||
```
|
26
website/docs/providers/proxy/_traefik_standalone.md
Normal file
26
website/docs/providers/proxy/_traefik_standalone.md
Normal file
|
@ -0,0 +1,26 @@
|
|||
```yaml
|
||||
http:
|
||||
middlewares:
|
||||
authentik:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
routers:
|
||||
default-router:
|
||||
rule: "Host(`*external host that you configured in authentik*`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
priority: 10
|
||||
services: # Unchanged
|
||||
default-router-auth
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services: http://*ip of your outpost*:9000/akprox
|
||||
```
|
|
@ -47,102 +47,28 @@ import TabItem from '@theme/TabItem';
|
|||
values={[
|
||||
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
||||
{label: 'Ingress', value: 'ingress'},
|
||||
{label: 'Nginx Proxy Manager', value: 'proxy-manager'},
|
||||
]}>
|
||||
<TabItem value="standalone-nginx">
|
||||
|
||||
```
|
||||
server {
|
||||
# SSL and VHost configuration
|
||||
listen 443 ssl http2;
|
||||
server_name _;
|
||||
import NginxStandalone from './_nginx_standalone.md'
|
||||
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
|
||||
# Increase buffer size for large headers
|
||||
# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
|
||||
proxy_buffers 8 16k;
|
||||
proxy_buffer_size 32k;
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
|
||||
location / {
|
||||
# Put your proxy_pass to your application here
|
||||
# proxy_pass http://localhost:5000;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /akprox/auth/nginx;
|
||||
error_page 401 = @akprox_signin;
|
||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
||||
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||
|
||||
proxy_set_header X-authentik-username $authentik_username;
|
||||
proxy_set_header X-authentik-groups $authentik_groups;
|
||||
proxy_set_header X-authentik-email $authentik_email;
|
||||
proxy_set_header X-authentik-name $authentik_name;
|
||||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
}
|
||||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
}
|
||||
|
||||
# Special location for when the /auth endpoint returns a 401,
|
||||
# redirect to the /start URL which initiates SSO
|
||||
location @akprox_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
}
|
||||
```
|
||||
<NginxStandalone />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="ingress">
|
||||
Create a new ingress for the outpost
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: authentik-outpost
|
||||
spec:
|
||||
rules:
|
||||
- host: *external host that you configured in authentik*
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
serviceName: authentik-outpost-example-outpost
|
||||
servicePort: 9000
|
||||
path: /akprox
|
||||
```
|
||||
import NginxIngress from './_nginx_ingress.md'
|
||||
|
||||
This ingress handles authentication requests, and the sign-in flow.
|
||||
<NginxIngress />
|
||||
|
||||
Add these annotations to the ingress you want to protect
|
||||
</TabItem>
|
||||
<TabItem value="proxy-manager">
|
||||
|
||||
import NginxProxyManager from './_nginx_proxy_manager.md'
|
||||
|
||||
<NginxProxyManager />
|
||||
|
||||
```yaml
|
||||
metadata:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
```
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
@ -157,148 +83,23 @@ metadata:
|
|||
]}>
|
||||
<TabItem value="standalone-traefik">
|
||||
|
||||
```yaml
|
||||
http:
|
||||
middlewares:
|
||||
authentik:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
routers:
|
||||
default-router:
|
||||
rule: "Host(`*external host that you configured in authentik*`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
priority: 10
|
||||
services: # Unchanged
|
||||
default-router-auth
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services: http://*ip of your outpost*:9000/akprox
|
||||
```
|
||||
import TraefikStandalone from './_traefik_standalone.md'
|
||||
|
||||
<TraefikStandalone />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="docker-compose">
|
||||
|
||||
```yaml
|
||||
version: '3.7'
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.2
|
||||
container_name: traefik
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
||||
traefik.http.routers.api.entrypoints: https
|
||||
traefik.http.routers.api.service: api@internal
|
||||
traefik.http.routers.api.tls: true
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
command:
|
||||
- '--api'
|
||||
- '--log=true'
|
||||
- '--log.level=DEBUG'
|
||||
- '--log.filepath=/var/log/traefik.log'
|
||||
- '--providers.docker=true'
|
||||
- '--providers.docker.exposedByDefault=false'
|
||||
- '--entrypoints.http=true'
|
||||
- '--entrypoints.http.address=:80'
|
||||
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
||||
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
||||
- '--entrypoints.https=true'
|
||||
- '--entrypoints.https.address=:443'
|
||||
import TraefikCompose from './_traefik_compose.md'
|
||||
|
||||
authentik_proxy:
|
||||
image: goauthentik.io/proxy:2021.5.1
|
||||
ports:
|
||||
- 9000:9000
|
||||
- 9443:9443
|
||||
environment:
|
||||
AUTHENTIK_HOST: https://your-authentik.tld
|
||||
AUTHENTIK_INSECURE: "false"
|
||||
AUTHENTIK_TOKEN: token-generated-by-authentik
|
||||
# Starting with 2021.9, you can optionally set this too
|
||||
# when authentik_host for internal communication doesn't match the public URL
|
||||
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.port: 9000
|
||||
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
||||
traefik.http.routers.authentik.entrypoints: https
|
||||
traefik.http.routers.authentik.tls: true
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
restart: unless-stopped
|
||||
|
||||
whoami:
|
||||
image: containous/whoami
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
||||
traefik.http.routers.whoami.entrypoints: https
|
||||
traefik.http.routers.whoami.tls: true
|
||||
traefik.http.routers.whoami.middlewares: authentik@docker
|
||||
restart: unless-stopped
|
||||
```
|
||||
<TraefikCompose />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="ingress">
|
||||
Create a middleware:
|
||||
|
||||
```yaml
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: authentik
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
```
|
||||
import TraefikIngress from './_traefik_ingress.md'
|
||||
|
||||
Add the following settings to your IngressRoute
|
||||
<TraefikIngress />
|
||||
|
||||
:::warning
|
||||
By default traefik does not allow cross-namespace references for middlewares:
|
||||
|
||||
See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
|
||||
:::
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
namespace: authentik
|
||||
priority: 10
|
||||
services: # Unchanged
|
||||
# This part is only required for single-app setups
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services:
|
||||
- kind: Service
|
||||
name: authentik-outpost-example-outpost
|
||||
port: 9000
|
||||
```
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
Reference in a new issue