Revert "website/docs: revert to akprox for now"
This reverts commit 9070df6c26.
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
# Conflicts:
# website/docs/providers/proxy/_nginx_ingress.md
# website/docs/providers/proxy/_nginx_proxy_manager.md
# website/docs/providers/proxy/_nginx_standalone.md
parent
eb05a3ddb8
commit
4e317c10c5
|
@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
|
||||||
Routing is handled like this:
|
Routing is handled like this:
|
||||||
|
|
||||||
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
|
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
|
||||||
2. Paths starting with `/akprox` are sent to the embedded outpost.
|
2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
|
||||||
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
|
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
|
||||||
4. Everything remaining is sent to the authentik backend server.
|
4. Everything remaining is sent to the authentik backend server.
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
|
||||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
|
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
|
||||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
|
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ spec:
|
||||||
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
||||||
serviceName: ak-outpost-example-outpost
|
serviceName: ak-outpost-example-outpost
|
||||||
servicePort: 9000
|
servicePort: 9000
|
||||||
path: /akprox
|
path: /outpost.goauthentik.io
|
||||||
```
|
```
|
||||||
|
|
||||||
This ingress handles authentication requests, and the sign-in flow.
|
This ingress handles authentication requests, and the sign-in flow.
|
||||||
|
@ -26,10 +26,10 @@ Add these annotations to the ingress you want to protect
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/auth-url: |-
|
nginx.ingress.kubernetes.io/auth-url: |-
|
||||||
http://outpost.company:9000/akprox/auth/nginx
|
http://outpost.company:9000/outpost.goauthentik.io/auth/nginx
|
||||||
# If you're using domain-level auth, use the authentication URL instead of the application URL
|
# If you're using domain-level auth, use the authentication URL instead of the application URL
|
||||||
nginx.ingress.kubernetes.io/auth-signin: |-
|
nginx.ingress.kubernetes.io/auth-signin: |-
|
||||||
https://app.company/akprox/start
|
https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
|
||||||
nginx.ingress.kubernetes.io/auth-response-headers: |-
|
nginx.ingress.kubernetes.io/auth-response-headers: |-
|
||||||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||||
|
|
|
@ -12,7 +12,7 @@ location / {
|
||||||
proxy_pass $forward_scheme://$server:$port;
|
proxy_pass $forward_scheme://$server:$port;
|
||||||
|
|
||||||
# authentik-specific config
|
# authentik-specific config
|
||||||
auth_request /akprox/auth/nginx;
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
error_page 401 = @goauthentik_proxy_signin;
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
@ -31,9 +31,9 @@ location / {
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||||
location /akprox {
|
location /outpost.goauthentik.io {
|
||||||
proxy_pass http://outpost.company:9000/akprox;
|
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -47,8 +47,8 @@ location /akprox {
|
||||||
location @goauthentik_proxy_signin {
|
location @goauthentik_proxy_signin {
|
||||||
internal;
|
internal;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||||
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -19,7 +19,7 @@ server {
|
||||||
# proxy_pass http://localhost:5000;
|
# proxy_pass http://localhost:5000;
|
||||||
|
|
||||||
# authentik-specific config
|
# authentik-specific config
|
||||||
auth_request /akprox/auth/nginx;
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
error_page 401 = @goauthentik_proxy_signin;
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
@ -38,9 +38,9 @@ server {
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||||
location /akprox {
|
location /outpost.goauthentik.io {
|
||||||
proxy_pass http://outpost.company:9000/akprox;
|
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -54,9 +54,9 @@ server {
|
||||||
location @goauthentik_proxy_signin {
|
location @goauthentik_proxy_signin {
|
||||||
internal;
|
internal;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||||
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -30,9 +30,9 @@ services:
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.port: 9000
|
traefik.port: 9000
|
||||||
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
|
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
# `authentik-proxy` refers to the service name in the compose file.
|
# `authentik-proxy` refers to the service name in the compose file.
|
||||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
|
||||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
|
@ -7,7 +7,7 @@ metadata:
|
||||||
name: authentik
|
name: authentik
|
||||||
spec:
|
spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-authentik-username
|
- X-authentik-username
|
||||||
|
@ -41,7 +41,7 @@ spec:
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
# This part is only required for single-app setups
|
# This part is only required for single-app setups
|
||||||
- kind: Rule
|
- kind: Rule
|
||||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services:
|
services:
|
||||||
- kind: Service
|
- kind: Service
|
||||||
|
|
|
@ -3,7 +3,7 @@ http:
|
||||||
middlewares:
|
middlewares:
|
||||||
authentik:
|
authentik:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- X-authentik-username
|
- X-authentik-username
|
||||||
|
@ -25,7 +25,7 @@ http:
|
||||||
priority: 10
|
priority: 10
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
default-router-auth:
|
default-router-auth:
|
||||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services: http://outpost.company:9000/akprox
|
services: http://outpost.company:9000/outpost.goauthentik.io
|
||||||
```
|
```
|
||||||
|
|
|
@ -27,7 +27,7 @@ applications to different users.
|
||||||
|
|
||||||
The only configuration difference between single application and domain level is the host you specify.
|
The only configuration difference between single application and domain level is the host you specify.
|
||||||
|
|
||||||
For single application, you'd use the domain which the application is running on, and only /akprox
|
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
|
||||||
is redirected to the outpost.
|
is redirected to the outpost.
|
||||||
|
|
||||||
For domain level, you'd use the same domain as authentik.
|
For domain level, you'd use the same domain as authentik.
|
||||||
|
|
|
@ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
|
||||||
|
|
||||||
Login is done automatically when you visit the domain without a valid cookie.
|
Login is done automatically when you visit the domain without a valid cookie.
|
||||||
|
|
||||||
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
|
When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
|
||||||
|
|
||||||
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
||||||
|
|
||||||
To log out, navigate to `/akprox/sign_out`.
|
To log out, navigate to `/outpost.goauthentik.io/sign_out`.
|
||||||
|
|
||||||
## Allowing unauthenticated requests
|
## Allowing unauthenticated requests
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ slug: "2021.8"
|
||||||
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
|
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
|
||||||
|
|
||||||
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
|
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
|
||||||
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself.
|
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
|
||||||
|
|
||||||
- App passwords
|
- App passwords
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
||||||
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
|
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
|
||||||
- internal: use math.MaxInt for compatibility
|
- internal: use math.MaxInt for compatibility
|
||||||
- lifecycle: add early check for missing/invalid secret key
|
- lifecycle: add early check for missing/invalid secret key
|
||||||
- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier
|
- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
|
||||||
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
|
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
|
||||||
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
|
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
|
||||||
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
|
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
|
||||||
|
@ -64,7 +64,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
||||||
|
|
||||||
## Fixed in 2022.1.2
|
## Fixed in 2022.1.2
|
||||||
|
|
||||||
- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted
|
- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
|
||||||
- lib: disable backup by default, add note to configuration
|
- lib: disable backup by default, add note to configuration
|
||||||
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
|
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
|
||||||
- outposts: allow custom label for docker containers
|
- outposts: allow custom label for docker containers
|
||||||
|
|