From 8d7bb7da1787de3bc3d1b592148a20e6e4acaec2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 14 May 2021 11:42:03 +0200
Subject: [PATCH] providers/proxy: connect ingress to https instead of http
Signed-off-by: Jens Langhammer #882
---
 authentik/providers/proxy/controllers/k8s/ingress.py | 3 ++-
 website/docs/outposts/proxy.mdx | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index bf0c588ab..8f6b1f98d 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -84,6 +84,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
 "traefik.ingress.kubernetes.io/affinity": "true",
 "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
 "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
+ "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"
 }
 annotations.update(
 self.controller.outpost.config.kubernetes_ingress_annotations
@@ -113,7 +114,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
 NetworkingV1beta1HTTPIngressPath(
 backend=NetworkingV1beta1IngressBackend(
 service_name=self.name,
- service_port="http",
+ service_port="https",
 ),
 path="/akprox",
 )
diff --git a/website/docs/outposts/proxy.mdx b/website/docs/outposts/proxy.mdx
index ecbfa21ec..1da39f4e7 100644
--- a/website/docs/outposts/proxy.mdx
+++ b/website/docs/outposts/proxy.mdx
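Review bot: The `backend-protocol: HTTPS` default added to the annotations dict in ingress.py (hunk at `@@ -84`) encrypts the hop to the outpost but does not authenticate it, because ingress-nginx leaves upstream certificate verification off unless `nginx.ingress.kubernetes.io/proxy-ssl-verify` is enabled together with a `proxy-ssl-secret`. I would record that next to the entry, for example `# TLS to the outpost is not verified by default; set proxy-ssl-verify / proxy-ssl-secret through kubernetes_ingress_annotations to enforce it`, since the `annotations.update(...)` call right below lets operators override these defaults. The new entry is also the only one in the dict without a trailing comma, so the next addition will have to touch this line again. The dict and its enclosing method start outside the hunk.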
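Review bot: `service_port="https"` in the `/akprox` backend (ingress.py hunk at `@@ -113`) only resolves if the Service created for the outpost exposes a port with exactly that name, and this commit does not touch the code that builds the Service, so that needs confirming outside the diff. The port name also affects controllers other than nginx: Traefik, for which this reconciler already sets an affinity annotation, treats a port whose name starts with `https` as a TLS backend and, as far as I know, verifies the backend certificate by default, which a self-signed outpost certificate would presumably fail. A short comment above the backend such as `# named port must exist on the outpost Service; an https-named port also switches Traefik to a TLS upstream` would make both dependencies visible. The enclosing constructor call starts and ends outside the hunk.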
@@ -15,6 +15,14 @@ Additionally, you can set `additionalHeaders` on groups or users to set addition If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set. +# HTTPS + +The outpost listens on both 4180 for HTTP and 4443 for HTTPS. + +:::warning +If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too. +::: + # Forward auth To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.