website/docs: revert to akprox for now
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
a1c8ad55ad
commit
9070df6c26
|
@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
|
|||
Routing is handled like this:
|
||||
|
||||
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
|
||||
2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
|
||||
2. Paths starting with `/akprox` are sent to the embedded outpost.
|
||||
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
|
||||
4. Everything remaining is sent to the authentik backend server.
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
|
|||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
|
||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
|
||||
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
|
||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
|
||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping"
|
||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
|
||||
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ spec:
|
|||
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
|
||||
serviceName: ak-outpost-example-outpost
|
||||
servicePort: 9000
|
||||
path: /outpost.goauthentik.io
|
||||
path: /akprox
|
||||
```
|
||||
|
||||
This ingress handles authentication requests, and the sign-in flow.
|
||||
|
@ -26,9 +26,9 @@ Add these annotations to the ingress you want to protect
|
|||
metadata:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: |
|
||||
https://outpost.company/outpost.goauthentik.io/auth/nginx
|
||||
https://outpost.company/akprox/auth/nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: |
|
||||
https://outpost.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
|
||||
https://outpost.company/akprox/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: |
|
||||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
|
|
|
@ -12,7 +12,7 @@ location / {
|
|||
proxy_pass $forward_scheme://$server:$port;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||
auth_request /akprox/auth/nginx;
|
||||
error_page 401 = @goauthentik_proxy_signin;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
|
@ -31,9 +31,9 @@ location / {
|
|||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
}
|
||||
|
||||
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||
location /outpost.goauthentik.io {
|
||||
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://outpost.company:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
|
@ -47,6 +47,6 @@ location /outpost.goauthentik.io {
|
|||
location @goauthentik_proxy_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
```
|
||||
|
|
|
@ -19,10 +19,10 @@ server {
|
|||
# proxy_pass http://localhost:5000;
|
||||
|
||||
# authentik-specific config
|
||||
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||
auth_request /akprox/auth/nginx;
|
||||
error_page 401 = @goauthentik_proxy_signin;
|
||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||
# error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
|
||||
|
@ -40,9 +40,9 @@ server {
|
|||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
}
|
||||
|
||||
# all requests to /outpost.goauthentik.io must be accessible without authentication
|
||||
location /outpost.goauthentik.io {
|
||||
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://outpost.company:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
|
@ -56,7 +56,7 @@ server {
|
|||
location @goauthentik_proxy_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||
return 302 /akprox/start?rd=$request_uri;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
|
|
@ -30,9 +30,9 @@ services:
|
|||
labels:
|
||||
traefik.enable: true
|
||||
traefik.port: 9000
|
||||
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
|
||||
# `authentik-proxy` refers to the service name in the compose file.
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
||||
restart: unless-stopped
|
||||
|
|
|
@ -7,7 +7,7 @@ metadata:
|
|||
name: authentik
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||
address: http://outpost.company:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
|
@ -41,7 +41,7 @@ spec:
|
|||
services: # Unchanged
|
||||
# This part is only required for single-app setups
|
||||
- kind: Rule
|
||||
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services:
|
||||
- kind: Service
|
||||
|
|
|
@ -3,7 +3,7 @@ http:
|
|||
middlewares:
|
||||
authentik:
|
||||
forwardAuth:
|
||||
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
|
||||
address: http://outpost.company:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
|
@ -25,7 +25,7 @@ http:
|
|||
priority: 10
|
||||
services: # Unchanged
|
||||
default-router-auth:
|
||||
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services: http://outpost.company:9000/outpost.goauthentik.io
|
||||
services: http://outpost.company:9000/akprox
|
||||
```
|
||||
|
|
|
@ -27,7 +27,7 @@ applications to different users.
|
|||
|
||||
The only configuration difference between single application and domain level is the host you specify.
|
||||
|
||||
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
|
||||
For single application, you'd use the domain which the application is running on, and only /akprox
|
||||
is redirected to the outpost.
|
||||
|
||||
For domain level, you'd use the same domain as authentik.
|
||||
|
|
|
@ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
|
|||
|
||||
Login is done automatically when you visit the domain without a valid cookie.
|
||||
|
||||
When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
|
||||
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
|
||||
|
||||
When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
||||
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
|
||||
|
||||
To log out, navigate to `/outpost.goauthentik.io/sign_out`.
|
||||
To log out, navigate to `/akprox/sign_out`.
|
||||
|
||||
## Allowing unauthenticated requests
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ slug: "2021.8"
|
|||
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
|
||||
|
||||
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
|
||||
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
|
||||
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself.
|
||||
|
||||
- App passwords
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
|||
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
|
||||
- internal: use math.MaxInt for compatibility
|
||||
- lifecycle: add early check for missing/invalid secret key
|
||||
- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
|
||||
- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier
|
||||
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
|
||||
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
|
||||
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
|
||||
|
@ -64,7 +64,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
|||
|
||||
## Fixed in 2022.1.2
|
||||
|
||||
- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
|
||||
- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted
|
||||
- lib: disable backup by default, add note to configuration
|
||||
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
|
||||
- outposts: allow custom label for docker containers
|
||||
|
|
Reference in a new issue