From 9070df6c2633f2aba802813d3686a701f9008c90 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 11 Feb 2022 23:37:46 +0100
Subject: [PATCH] website/docs: revert to akprox for now
Signed-off-by: Jens Langhammer
---
 website/docs/outposts/embedded/embedded.md | 2 +-
 website/docs/outposts/integrations/docker.md | 2 +-
 website/docs/providers/proxy/_nginx_ingress.md | 6 +++---
 website/docs/providers/proxy/_nginx_proxy_manager.md | 10 +++++-----
 website/docs/providers/proxy/_nginx_standalone.md | 12 ++++++------
 website/docs/providers/proxy/_traefik_compose.md | 4 ++--
 website/docs/providers/proxy/_traefik_ingress.md | 4 ++--
 website/docs/providers/proxy/_traefik_standalone.md | 6 +++---
 website/docs/providers/proxy/forward_auth.mdx | 2 +-
 website/docs/providers/proxy/proxy.md | 6 +++---
 website/docs/releases/v2021.8.md | 2 +-
 website/docs/releases/v2022.1.md | 4 ++--
 12 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/website/docs/outposts/embedded/embedded.md b/website/docs/outposts/embedded/embedded.md
index 7c9420c97..f4a6d643a 100644
--- a/website/docs/outposts/embedded/embedded.md
+++ b/website/docs/outposts/embedded/embedded.md
@@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
 Routing is handled like this:
 1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
-2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
+2. Paths starting with `/akprox` are sent to the embedded outpost.
 3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
 4. Everything remaining is sent to the authentik backend server.
diff --git a/website/docs/outposts/integrations/docker.md b/website/docs/outposts/integrations/docker.md
index fe3dd8fea..4c67496d1 100644
--- a/website/docs/outposts/integrations/docker.md
+++ b/website/docs/outposts/integrations/docker.md
@@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
 - `traefik.http.routers.ak-outpost--router.rule`: `Host(...)`
 - `traefik.http.routers.ak-outpost--router.service`: `ak-outpost--service`
 - `traefik.http.routers.ak-outpost--router.tls`: "true"
- - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
+ - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.path`: "/akprox/ping"
 - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.port`: "9300"
 - `traefik.http.services.ak-outpost--service.loadbalancer.server.port`: "9000"
diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md
index 2262bf2ec..41f4475f5 100644
--- a/website/docs/providers/proxy/_nginx_ingress.md
+++ b/website/docs/providers/proxy/_nginx_ingress.md
@@ -15,7 +15,7 @@ spec:
 # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
 serviceName: ak-outpost-example-outpost
 servicePort: 9000
- path: /outpost.goauthentik.io
+ path: /akprox
 ```
 This ingress handles authentication requests, and the sign-in flow.
@@ -26,9 +26,9 @@ Add these annotations to the ingress you want to protect
 metadata:
 annotations:
 nginx.ingress.kubernetes.io/auth-url: |
- https://outpost.company/outpost.goauthentik.io/auth/nginx
+ https://outpost.company/akprox/auth/nginx
 nginx.ingress.kubernetes.io/auth-signin: |
- https://outpost.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
+ https://outpost.company/akprox/start?rd=$escaped_request_uri
 nginx.ingress.kubernetes.io/auth-response-headers: |
 Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
 nginx.ingress.kubernetes.io/auth-snippet: |
diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md
index 426adee10..c5f6f0106 100644
--- a/website/docs/providers/proxy/_nginx_proxy_manager.md
+++ b/website/docs/providers/proxy/_nginx_proxy_manager.md
@@ -12,7 +12,7 @@ location / {
 proxy_pass $forward_scheme://$server:$port;
 # authentik-specific config
- auth_request /outpost.goauthentik.io/auth/nginx;
+ auth_request /akprox/auth/nginx;
 error_page 401 = @goauthentik_proxy_signin;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 add_header Set-Cookie $auth_cookie;
@@ -31,9 +31,9 @@ location / {
 proxy_set_header X-authentik-uid $authentik_uid;
 }
-# all requests to /outpost.goauthentik.io must be accessible without authentication
-location /outpost.goauthentik.io {
- proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
+# all requests to /akprox must be accessible without authentication
+location /akprox {
+ proxy_pass http://outpost.company:9000/akprox;
 # ensure the host of this vserver matches your external URL you've configured
 # in authentik
 proxy_set_header Host $host;
@@ -47,6 +47,6 @@ location /outpost.goauthentik.io {
 location @goauthentik_proxy_signin {
 internal;
 add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ return 302 /akprox/start?rd=$request_uri;
 }
 ```
diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md
index c9a8ec6a9..04ea01849 100644
--- a/website/docs/providers/proxy/_nginx_standalone.md
+++ b/website/docs/providers/proxy/_nginx_standalone.md
@@ -19,10 +19,10 @@ server {
 # proxy_pass http://localhost:5000;
 # authentik-specific config
- auth_request /outpost.goauthentik.io/auth/nginx;
+ auth_request /akprox/auth/nginx;
 error_page 401 = @goauthentik_proxy_signin;
 # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # error_page 401 =302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+ # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 add_header Set-Cookie $auth_cookie;
@@ -40,9 +40,9 @@ server {
 proxy_set_header X-authentik-uid $authentik_uid;
 }
- # all requests to /outpost.goauthentik.io must be accessible without authentication
- location /outpost.goauthentik.io {
- proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
+ # all requests to /akprox must be accessible without authentication
+ location /akprox {
+ proxy_pass http://outpost.company:9000/akprox;
 # ensure the host of this vserver matches your external URL you've configured
 # in authentik
 proxy_set_header Host $host;
@@ -56,7 +56,7 @@ server {
 location @goauthentik_proxy_signin {
 internal;
 add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ return 302 /akprox/start?rd=$request_uri;
 }
 }
 ```
diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md
index 6ddaff9da..bd0248f2d 100644
--- a/website/docs/providers/proxy/_traefik_compose.md
+++ b/website/docs/providers/proxy/_traefik_compose.md
@@ -30,9 +30,9 @@ services:
 labels:
 traefik.enable: true
 traefik.port: 9000
- traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
+ traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
 # `authentik-proxy` refers to the service name in the compose file.
- traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
+ traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
 traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
 traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
 restart: unless-stopped
diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md
index c48e626e7..b673b1990 100644
--- a/website/docs/providers/proxy/_traefik_ingress.md
+++ b/website/docs/providers/proxy/_traefik_ingress.md
@@ -7,7 +7,7 @@ metadata:
 name: authentik
 spec:
 forwardAuth:
- address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
+ address: http://outpost.company:9000/akprox/auth/traefik
 trustForwardHeader: true
 authResponseHeaders:
 - X-authentik-username
@@ -41,7 +41,7 @@ spec:
 services: # Unchanged
 # This part is only required for single-app setups
 - kind: Rule
- match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
+ match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
 priority: 15
 services:
 - kind: Service
diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md
index 6fb1610c3..c58a2d87b 100644
--- a/website/docs/providers/proxy/_traefik_standalone.md
+++ b/website/docs/providers/proxy/_traefik_standalone.md
@@ -3,7 +3,7 @@ http:
 middlewares:
 authentik:
 forwardAuth:
- address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
+ address: http://outpost.company:9000/akprox/auth/traefik
 trustForwardHeader: true
 authResponseHeaders:
 - X-authentik-username
@@ -25,7 +25,7 @@ http:
 priority: 10
 services: # Unchanged
 default-router-auth:
- match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
+ match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
 priority: 15
- services: http://outpost.company:9000/outpost.goauthentik.io
+ services: http://outpost.company:9000/akprox
 ```
diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx
index 84d03c474..76c84ccbd 100644
--- a/website/docs/providers/proxy/forward_auth.mdx
+++ b/website/docs/providers/proxy/forward_auth.mdx
@@ -27,7 +27,7 @@ applications to different users.
 The only configuration difference between single application and domain level is the host you specify.
-For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
+For single application, you'd use the domain which the application is running on, and only /akprox
 is redirected to the outpost.
 For domain level, you'd use the same domain as authentik.
diff --git a/website/docs/providers/proxy/proxy.md b/website/docs/providers/proxy/proxy.md
index d458a561d..6351778af 100644
--- a/website/docs/providers/proxy/proxy.md
+++ b/website/docs/providers/proxy/proxy.md
@@ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
 Login is done automatically when you visit the domain without a valid cookie.
-When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
+When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
-When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
+When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
-To log out, navigate to `/outpost.goauthentik.io/sign_out`.
+To log out, navigate to `/akprox/sign_out`.
 ## Allowing unauthenticated requests
diff --git a/website/docs/releases/v2021.8.md b/website/docs/releases/v2021.8.md
index 1d2edce42..2fa01bdf3 100644
--- a/website/docs/releases/v2021.8.md
+++ b/website/docs/releases/v2021.8.md
@@ -10,7 +10,7 @@ slug: "2021.8"
 To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
- Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
+ Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself.
 - App passwords
diff --git a/website/docs/releases/v2022.1.md b/website/docs/releases/v2022.1.md
index ce313f347..854752959 100644
--- a/website/docs/releases/v2022.1.md
+++ b/website/docs/releases/v2022.1.md
@@ -47,7 +47,7 @@ This release mostly removes legacy fields and features that have been deprecated
 - internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
 - internal: use math.MaxInt for compatibility
 - lifecycle: add early check for missing/invalid secret key
-- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
+- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier
 - outposts/proxyv2: fix before-redirect url not being saved in proxy mode
 - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
 - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
@@ -64,7 +64,7 @@ This release mostly removes legacy fields and features that have been deprecated
 ## Fixed in 2022.1.2
-- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
+- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted
 - lib: disable backup by default, add note to configuration
 - lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
 - outposts: allow custom label for docker containers