website/docs: use common placeholders for forward_auth
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
80364b04a9
commit
bc6afdf94f
|
@ -7,7 +7,7 @@ metadata:
|
|||
name: authentik-outpost
|
||||
spec:
|
||||
rules:
|
||||
- host: *external host that you configured in authentik*
|
||||
- host: app.company
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
|
@ -23,9 +23,12 @@ Add these annotations to the ingress you want to protect
|
|||
```yaml
|
||||
metadata:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
nginx.ingress.kubernetes.io/auth-url: |
|
||||
https://outpost.company/akprox/auth/nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: |
|
||||
https://outpost.company/akprox/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: |
|
||||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
```
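Review bot: The rewritten `auth-url`, `auth-signin` and `auth-response-headers` annotations in the second hunk use the `|` literal block style, which leaves a trailing newline in each annotation value. Readers copy these snippets verbatim, and a newline at the end of a URL or header list may be rejected or mis-parsed by the ingress controller (not verified from this page). Using `|-`, or a single-line quoted scalar such as `nginx.ingress.kubernetes.io/auth-url: "https://outpost.company/akprox/auth/nginx"`, avoids that. The same lines also change the endpoint from `/akprox/auth?nginx` to `/akprox/auth/nginx`, which is more than a placeholder rename and deserves a mention in the commit description.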
|
||||
|
|
|
@ -32,7 +32,7 @@ location / {
|
|||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||
proxy_pass http://outpost.company:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
|
|
|
@ -41,7 +41,7 @@ server {
|
|||
|
||||
# all requests to /akprox must be accessible without authentication
|
||||
location /akprox {
|
||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
||||
proxy_pass http://outpost.company:9000/akprox;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header Host $host;
|
||||
|
|
|
@ -45,10 +45,10 @@ services:
|
|||
labels:
|
||||
traefik.enable: true
|
||||
traefik.port: 9000
|
||||
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
||||
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
|
||||
traefik.http.routers.authentik.entrypoints: https
|
||||
traefik.http.routers.authentik.tls: true
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.address: http://app.company:9000/akprox/auth/traefik
|
||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||
restart: unless-stopped
|
||||
|
@ -57,7 +57,7 @@ services:
|
|||
image: containous/whoami
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
||||
traefik.http.routers.whoami.rule: Host(`app.company`)
|
||||
traefik.http.routers.whoami.entrypoints: https
|
||||
traefik.http.routers.whoami.tls: true
|
||||
traefik.http.routers.whoami.middlewares: authentik@docker
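Review bot: In the first hunk of this section the forwardauth label now points at `http://app.company:9000/akprox/auth/traefik`, but the placeholder legend added by this commit defines *app.company* as the application's external domain and *outpost.company* as the outpost. Every other snippet touched here sends forwardAuth to `outpost.company:9000`. A reader who substitutes values literally would direct the auth subrequest at the protected application's own hostname instead of the outpost, so authentication would fail or be checked against the wrong endpoint. Suggested line: `traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik`. Since `trustForwardHeader: true` sits right below it, a one-line comment that this setting assumes only trusted proxies can reach Traefik would also help readers.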
|
||||
|
|
|
@ -7,7 +7,7 @@ metadata:
|
|||
name: authentik
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
address: http://outpost.company:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
|
@ -30,7 +30,7 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr
|
|||
spec:
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`)"
|
||||
match: "Host(`app.company`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
namespace: authentik
|
||||
|
@ -38,7 +38,7 @@ spec:
|
|||
services: # Unchanged
|
||||
# This part is only required for single-app setups
|
||||
- kind: Rule
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services:
|
||||
- kind: Service
|
||||
|
|
|
@ -3,7 +3,7 @@ http:
|
|||
middlewares:
|
||||
authentik:
|
||||
forwardAuth:
|
||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
||||
address: http://outpost.company:9000/akprox/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- Set-Cookie
|
||||
|
@ -14,13 +14,13 @@ http:
|
|||
- X-authentik-uid
|
||||
routers:
|
||||
default-router:
|
||||
rule: "Host(`*external host that you configured in authentik*`)"
|
||||
rule: "Host(`app.company`)"
|
||||
middlewares:
|
||||
- name: authentik
|
||||
priority: 10
|
||||
services: # Unchanged
|
||||
default-router-auth
|
||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
||||
default-router-auth:
|
||||
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||
priority: 15
|
||||
services: http://*ip of your outpost*:9000/akprox
|
||||
```
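Review bot: The last line of the second hunk, `services: http://*ip of your outpost*:9000/akprox`, still carries the old free-text placeholder although the rest of the file now uses `outpost.company`. It should read `services: http://outpost.company:9000/akprox` to match the legend. In the same hunk `default-router` uses the key `rule:` while `default-router-auth` keeps `match:` on its rewritten line. Both are routers in the same file, so one of the two keys is presumably wrong for this provider. If the `/akprox/` router is not picked up as written, requests to the outpost path would not be routed as the docs intend, so the key should be aligned while this line is being touched.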
|
||||
|
|
|
@ -35,6 +35,8 @@ For domain level, you'd use the same domain as authentik.
|
|||
:::info
|
||||
*example-outpost* is used as a placeholder for the outpost name.
|
||||
*authentik.company* is used as a placeholder for the authentik install.
|
||||
*app.company* is used as a placeholder for the external domain for the application.
|
||||
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
|
||||
:::
|
||||
|
||||
## Nginx
|
||||
|
|