From bc6afdf94f7194ba13b1d2fa80db6b6f0b3d10b5 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Fri, 26 Nov 2021 13:29:38 +0100 Subject: [PATCH] website/docs: use common placeholders for forward_auth Signed-off-by: Jens Langhammer --- website/docs/providers/proxy/_nginx_ingress.md | 11 +++++++---- website/docs/providers/proxy/_nginx_proxy_manager.md | 2 +- website/docs/providers/proxy/_nginx_standalone.md | 2 +- website/docs/providers/proxy/_traefik_compose.md | 6 +++--- website/docs/providers/proxy/_traefik_ingress.md | 6 +++--- website/docs/providers/proxy/_traefik_standalone.md | 8 ++++---- website/docs/providers/proxy/forward_auth.mdx | 2 ++ 7 files changed, 21 insertions(+), 16 deletions(-) diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md index 11961932b..945dd2a51 100644 --- a/website/docs/providers/proxy/_nginx_ingress.md +++ b/website/docs/providers/proxy/_nginx_ingress.md @@ -7,7 +7,7 @@ metadata: name: authentik-outpost spec: rules: - - host: *external host that you configured in authentik* + - host: app.company http: paths: - backend: 
@@ -23,9 +23,12 @@ Add these annotations to the ingress you want to protect ```yaml metadata: annotations: - nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx - nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-url: | + https://outpost.company/akprox/auth/nginx + nginx.ingress.kubernetes.io/auth-signin: | + https://outpost.company/akprox/start?rd=$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: | + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; ``` diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md index bd30d2b75..4e4ec7159 100644 --- a/website/docs/providers/proxy/_nginx_proxy_manager.md +++ b/website/docs/providers/proxy/_nginx_proxy_manager.md @@ -32,7 +32,7 @@ location / { # all requests to /akprox must be accessible without authentication location /akprox { - proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; + proxy_pass http://outpost.company:9000/akprox; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md index 3b219b31f..e113386b2 100644 --- a/website/docs/providers/proxy/_nginx_standalone.md +++ b/website/docs/providers/proxy/_nginx_standalone.md 
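Review bot: The three annotations rewritten in the `_nginx_ingress.md` hunk at -23,9 now use the literal block indicator `|`, which keeps a trailing newline, so each annotation value ends in `\n` after the URL or header list. Whether ingress-nginx trims that before building the `auth_request` configuration is not visible here, so the strip form is safer: `nginx.ingress.kubernetes.io/auth-url: |-`, and the same for `auth-signin` and `auth-response-headers`. The same hunk also changes the endpoint from `/akprox/auth?nginx` to `/akprox/auth/nginx`, which is a behaviour change rather than a placeholder rename and deserves a line in the commit message.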
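Review bot: `proxy_pass http://outpost.company:9000/akprox;` in `_nginx_proxy_manager.md` keeps plain HTTP while swapping a placeholder that said "ip or hostname of the authentik OUTPOST" for one that reads like a public DNS name. The note added to forward_auth.mdx even says it can equal *authentik.company*. A reader who copies this literally would likely send the outpost's login and session traffic in cleartext to whatever that name resolves to. I would add a comment above the directive such as `# outpost.company must resolve to the outpost over a trusted network; use the outpost's TLS listener otherwise`. The same applies to the identical line in `_nginx_standalone.md` and to the `address: http://outpost.company:9000/...` lines in `_traefik_ingress.md` and `_traefik_standalone.md`; the `location /akprox` block continues outside this hunk.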
@@ -41,7 +41,7 @@ server { # all requests to /akprox must be accessible without authentication location /akprox { - proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; + proxy_pass http://outpost.company:9000/akprox; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md index 28d94377e..e3ed153ca 100644 --- a/website/docs/providers/proxy/_traefik_compose.md +++ b/website/docs/providers/proxy/_traefik_compose.md @@ -45,10 +45,10 @@ services: labels: traefik.enable: true traefik.port: 9000 - traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`) + traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`) traefik.http.routers.authentik.entrypoints: https traefik.http.routers.authentik.tls: true - traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik + traefik.http.middlewares.authentik.forwardauth.address: http://app.company:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid restart: unless-stopped @@ -57,7 +57,7 @@ services: image: containous/whoami labels: traefik.enable: true - traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`) + traefik.http.routers.whoami.rule: Host(`app.company`) traefik.http.routers.whoami.entrypoints: https traefik.http.routers.whoami.tls: true traefik.http.routers.whoami.middlewares: authentik@docker diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md index 2fb7cf735..3dc18778d 100644 
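Review bot: In the first `_traefik_compose.md` hunk the forwardAuth address becomes `http://app.company:9000/akprox/auth/traefik`, but this patch defines *app.company* as the application's external domain and uses *outpost.company* for the outpost in every other snippet. The removed value `authentik_proxy` looks like the compose service name (the service definition starts outside the hunk), so Traefik previously reached the outpost directly on the compose network. As written, the auth sub-request goes to port 9000 on the application's public host. With `trustForwardHeader: true` on the next line, it matters that this address points only at the outpost. I would change it to `traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik`, or keep the service name.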
--- a/website/docs/providers/proxy/_traefik_ingress.md +++ b/website/docs/providers/proxy/_traefik_ingress.md @@ -7,7 +7,7 @@ metadata: name: authentik spec: forwardAuth: - address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik + address: http://outpost.company:9000/akprox/auth/traefik trustForwardHeader: true authResponseHeaders: - Set-Cookie @@ -30,7 +30,7 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr spec: routes: - kind: Rule - match: "Host(`*external host that you configured in authentik*`)" + match: "Host(`app.company`)" middlewares: - name: authentik namespace: authentik @@ -38,7 +38,7 @@ spec: services: # Unchanged # This part is only required for single-app setups - kind: Rule - match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" + match: "Host(`app.company`) && PathPrefix(`/akprox/`)" priority: 15 services: - kind: Service diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md index 72f834e89..032bbbaf3 100644 --- a/website/docs/providers/proxy/_traefik_standalone.md +++ b/website/docs/providers/proxy/_traefik_standalone.md @@ -3,7 +3,7 @@ http: middlewares: authentik: forwardAuth: - address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik + address: http://outpost.company:9000/akprox/auth/traefik trustForwardHeader: true authResponseHeaders: - Set-Cookie @@ -14,13 +14,13 @@ http: - X-authentik-uid routers: default-router: - rule: "Host(`*external host that you configured in authentik*`)" + rule: "Host(`app.company`)" middlewares: - name: authentik priority: 10 services: # Unchanged - default-router-auth - match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" + default-router-auth: + match: "Host(`app.company`) && PathPrefix(`/akprox/`)" priority: 15 services: http://*ip of your outpost*:9000/akprox ``` 
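Review bot: The second `_traefik_standalone.md` hunk adds the missing colon to `default-router-auth:` but leaves its matcher under the key `match:`, while `default-router` a few lines above uses `rule:`. `rule` is the key Traefik's file provider expects for a router; `match` belongs to the IngressRoute CRD. If Traefik drops or rejects that router, requests to `/akprox/` would presumably fall through to `default-router`, which carries the authentik middleware, so the outpost's own endpoints would sit behind the authentication they implement. I would rename the key to `rule:` and, since the commit is about common placeholders, replace the leftover `*ip of your outpost*` on the last line with `outpost.company`.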
diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx index f24457d56..76c84ccbd 100644 --- a/website/docs/providers/proxy/forward_auth.mdx +++ b/website/docs/providers/proxy/forward_auth.mdx @@ -35,6 +35,8 @@ For domain level, you'd use the same domain as authentik. :::info *example-outpost* is used as a placeholder for the outpost name. *authentik.company* is used as a placeholder for the authentik install. +*app.company* is used as a placeholder for the external domain for the application. +*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company* ::: ## Nginx