website/docs: use common placeholders for forward_auth
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
80364b04a9
commit
bc6afdf94f
|
@ -7,7 +7,7 @@ metadata:
|
||||||
name: authentik-outpost
|
name: authentik-outpost
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: *external host that you configured in authentik*
|
- host: app.company
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- backend:
|
- backend:
|
||||||
|
@ -23,9 +23,12 @@ Add these annotations to the ingress you want to protect
|
||||||
```yaml
|
```yaml
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
nginx.ingress.kubernetes.io/auth-url: |
|
||||||
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
https://outpost.company/akprox/auth/nginx
|
||||||
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
nginx.ingress.kubernetes.io/auth-signin: |
|
||||||
|
https://outpost.company/akprox/start?rd=$escaped_request_uri
|
||||||
|
nginx.ingress.kubernetes.io/auth-response-headers: |
|
||||||
|
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
```
|
```
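Review bot: The new `auth-signin` value sends the browser to `outpost.company`, while the ingress in the first hunk appears to publish the outpost under `app.company`. The user's browser follows that redirect, so it probably needs the application's external host, e.g. `https://app.company/akprox/start?rd=$escaped_request_uri`; this is worth confirming against how the outpost scopes its session cookie. Separately, the three annotations now use `|`, which keeps a trailing newline in each value. `|-` strips it and avoids handing nginx a URL that ends in a line break. The `metadata:` block of the snippet starts outside this hunk.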
|
||||||
|
|
|
@ -32,7 +32,7 @@ location / {
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /akprox must be accessible without authentication
|
||||||
location /akprox {
|
location /akprox {
|
||||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
proxy_pass http://outpost.company:9000/akprox;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
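Review bot: `proxy_pass http://outpost.company:9000/akprox;` forwards the unauthenticated `/akprox` traffic, which presumably carries the login callback and session cookie, to the outpost over plain HTTP. The new placeholder also reads like a routable hostname rather than a local one. A comment above the directive would help readers who run the outpost on another machine, for example `# plain HTTP: keep this hop on a trusted network, or proxy to the outpost's TLS listener instead`. The same line appears in the `server {` hunk that follows, and the Traefik `forwardAuth.address` values use the same scheme. The `location /akprox` block continues outside this hunk.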
|
||||||
|
|
|
@ -41,7 +41,7 @@ server {
|
||||||
|
|
||||||
# all requests to /akprox must be accessible without authentication
|
# all requests to /akprox must be accessible without authentication
|
||||||
location /akprox {
|
location /akprox {
|
||||||
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
|
proxy_pass http://outpost.company:9000/akprox;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -45,10 +45,10 @@ services:
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.port: 9000
|
traefik.port: 9000
|
||||||
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
|
||||||
traefik.http.routers.authentik.entrypoints: https
|
traefik.http.routers.authentik.entrypoints: https
|
||||||
traefik.http.routers.authentik.tls: true
|
traefik.http.routers.authentik.tls: true
|
||||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
|
traefik.http.middlewares.authentik.forwardauth.address: http://app.company:9000/akprox/auth/traefik
|
||||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
|
||||||
restart: unless-stopped
|
restart: unless-stopped
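Review bot: `forwardauth.address` now reads `http://app.company:9000/akprox/auth/traefik`, but the info box in this commit defines `app.company` as the application's external domain and `outpost.company` as the outpost. The other `forwardAuth` addresses changed in this commit use `outpost.company`. As written, a reader would point Traefik's auth subrequest at the public application host on port 9000 instead of the outpost container; the previous value was the compose service name `authentik_proxy`. I would change it to `traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik`. The `labels:` mapping starts outside this hunk.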
|
||||||
|
@ -57,7 +57,7 @@ services:
|
||||||
image: containous/whoami
|
image: containous/whoami
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
traefik.http.routers.whoami.rule: Host(`app.company`)
|
||||||
traefik.http.routers.whoami.entrypoints: https
|
traefik.http.routers.whoami.entrypoints: https
|
||||||
traefik.http.routers.whoami.tls: true
|
traefik.http.routers.whoami.tls: true
|
||||||
traefik.http.routers.whoami.middlewares: authentik@docker
|
traefik.http.routers.whoami.middlewares: authentik@docker
|
||||||
|
|
|
@ -7,7 +7,7 @@ metadata:
|
||||||
name: authentik
|
name: authentik
|
||||||
spec:
|
spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/akprox/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- Set-Cookie
|
- Set-Cookie
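Review bot: The middleware keeps `trustForwardHeader: true` with no explanation, and that option tells Traefik to trust the `X-Forwarded-*` headers already present on the incoming request rather than replacing them. That is only appropriate when Traefik sits behind another proxy that overwrites those headers. A comment such as `# only enable when a trusted proxy in front of Traefik sets X-Forwarded-*` would make the precondition visible to readers copying the snippet. The same setting appears in the compose labels and in the standalone file-provider snippet. The `authResponseHeaders` list continues outside this hunk.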
|
||||||
|
@ -30,7 +30,7 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr
|
||||||
spec:
|
spec:
|
||||||
routes:
|
routes:
|
||||||
- kind: Rule
|
- kind: Rule
|
||||||
match: "Host(`*external host that you configured in authentik*`)"
|
match: "Host(`app.company`)"
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: authentik
|
- name: authentik
|
||||||
namespace: authentik
|
namespace: authentik
|
||||||
|
@ -38,7 +38,7 @@ spec:
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
# This part is only required for single-app setups
|
# This part is only required for single-app setups
|
||||||
- kind: Rule
|
- kind: Rule
|
||||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services:
|
services:
|
||||||
- kind: Service
|
- kind: Service
|
||||||
|
|
|
@ -3,7 +3,7 @@ http:
|
||||||
middlewares:
|
middlewares:
|
||||||
authentik:
|
authentik:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/akprox/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeaders:
|
authResponseHeaders:
|
||||||
- Set-Cookie
|
- Set-Cookie
|
||||||
|
@ -14,13 +14,13 @@ http:
|
||||||
- X-authentik-uid
|
- X-authentik-uid
|
||||||
routers:
|
routers:
|
||||||
default-router:
|
default-router:
|
||||||
rule: "Host(`*external host that you configured in authentik*`)"
|
rule: "Host(`app.company`)"
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: authentik
|
- name: authentik
|
||||||
priority: 10
|
priority: 10
|
||||||
services: # Unchanged
|
services: # Unchanged
|
||||||
default-router-auth
|
default-router-auth:
|
||||||
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
|
||||||
priority: 15
|
priority: 15
|
||||||
services: http://*ip of your outpost*:9000/akprox
|
services: http://*ip of your outpost*:9000/akprox
|
||||||
```
|
```
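Review bot: `default-router-auth` carries its rule under `match:` while the sibling `default-router` a few lines above uses `rule:`. `match` is the IngressRoute CRD key, and this `http.routers` layout looks like the file provider, so the `/akprox/` router may be rejected or ignored as written. If it is, `/akprox/` requests would fall through to the router guarded by the `authentik` middleware, which contradicts the requirement that `/akprox` be reachable without authentication. I would rename the key to `rule:`. The last entry, `services: http://*ip of your outpost*:9000/akprox`, also still uses the old free-text placeholder; `services: http://outpost.company:9000/akprox` would match the rest of the commit.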
|
||||||
|
|
|
@ -35,6 +35,8 @@ For domain level, you'd use the same domain as authentik.
|
||||||
:::info
|
:::info
|
||||||
*example-outpost* is used as a placeholder for the outpost name.
|
*example-outpost* is used as a placeholder for the outpost name.
|
||||||
*authentik.company* is used as a placeholder for the authentik install.
|
*authentik.company* is used as a placeholder for the authentik install.
|
||||||
|
*app.company* is used as a placeholder for the external domain for the application.
|
||||||
|
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## Nginx
|
## Nginx
|
||||||
|
|