website/docs: use common placeholders for forward_auth

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-11-26 13:29:38 +01:00
parent 80364b04a9
commit bc6afdf94f
7 changed files with 21 additions and 16 deletions


@ -7,7 +7,7 @@ metadata:
name: authentik-outpost name: authentik-outpost
spec: spec:
rules: rules:
- host: *external host that you configured in authentik* - host: app.company
http: http:
paths: paths:
- backend: - backend:
@ -23,9 +23,12 @@ Add these annotations to the ingress you want to protect
```yaml ```yaml
metadata: metadata:
annotations: annotations:
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx nginx.ingress.kubernetes.io/auth-url: |
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri https://outpost.company/akprox/auth/nginx
nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid nginx.ingress.kubernetes.io/auth-signin: |
https://outpost.company/akprox/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: | nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
``` ```
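Review bot: The new `auth-url`, `auth-signin` and `auth-response-headers` annotations use the `|` block scalar, which keeps a trailing newline in each value, so the URLs and the header list handed to the ingress controller end in `\n`. Use the stripping form instead, e.g. `nginx.ingress.kubernetes.io/auth-url: |-`, or keep each value as a single-line quoted string. How the controller treats an auth URL with a trailing newline is not visible here, so after applying the example it is worth confirming that an unauthenticated request to the protected host is refused rather than served.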


@ -32,7 +32,7 @@ location / {
# all requests to /akprox must be accessible without authentication # all requests to /akprox must be accessible without authentication
location /akprox { location /akprox {
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; proxy_pass http://outpost.company:9000/akprox;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;


@ -41,7 +41,7 @@ server {
# all requests to /akprox must be accessible without authentication # all requests to /akprox must be accessible without authentication
location /akprox { location /akprox {
proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; proxy_pass http://outpost.company:9000/akprox;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;


@ -45,10 +45,10 @@ services:
labels: labels:
traefik.enable: true traefik.enable: true
traefik.port: 9000 traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`) traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
traefik.http.routers.authentik.entrypoints: https traefik.http.routers.authentik.entrypoints: https
traefik.http.routers.authentik.tls: true traefik.http.routers.authentik.tls: true
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.address: http://app.company:9000/akprox/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
restart: unless-stopped restart: unless-stopped
@ -57,7 +57,7 @@ services:
image: containous/whoami image: containous/whoami
labels: labels:
traefik.enable: true traefik.enable: true
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`) traefik.http.routers.whoami.rule: Host(`app.company`)
traefik.http.routers.whoami.entrypoints: https traefik.http.routers.whoami.entrypoints: https
traefik.http.routers.whoami.tls: true traefik.http.routers.whoami.tls: true
traefik.http.routers.whoami.middlewares: authentik@docker traefik.http.routers.whoami.middlewares: authentik@docker
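Review bot: The `forwardauth.address` label now points at `http://app.company:9000/akprox/auth/traefik`, but `app.company` is the placeholder for the protected application's external domain, while the other Traefik examples in this commit use `outpost.company` for the same setting. As written, the auth subrequest is directed at the application's hostname on port 9000 instead of the outpost; the previous value was the compose service name `authentik_proxy`. It should presumably read `traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik`. The `services:` block starts above the visible hunk.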


@ -7,7 +7,7 @@ metadata:
name: authentik name: authentik
spec: spec:
forwardAuth: forwardAuth:
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- Set-Cookie - Set-Cookie
@ -30,7 +30,7 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr
spec: spec:
routes: routes:
- kind: Rule - kind: Rule
match: "Host(`*external host that you configured in authentik*`)" match: "Host(`app.company`)"
middlewares: middlewares:
- name: authentik - name: authentik
namespace: authentik namespace: authentik
@ -38,7 +38,7 @@ spec:
services: # Unchanged services: # Unchanged
# This part is only required for single-app setups # This part is only required for single-app setups
- kind: Rule - kind: Rule
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
priority: 15 priority: 15
services: services:
- kind: Service - kind: Service
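Review bot: `address: http://outpost.company:9000/akprox/auth/traefik` replaces an in-cluster service name with a placeholder that reads like a public DNS name, while the scheme stays plain `http`; the standalone Traefik example makes the same change to its `forwardAuth.address`. The forward-auth response carries `Set-Cookie` and the `X-authentik-*` identity headers, so this hop needs to stay on a trusted network. I would add a comment above the line such as `# keep this on an internal address; use https if the outpost is reached over an untrusted network`. The manifests continue outside the visible hunks.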


@ -3,7 +3,7 @@ http:
middlewares: middlewares:
authentik: authentik:
forwardAuth: forwardAuth:
address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- Set-Cookie - Set-Cookie
@ -14,13 +14,13 @@ http:
- X-authentik-uid - X-authentik-uid
routers: routers:
default-router: default-router:
rule: "Host(`*external host that you configured in authentik*`)" rule: "Host(`app.company`)"
middlewares: middlewares:
- name: authentik - name: authentik
priority: 10 priority: 10
services: # Unchanged services: # Unchanged
default-router-auth default-router-auth:
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
priority: 15 priority: 15
services: http://*ip of your outpost*:9000/akprox services: http://*ip of your outpost*:9000/akprox
``` ```
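Review bot: The last line of the `default-router-auth` router still reads `services: http://*ip of your outpost*:9000/akprox`, so the old free-text placeholder survives next to the new `outpost.company` used in `forwardAuth.address` above. For consistency with the placeholder list it should become `services: http://outpost.company:9000/akprox`. Separately, this router uses `match:` where `default-router` in the same block uses `rule:`; if the file provider ignores or rejects that key, the `/akprox/` path would not get its own unauthenticated route, so it is worth checking against the Traefik version the page targets.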


@ -35,6 +35,8 @@ For domain level, you'd use the same domain as authentik.
:::info :::info
*example-outpost* is used as a placeholder for the outpost name. *example-outpost* is used as a placeholder for the outpost name.
*authentik.company* is used as a placeholder for the authentik install. *authentik.company* is used as a placeholder for the authentik install.
*app.company* is used as a placeholder for the external domain for the application.
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
::: :::
## Nginx ## Nginx