---
title: Proxy Provider
---

```mermaid
sequenceDiagram
    participant u as User accesses service
    participant rp as Reverse proxy
    participant ak as authentik
    participant s as Service

    u->>rp: Initial request
    rp->>ak: Checks authentication
    alt User is authenticated
        ak ->> rp: Successful response
        rp ->> s: Initial request is forwarded
    else User needs to be authenticated
        ak ->> rp: Redirect to the login page
        rp ->> u: Redirect is passed to end user
    end
```

## Headers

The proxy outpost sets the following user-specific headers:

### `X-authentik-username`

Example value: `akadmin`

The username of the currently logged in user.

### `X-authentik-groups`

Example value: `foo|bar|baz`

The groups the user is a member of, separated by a pipe (`|`).

### `X-authentik-email`

Example value: `root@localhost`

The email address of the currently logged in user.

### `X-authentik-name`

Example value: `authentik Default Admin`

The full name of the currently logged in user.

### `X-authentik-uid`

Example value: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`

The hashed identifier of the currently logged in user.

Besides these user-specific headers, some application-specific headers are also set:

### `X-authentik-meta-outpost`

Example value: `authentik Embedded Outpost`

The authentik outpost's name.

### `X-authentik-meta-provider`

Example value: `test`

The authentik provider's name.

### `X-authentik-meta-app`

Example value: `test`

The authentik application's slug.

### `X-authentik-meta-version`

Example value: `goauthentik.io/outpost/1.2.3`

The authentik outpost's version.

### `X-Forwarded-Host`

:::info
Only set in proxy mode
:::

The original `Host` header sent by the client. This header is set because the `Host` header of the forwarded request is set to the host of the configured backend.

### Additional headers

Additionally, you can set the `additionalHeaders` attribute on groups or users to send additional headers:

```yaml
additionalHeaders:
    X-test-header: test-value
```

## HTTPS

The outpost listens on port 9000 for HTTP and on port 9443 for HTTPS.

:::info
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
:::

## Logging out

Login is done automatically when you visit the domain without a valid cookie.

When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.

When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where `auth.domain.tld` is the external host configured for the provider.

To log out, navigate to `/outpost.goauthentik.io/sign_out`.

Starting with authentik 2023.2, when logging out of a provider, all of the user's sessions within the respective outpost are invalidated.

## Allowing unauthenticated requests

To allow unauthenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.

Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.

The behaviour of this field changes depending on which mode you're in.

### Proxy and Forward auth (single application)

In this mode, the regular expressions are matched against the request's path.

### Forward auth (domain level)

In this mode, the regular expressions are matched against the request's full URL.
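The following added example (not authentik's own code) checks patterns against sample requests in both modes before they go into the field, so you can confirm that only the intended requests skip authentication. It assumes the outpost applies each pattern unanchored, as Go's `regexp.MatchString` does; `CompilePatterns`, `SkipsAuth`, the `/health` patterns and the sample URL are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CompilePatterns treats each non-empty line of the field as one Go regular expression.
func CompilePatterns(field string) ([]*regexp.Regexp, error) {
	var out []*regexp.Regexp
	for i, line := range strings.Split(field, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// SkipsAuth matches the path (single application) or the full URL (domainLevel).
// Assumption: patterns are applied unanchored, as regexp.MatchString does.
func SkipsAuth(patterns []*regexp.Regexp, domainLevel bool, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false // unparsable input is never treated as allowlisted
	}
	subject := u.Path
	if domainLevel {
		subject = u.String()
	}
	for _, re := range patterns {
		if re.MatchString(subject) {
			return true
		}
	}
	return false
}

func main() {
	raw := "https://app.domain.tld/admin/health-report" // constructed sample request
	loose, _ := CompilePatterns("/health")
	strict, _ := CompilePatterns("^/health$")
	fmt.Println(SkipsAuth(loose, false, raw), SkipsAuth(strict, false, raw)) // true false
}
```

Anchoring with `^` and `$` limits a pattern to the exact path; in domain-level mode the anchored pattern has to cover the scheme and host as well, because the query string is part of the matched URL.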

## Dynamic backend selection

You can configure the backend that the proxy accesses dynamically via _Scope mappings_. To do so, create a new _Scope mapping_ with a name and scope of your choice. As the expression, use this:

```python
return {
    "ak_proxy": {
        "backend_override": f"http://foo.bar.baz/{request.user.username}"
    }
}
```

Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.