---
title: Forward auth
---

import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";

With forward auth, your existing reverse proxy continues to do the proxying, and the
authentik outpost is only used to check authentication and authorization.

To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use one of the Forward auth modes.

## Single application

Single application mode works for a single application hosted on its own dedicated subdomain. This
has the advantage that you can still apply per-application access policies in authentik.

## Domain level

To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.

This mode differs from the _Forward auth (single application)_ mode in the following points:

- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times

There are, however, also some downsides, mainly that you **can't** restrict individual
applications to different users.

The only configuration difference between single application and domain level is the host you specify.

For single application, you'd use the domain that the application is running on, and only `/outpost.goauthentik.io`
is redirected to the outpost.

For domain level, you'd use the same domain as authentik.

:::info
_example-outpost_ is used as a placeholder for the outpost name.
_authentik.company_ is used as a placeholder for the authentik install.
_app.company_ is used as a placeholder for the external domain for the application.
_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_.
:::
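
The access-control trade-off between the two modes, as a toy model added here for illustration (it is not authentik's code). `Provider`, `forward_auth`, the user names and the host `admin.company` are hypothetical, and treating a domain-level provider as answering for a parent domain and all of its subdomains is an assumption of the model.

```python
# Added example: a toy model of the forward-auth decision, not authentik's code.
# Provider, forward_auth and the host names are hypothetical; constructed data only.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    mode: str                 # "single" or "domain"
    host: str                 # application host (single) or parent domain (domain level)
    allowed_users: frozenset  # access policy bound to this provider's application

    def covers(self, request_host: str) -> bool:
        host = request_host.lower().rstrip(".")
        if self.mode == "single":
            return host == self.host
        # Assumption: a domain-level provider answers for the domain and all
        # subdomains. Match on a label boundary, not a bare suffix.
        return host == self.host or host.endswith("." + self.host)


def forward_auth(providers, request_host: str, user: Optional[str]) -> str:
    """Decision the reverse proxy gets back before it forwards a request."""
    provider = next((p for p in providers if p.covers(request_host)), None)
    if provider is None:
        return "deny"    # fail closed: no provider is responsible for this host
    if user is None:
        return "login"   # no session yet: send the user to authentik
    return "allow" if user in provider.allowed_users else "deny"


# Constructed setup 1: one provider per application, each with its own policy.
SINGLE = [
    Provider("single", "app.company", frozenset({"alice", "bob"})),
    Provider("single", "admin.company", frozenset({"alice"})),
]
# Constructed setup 2: one domain-level provider, one policy for everything.
DOMAIN = [Provider("domain", "company", frozenset({"alice", "bob"}))]


def decisions(providers, user):
    hosts = ("app.company", "admin.company", "notcompany")
    return {h: forward_auth(providers, h, user) for h in hosts}


if __name__ == "__main__":
    for name, setup in (("single", SINGLE), ("domain", DOMAIN)):
        print(name, decisions(setup, "bob"))
```

In the single-application setup `bob` is denied on `admin.company`, while the domain-level setup allows him there because one policy covers every host under the domain.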

## Nginx

<Tabs
  defaultValue="standalone-nginx"
  values={[
    {label: 'Standalone nginx', value: 'standalone-nginx'},
    {label: 'Ingress', value: 'ingress'},
    {label: 'Nginx Proxy Manager', value: 'proxy-manager'},
  ]}>
<TabItem value="standalone-nginx">

import NginxStandalone from "./_nginx_standalone.md";

<NginxStandalone />

</TabItem>
<TabItem value="ingress">

import NginxIngress from "./_nginx_ingress.md";

<NginxIngress />

</TabItem>
<TabItem value="proxy-manager">

import NginxProxyManager from "./_nginx_proxy_manager.md";

<NginxProxyManager />

</TabItem>
</Tabs>

## Traefik

<Tabs
  defaultValue="standalone-traefik"
  values={[
    {label: 'Standalone traefik', value: 'standalone-traefik'},
    {label: 'docker-compose', value: 'docker-compose'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
<TabItem value="standalone-traefik">

import TraefikStandalone from "./_traefik_standalone.md";

<TraefikStandalone />

</TabItem>
<TabItem value="docker-compose">

import TraefikCompose from "./_traefik_compose.md";

<TraefikCompose />

</TabItem>
<TabItem value="ingress">

import TraefikIngress from "./_traefik_ingress.md";

<TraefikIngress />

</TabItem>
</Tabs>

## Envoy (Istio)

:::info
Requires authentik 2022.6
:::

:::info
Support for this is still in preview; please report bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
:::

:::info
If you are using Istio and Kubernetes, use the port number that is exposed for your cluster.
:::

<Tabs
  defaultValue="envoy-istio"
  values={[
    {label: 'Envoy (Istio)', value: 'envoy-istio'},
  ]}>
<TabItem value="envoy-istio">

import EnvoyIstio from "./_envoy_istio.md";

<EnvoyIstio />

</TabItem>
</Tabs>

## Caddy

:::info
Requires authentik 2022.8
:::

<Tabs
  defaultValue="caddy-standalone"
  values={[
    {label: 'Caddy (standalone)', value: 'caddy-standalone'},
  ]}>
<TabItem value="caddy-standalone">

import CaddyStandalone from "./_caddy_standalone.md";

<CaddyStandalone />

</TabItem>
</Tabs>