diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md
new file mode 100644
index 000000000..11961932b
--- /dev/null
+++ b/website/docs/providers/proxy/_nginx_ingress.md
@@ -0,0 +1,31 @@
+Create a new ingress for the outpost
+
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: authentik-outpost
+spec:
+ rules:
+ - host: *external host that you configured in authentik*
+ http:
+ paths:
+ - backend:
+ serviceName: authentik-outpost-example-outpost
+ servicePort: 9000
+ path: /akprox
+```
+
+This ingress handles authentication requests, and the sign-in flow.
+
+Add these annotations to the ingress you want to protect
+
+```yaml
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
+ nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+```
diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md
new file mode 100644
index 000000000..bd30d2b75
--- /dev/null
+++ b/website/docs/providers/proxy/_nginx_proxy_manager.md
@@ -0,0 +1,50 @@
+For Nginx Proxy Manager you can use this snippet
+
+```
+# Increase buffer size for large headers
+# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
+proxy_buffers 8 16k;
+proxy_buffer_size 32k;
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 32k;
+
+location / {
+ # Put your proxy_pass to your application here
+ proxy_pass $forward_scheme://$server:$port;
+
+ # authentik-specific config
+ auth_request /akprox/auth/nginx;
+ error_page 401 = @akprox_signin;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+}
+
+# all requests to /akprox must be accessible without authentication
+location /akprox {
+ proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header Host $host;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+}
+
+# Special location for when the /auth endpoint returns a 401,
+# redirect to the /start URL which initiates SSO
+location @akprox_signin {
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /akprox/start?rd=$request_uri;
+}
+```
diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md
new file mode 100644
index 000000000..3b219b31f
--- /dev/null
+++ b/website/docs/providers/proxy/_nginx_standalone.md
@@ -0,0 +1,60 @@
+
+```
+server {
+ # SSL and VHost configuration
+ listen 443 ssl http2;
+ server_name _;
+
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+ # Increase buffer size for large headers
+ # This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
+ proxy_buffers 8 16k;
+ proxy_buffer_size 32k;
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+
+ location / {
+ # Put your proxy_pass to your application here
+ # proxy_pass http://localhost:5000;
+
+ # authentik-specific config
+ auth_request /akprox/auth/nginx;
+ error_page 401 = @akprox_signin;
+ # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+ # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ }
+
+ # all requests to /akprox must be accessible without authentication
+ location /akprox {
+ proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header Host $host;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ }
+
+ # Special location for when the /auth endpoint returns a 401,
+ # redirect to the /start URL which initiates SSO
+ location @akprox_signin {
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /akprox/start?rd=$request_uri;
+ }
+}
+```
diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md
new file mode 100644
index 000000000..28d94377e
--- /dev/null
+++ b/website/docs/providers/proxy/_traefik_compose.md
@@ -0,0 +1,65 @@
+
+```yaml
+version: '3.7'
+services:
+ traefik:
+ image: traefik:v2.2
+ container_name: traefik
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ labels:
+ traefik.enable: true
+ traefik.http.routers.api.rule: Host(`traefik.example.com`)
+ traefik.http.routers.api.entrypoints: https
+ traefik.http.routers.api.service: api@internal
+ traefik.http.routers.api.tls: true
+ ports:
+ - 80:80
+ - 443:443
+ command:
+ - '--api'
+ - '--log=true'
+ - '--log.level=DEBUG'
+ - '--log.filepath=/var/log/traefik.log'
+ - '--providers.docker=true'
+ - '--providers.docker.exposedByDefault=false'
+ - '--entrypoints.http=true'
+ - '--entrypoints.http.address=:80'
+ - '--entrypoints.http.http.redirections.entrypoint.to=https'
+ - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
+ - '--entrypoints.https=true'
+ - '--entrypoints.https.address=:443'
+
+ authentik_proxy:
+ image: goauthentik.io/proxy:2021.5.1
+ ports:
+ - 9000:9000
+ - 9443:9443
+ environment:
+ AUTHENTIK_HOST: https://your-authentik.tld
+ AUTHENTIK_INSECURE: "false"
+ AUTHENTIK_TOKEN: token-generated-by-authentik
+ # Starting with 2021.9, you can optionally set this too
+ # when authentik_host for internal communication doesn't match the public URL
+ # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
+ labels:
+ traefik.enable: true
+ traefik.port: 9000
+ traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
+ traefik.http.routers.authentik.entrypoints: https
+ traefik.http.routers.authentik.tls: true
+ traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
+ traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+ traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ restart: unless-stopped
+
+ whoami:
+ image: containous/whoami
+ labels:
+ traefik.enable: true
+ traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
+ traefik.http.routers.whoami.entrypoints: https
+ traefik.http.routers.whoami.tls: true
+ traefik.http.routers.whoami.middlewares: authentik@docker
+ restart: unless-stopped
+```
diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md
new file mode 100644
index 000000000..2fb7cf735
--- /dev/null
+++ b/website/docs/providers/proxy/_traefik_ingress.md
@@ -0,0 +1,47 @@
+Create a middleware:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik
+spec:
+ forwardAuth:
+ address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Set-Cookie
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+```
+
+Add the following settings to your IngressRoute
+
+:::warning
+By default traefik does not allow cross-namespace references for middlewares:
+
+See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
+:::
+
+```yaml
+spec:
+ routes:
+ - kind: Rule
+ match: "Host(`*external host that you configured in authentik*`)"
+ middlewares:
+ - name: authentik
+ namespace: authentik
+ priority: 10
+ services: # Unchanged
+ # This part is only required for single-app setups
+ - kind: Rule
+ match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
+ priority: 15
+ services:
+ - kind: Service
+ name: authentik-outpost-example-outpost
+ port: 9000
+```
diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md
new file mode 100644
index 000000000..72f834e89
--- /dev/null
+++ b/website/docs/providers/proxy/_traefik_standalone.md
@@ -0,0 +1,26 @@
+```yaml
+http:
+ middlewares:
+ authentik:
+ forwardAuth:
+ address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Set-Cookie
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ routers:
+ default-router:
+ rule: "Host(`*external host that you configured in authentik*`)"
+ middlewares:
+ - name: authentik
+ priority: 10
+ services: # Unchanged
+ default-router-auth
+ match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
+ priority: 15
+ services: http://*ip of your outpost*:9000/akprox
+```
diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx
index 6505d9789..f24457d56 100644
--- a/website/docs/providers/proxy/forward_auth.mdx
+++ b/website/docs/providers/proxy/forward_auth.mdx
@@ -47,102 +47,28 @@ import TabItem from '@theme/TabItem';
values={[
{label: 'Standalone nginx', value: 'standalone-nginx'},
{label: 'Ingress', value: 'ingress'},
+ {label: 'Nginx Proxy Manager', value: 'proxy-manager'},
]}>
-```
-server {
- # SSL and VHost configuration
- listen 443 ssl http2;
- server_name _;
+import NginxStandalone from './_nginx_standalone.md'
- ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
- ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-
- # Increase buffer size for large headers
- # This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
- proxy_buffers 8 16k;
- proxy_buffer_size 32k;
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
-
- location / {
- # Put your proxy_pass to your application here
- # proxy_pass http://localhost:5000;
-
- # authentik-specific config
- auth_request /akprox/auth/nginx;
- error_page 401 = @akprox_signin;
- # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
-
- # translate headers from the outposts back to the actual upstream
- auth_request_set $authentik_username $upstream_http_x_authentik_username;
- auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
- auth_request_set $authentik_email $upstream_http_x_authentik_email;
- auth_request_set $authentik_name $upstream_http_x_authentik_name;
- auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
- proxy_set_header X-authentik-username $authentik_username;
- proxy_set_header X-authentik-groups $authentik_groups;
- proxy_set_header X-authentik-email $authentik_email;
- proxy_set_header X-authentik-name $authentik_name;
- proxy_set_header X-authentik-uid $authentik_uid;
- }
-
- # all requests to /akprox must be accessible without authentication
- location /akprox {
- proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox;
- # ensure the host of this vserver matches your external URL you've configured
- # in authentik
- proxy_set_header Host $host;
- add_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- }
-
- # Special location for when the /auth endpoint returns a 401,
- # redirect to the /start URL which initiates SSO
- location @akprox_signin {
- internal;
- add_header Set-Cookie $auth_cookie;
- return 302 /akprox/start?rd=$request_uri;
- }
-}
-```
+
-Create a new ingress for the outpost
-```yaml
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
- name: authentik-outpost
-spec:
- rules:
- - host: *external host that you configured in authentik*
- http:
- paths:
- - backend:
- serviceName: authentik-outpost-example-outpost
- servicePort: 9000
- path: /akprox
-```
+import NginxIngress from './_nginx_ingress.md'
-This ingress handles authentication requests, and the sign-in flow.
+
-Add these annotations to the ingress you want to protect
+
+
+
+import NginxProxyManager from './_nginx_proxy_manager.md'
+
+
-```yaml
-metadata:
- annotations:
- nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
- nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
- nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
- nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
-```
@@ -157,148 +83,23 @@ metadata:
]}>
-```yaml
-http:
- middlewares:
- authentik:
- forwardAuth:
- address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
- trustForwardHeader: true
- authResponseHeaders:
- - Set-Cookie
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
- routers:
- default-router:
- rule: "Host(`*external host that you configured in authentik*`)"
- middlewares:
- - name: authentik
- priority: 10
- services: # Unchanged
- default-router-auth
- match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
- priority: 15
- services: http://*ip of your outpost*:9000/akprox
-```
+import TraefikStandalone from './_traefik_standalone.md'
+
+
+
-```yaml
-version: '3.7'
-services:
- traefik:
- image: traefik:v2.2
- container_name: traefik
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- labels:
- traefik.enable: true
- traefik.http.routers.api.rule: Host(`traefik.example.com`)
- traefik.http.routers.api.entrypoints: https
- traefik.http.routers.api.service: api@internal
- traefik.http.routers.api.tls: true
- ports:
- - 80:80
- - 443:443
- command:
- - '--api'
- - '--log=true'
- - '--log.level=DEBUG'
- - '--log.filepath=/var/log/traefik.log'
- - '--providers.docker=true'
- - '--providers.docker.exposedByDefault=false'
- - '--entrypoints.http=true'
- - '--entrypoints.http.address=:80'
- - '--entrypoints.http.http.redirections.entrypoint.to=https'
- - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- - '--entrypoints.https=true'
- - '--entrypoints.https.address=:443'
+import TraefikCompose from './_traefik_compose.md'
- authentik_proxy:
- image: goauthentik.io/proxy:2021.5.1
- ports:
- - 9000:9000
- - 9443:9443
- environment:
- AUTHENTIK_HOST: https://your-authentik.tld
- AUTHENTIK_INSECURE: "false"
- AUTHENTIK_TOKEN: token-generated-by-authentik
- # Starting with 2021.9, you can optionally set this too
- # when authentik_host for internal communication doesn't match the public URL
- # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
- labels:
- traefik.enable: true
- traefik.port: 9000
- traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
- traefik.http.routers.authentik.entrypoints: https
- traefik.http.routers.authentik.tls: true
- traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik
- traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
- traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
- restart: unless-stopped
-
- whoami:
- image: containous/whoami
- labels:
- traefik.enable: true
- traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
- traefik.http.routers.whoami.entrypoints: https
- traefik.http.routers.whoami.tls: true
- traefik.http.routers.whoami.middlewares: authentik@docker
- restart: unless-stopped
-```
+
-Create a middleware:
-```yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: authentik
-spec:
- forwardAuth:
- address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik
- trustForwardHeader: true
- authResponseHeaders:
- - Set-Cookie
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
-```
+import TraefikIngress from './_traefik_ingress.md'
-Add the following settings to your IngressRoute
+
-:::warning
-By default traefik does not allow cross-namespace references for middlewares:
-
-See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it.
-:::
-
-```yaml
-spec:
- routes:
- - kind: Rule
- match: "Host(`*external host that you configured in authentik*`)"
- middlewares:
- - name: authentik
- namespace: authentik
- priority: 10
- services: # Unchanged
- # This part is only required for single-app setups
- - kind: Rule
- match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
- priority: 15
- services:
- - kind: Service
- name: authentik-outpost-example-outpost
- port: 9000
-```