From 4ce3c2341cc1f7ef6620e973958d687447e661a2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 12 Nov 2021 22:57:19 +0100
Subject: [PATCH] website/docs: add nginx-proxy-manager

Signed-off-by: Jens Langhammer
---
 .../docs/providers/proxy/_nginx_ingress.md | 31 +++
 .../providers/proxy/_nginx_proxy_manager.md | 50 ++++
 .../docs/providers/proxy/_nginx_standalone.md | 60 +++++
 .../docs/providers/proxy/_traefik_compose.md | 65 +++++
 .../docs/providers/proxy/_traefik_ingress.md | 47 ++++
 .../providers/proxy/_traefik_standalone.md | 26 ++
 website/docs/providers/proxy/forward_auth.mdx | 237 ++----------------
 7 files changed, 298 insertions(+), 218 deletions(-)
 create mode 100644 website/docs/providers/proxy/_nginx_ingress.md
 create mode 100644 website/docs/providers/proxy/_nginx_proxy_manager.md
 create mode 100644 website/docs/providers/proxy/_nginx_standalone.md
 create mode 100644 website/docs/providers/proxy/_traefik_compose.md
 create mode 100644 website/docs/providers/proxy/_traefik_ingress.md
 create mode 100644 website/docs/providers/proxy/_traefik_standalone.md

diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md
new file mode 100644
index 000000000..11961932b
--- /dev/null
+++ b/website/docs/providers/proxy/_nginx_ingress.md
@@ -0,0 +1,31 @@ +Create a new ingress for the outpost + +```yaml +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: authentik-outpost +spec: + rules: + - host: *external host that you configured in authentik* + http: + paths: + - backend: + serviceName: authentik-outpost-example-outpost + servicePort: 9000 + path: /akprox +``` + +This ingress handles authentication requests, and the sign-in flow. + +Add these annotations to the ingress you want to protect + +```yaml +metadata: + annotations: + nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx + nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; +``` diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md new file mode 100644 index 000000000..bd30d2b75 --- /dev/null +++ b/website/docs/providers/proxy/_nginx_proxy_manager.md 
@@ -0,0 +1,50 @@ +For Nginx Proxy Manager you can use this snippet + +``` +# Increase buffer size for large headers +# This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik +proxy_buffers 8 16k; +proxy_buffer_size 32k; +fastcgi_buffers 16 16k; +fastcgi_buffer_size 32k; + +location / { + # Put your proxy_pass to your application here + proxy_pass $forward_scheme://$server:$port; + + # authentik-specific config + auth_request /akprox/auth/nginx; + error_page 401 = @akprox_signin; + + # translate headers from the outposts back to the actual upstream + auth_request_set $authentik_username $upstream_http_x_authentik_username; + auth_request_set $authentik_groups $upstream_http_x_authentik_groups; + auth_request_set $authentik_email $upstream_http_x_authentik_email; + auth_request_set $authentik_name $upstream_http_x_authentik_name; + auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + + proxy_set_header X-authentik-username $authentik_username; + proxy_set_header X-authentik-groups $authentik_groups; + proxy_set_header X-authentik-email $authentik_email; + proxy_set_header X-authentik-name $authentik_name; + proxy_set_header X-authentik-uid $authentik_uid; +} + +# all requests to /akprox must be accessible without authentication +location /akprox { + proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; + # ensure the host of this vserver matches your external URL you've configured + # in authentik + proxy_set_header Host $host; + add_header Set-Cookie $auth_cookie; + auth_request_set $auth_cookie $upstream_http_set_cookie; +} + +# Special location for when the /auth endpoint returns a 401, +# redirect to the /start URL which initiates SSO +location @akprox_signin { + internal; + add_header Set-Cookie $auth_cookie; + return 302 /akprox/start?rd=$request_uri; +} +``` 
diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md
new file mode 100644
index 000000000..3b219b31f
--- /dev/null
+++ b/website/docs/providers/proxy/_nginx_standalone.md
@@ -0,0 +1,60 @@ + +``` +server { + # SSL and VHost configuration + listen 443 ssl http2; + server_name _; + + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + # Increase buffer size for large headers + # This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik + proxy_buffers 8 16k; + proxy_buffer_size 32k; + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + + location / { + # Put your proxy_pass to your application here + # proxy_pass http://localhost:5000; + + # authentik-specific config + auth_request /akprox/auth/nginx; + error_page 401 = @akprox_signin; + # For domain level, use the below error_page to redirect to your authentik server with the full redirect path + # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; + + # translate headers from the outposts back to the actual upstream + auth_request_set $authentik_username $upstream_http_x_authentik_username; + auth_request_set $authentik_groups $upstream_http_x_authentik_groups; + auth_request_set $authentik_email $upstream_http_x_authentik_email; + auth_request_set $authentik_name $upstream_http_x_authentik_name; + auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + + proxy_set_header X-authentik-username $authentik_username; + proxy_set_header X-authentik-groups $authentik_groups; + proxy_set_header X-authentik-email $authentik_email; + proxy_set_header X-authentik-name $authentik_name; + proxy_set_header X-authentik-uid $authentik_uid; + } + + # all requests to /akprox must be accessible without authentication + location /akprox { + proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; + # ensure the host of this vserver matches your external URL you've configured + # in authentik + proxy_set_header Host $host; + add_header Set-Cookie 
$auth_cookie; + auth_request_set $auth_cookie $upstream_http_set_cookie; + } + + # Special location for when the /auth endpoint returns a 401, + # redirect to the /start URL which initiates SSO + location @akprox_signin { + internal; + add_header Set-Cookie $auth_cookie; + return 302 /akprox/start?rd=$request_uri; + } +} +``` diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md new file mode 100644 index 000000000..28d94377e --- /dev/null +++ b/website/docs/providers/proxy/_traefik_compose.md 
@@ -0,0 +1,65 @@ + +```yaml +version: '3.7' +services: + traefik: + image: traefik:v2.2 + container_name: traefik + volumes: + - /var/run/docker.sock:/var/run/docker.sock + labels: + traefik.enable: true + traefik.http.routers.api.rule: Host(`traefik.example.com`) + traefik.http.routers.api.entrypoints: https + traefik.http.routers.api.service: api@internal + traefik.http.routers.api.tls: true + ports: + - 80:80 + - 443:443 + command: + - '--api' + - '--log=true' + - '--log.level=DEBUG' + - '--log.filepath=/var/log/traefik.log' + - '--providers.docker=true' + - '--providers.docker.exposedByDefault=false' + - '--entrypoints.http=true' + - '--entrypoints.http.address=:80' + - '--entrypoints.http.http.redirections.entrypoint.to=https' + - '--entrypoints.http.http.redirections.entrypoint.scheme=https' + - '--entrypoints.https=true' + - '--entrypoints.https.address=:443' + + authentik_proxy: + image: goauthentik.io/proxy:2021.5.1 + ports: + - 9000:9000 + - 9443:9443 + environment: + AUTHENTIK_HOST: https://your-authentik.tld + AUTHENTIK_INSECURE: "false" + AUTHENTIK_TOKEN: token-generated-by-authentik + # Starting with 2021.9, you can optionally set this too + # when authentik_host for internal communication doesn't match the public URL + # AUTHENTIK_HOST_BROWSER: https://external-domain.tld + labels: + traefik.enable: true + traefik.port: 9000 + traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`) + traefik.http.routers.authentik.entrypoints: https + traefik.http.routers.authentik.tls: true + traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik + traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true + traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + restart: unless-stopped + + whoami: + image: containous/whoami + 
labels: + traefik.enable: true + traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`) + traefik.http.routers.whoami.entrypoints: https + traefik.http.routers.whoami.tls: true + traefik.http.routers.whoami.middlewares: authentik@docker + restart: unless-stopped +``` diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md new file mode 100644 index 000000000..2fb7cf735 --- /dev/null +++ b/website/docs/providers/proxy/_traefik_ingress.md @@ -0,0 +1,47 @@ +Create a middleware: + +```yaml +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: authentik +spec: + forwardAuth: + address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - Set-Cookie + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid +``` + +Add the following settings to your IngressRoute + +:::warning +By default traefik does not allow cross-namespace references for middlewares: + +See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it. +::: + +```yaml +spec: + routes: + - kind: Rule + match: "Host(`*external host that you configured in authentik*`)" + middlewares: + - name: authentik + namespace: authentik + priority: 10 + services: # Unchanged + # This part is only required for single-app setups + - kind: Rule + match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" + priority: 15 + services: + - kind: Service + name: authentik-outpost-example-outpost + port: 9000 +``` diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md new file mode 100644 index 000000000..72f834e89 --- /dev/null +++ b/website/docs/providers/proxy/_traefik_standalone.md 
@@ -0,0 +1,26 @@ +```yaml +http: + middlewares: + authentik: + forwardAuth: + address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - Set-Cookie + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + routers: + default-router: + rule: "Host(`*external host that you configured in authentik*`)" + middlewares: + - name: authentik + priority: 10 + services: # Unchanged + default-router-auth + match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" + priority: 15 + services: http://*ip of your outpost*:9000/akprox +``` diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx index 6505d9789..f24457d56 100644 --- a/website/docs/providers/proxy/forward_auth.mdx +++ b/website/docs/providers/proxy/forward_auth.mdx 
@@ -47,102 +47,28 @@ import TabItem from '@theme/TabItem'; values={[ {label: 'Standalone nginx', value: 'standalone-nginx'}, {label: 'Ingress', value: 'ingress'}, + {label: 'Nginx Proxy Manager', value: 'proxy-manager'}, ]}> -``` -server { - # SSL and VHost configuration - listen 443 ssl http2; - server_name _; +import NginxStandalone from './_nginx_standalone.md' - ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; - ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; - - # Increase buffer size for large headers - # This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik - proxy_buffers 8 16k; - proxy_buffer_size 32k; - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - - location / { - # Put your proxy_pass to your application here - # proxy_pass http://localhost:5000; - - # authentik-specific config - auth_request /akprox/auth/nginx; - error_page 401 = @akprox_signin; - # For domain level, use the below error_page to redirect to your authentik server with the full redirect path - # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; - - # translate headers from the outposts back to the actual upstream - auth_request_set $authentik_username $upstream_http_x_authentik_username; - auth_request_set $authentik_groups $upstream_http_x_authentik_groups; - auth_request_set $authentik_email $upstream_http_x_authentik_email; - auth_request_set $authentik_name $upstream_http_x_authentik_name; - auth_request_set $authentik_uid $upstream_http_x_authentik_uid; - - proxy_set_header X-authentik-username $authentik_username; - proxy_set_header X-authentik-groups $authentik_groups; - proxy_set_header X-authentik-email $authentik_email; - proxy_set_header X-authentik-name $authentik_name; - proxy_set_header X-authentik-uid $authentik_uid; - } - - # all requests to /akprox must be accessible without 
authentication - location /akprox { - proxy_pass http://*ip or hostname of the authentik OUTPOST*:9000/akprox; - # ensure the host of this vserver matches your external URL you've configured - # in authentik - proxy_set_header Host $host; - add_header Set-Cookie $auth_cookie; - auth_request_set $auth_cookie $upstream_http_set_cookie; - } - - # Special location for when the /auth endpoint returns a 401, - # redirect to the /start URL which initiates SSO - location @akprox_signin { - internal; - add_header Set-Cookie $auth_cookie; - return 302 /akprox/start?rd=$request_uri; - } -} -``` + -Create a new ingress for the outpost -```yaml -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: authentik-outpost -spec: - rules: - - host: *external host that you configured in authentik* - http: - paths: - - backend: - serviceName: authentik-outpost-example-outpost - servicePort: 9000 - path: /akprox -``` +import NginxIngress from './_nginx_ingress.md' -This ingress handles authentication requests, and the sign-in flow. + -Add these annotations to the ingress you want to protect + + + +import NginxProxyManager from './_nginx_proxy_manager.md' + + -```yaml -metadata: - annotations: - nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx - nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -``` 
@@ -157,148 +83,23 @@ metadata: ]}> -```yaml -http: - middlewares: - authentik: - forwardAuth: - address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - Set-Cookie - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - routers: - default-router: - rule: "Host(`*external host that you configured in authentik*`)" - middlewares: - - name: authentik - priority: 10 - services: # Unchanged - default-router-auth - match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" - priority: 15 - services: http://*ip of your outpost*:9000/akprox -``` +import TraefikStandalone from './_traefik_standalone.md' + + + -```yaml -version: '3.7' -services: - traefik: - image: traefik:v2.2 - container_name: traefik - volumes: - - /var/run/docker.sock:/var/run/docker.sock - labels: - traefik.enable: true - traefik.http.routers.api.rule: Host(`traefik.example.com`) - traefik.http.routers.api.entrypoints: https - traefik.http.routers.api.service: api@internal - traefik.http.routers.api.tls: true - ports: - - 80:80 - - 443:443 - command: - - '--api' - - '--log=true' - - '--log.level=DEBUG' - - '--log.filepath=/var/log/traefik.log' - - '--providers.docker=true' - - '--providers.docker.exposedByDefault=false' - - '--entrypoints.http=true' - - '--entrypoints.http.address=:80' - - '--entrypoints.http.http.redirections.entrypoint.to=https' - - '--entrypoints.http.http.redirections.entrypoint.scheme=https' - - '--entrypoints.https=true' - - '--entrypoints.https.address=:443' +import TraefikCompose from './_traefik_compose.md' - authentik_proxy: - image: goauthentik.io/proxy:2021.5.1 - ports: - - 9000:9000 - - 9443:9443 - environment: - AUTHENTIK_HOST: https://your-authentik.tld - AUTHENTIK_INSECURE: "false" - AUTHENTIK_TOKEN: token-generated-by-authentik - # Starting with 2021.9, you can optionally set this too - # when authentik_host 
for internal communication doesn't match the public URL - # AUTHENTIK_HOST_BROWSER: https://external-domain.tld - labels: - traefik.enable: true - traefik.port: 9000 - traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`) - traefik.http.routers.authentik.entrypoints: https - traefik.http.routers.authentik.tls: true - traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:9000/akprox/auth/traefik - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - restart: unless-stopped - - whoami: - image: containous/whoami - labels: - traefik.enable: true - traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`) - traefik.http.routers.whoami.entrypoints: https - traefik.http.routers.whoami.tls: true - traefik.http.routers.whoami.middlewares: authentik@docker - restart: unless-stopped -``` + -Create a middleware: -```yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: authentik -spec: - forwardAuth: - address: http://authentik-outpost-example-outpost:9000/akprox/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - Set-Cookie - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid -``` +import TraefikIngress from './_traefik_ingress.md' -Add the following settings to your IngressRoute + -:::warning -By default traefik does not allow cross-namespace references for middlewares: - -See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it. 
-::: - -```yaml -spec: - routes: - - kind: Rule - match: "Host(`*external host that you configured in authentik*`)" - middlewares: - - name: authentik - namespace: authentik - priority: 10 - services: # Unchanged - # This part is only required for single-app setups - - kind: Rule - match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)" - priority: 15 - services: - - kind: Service - name: authentik-outpost-example-outpost - port: 9000 -```