Revert "website/docs: revert to akprox for now"

This reverts commit 9070df6c26.

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	website/docs/providers/proxy/_nginx_ingress.md
#	website/docs/providers/proxy/_nginx_proxy_manager.md
#	website/docs/providers/proxy/_nginx_standalone.md
Jens Langhammer 2022-02-16 10:19:33 +01:00
parent eb05a3ddb8
commit 4e317c10c5
12 changed files with 31 additions and 31 deletions

View File

@ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo
Routing is handled like this: Routing is handled like this:
1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files. 1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files.
2. Paths starting with `/akprox` are sent to the embedded outpost. 2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost. 3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
4. Everything remaining is sent to the authentik backend server. 4. Everything remaining is sent to the authentik backend server.
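Review bot: step 2 of the routing list now names `/outpost.goauthentik.io` as the embedded outpost prefix, but the commit this reverts backed the rename out "for now", so this page needs to say in which release the path changes and whether `/akprox` keeps answering during the transition; otherwise operators cannot tell from the docs which prefix their server actually serves. "Paths starting with" also leaves open whether the match is anchored at the next `/`, i.e. whether `/outpost.goauthentik.io-other` goes to the outpost or to authentik; one clause settling that would help anyone writing their own front proxy rules.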

View File

@ -26,7 +26,7 @@ The container is created with the following hardcoded properties:
- `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)` - `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
- `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service` - `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
- `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true" - `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
- `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000" - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"

View File

@ -15,7 +15,7 @@ spec:
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
serviceName: ak-outpost-example-outpost serviceName: ak-outpost-example-outpost
servicePort: 9000 servicePort: 9000
path: /akprox path: /outpost.goauthentik.io
``` ```
This ingress handles authentication requests, and the sign-in flow. This ingress handles authentication requests, and the sign-in flow.
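Review bot: the ingress rule sets `path: /outpost.goauthentik.io` using the older `serviceName`/`servicePort` backend shape; because this rule deliberately exposes the outpost path without authentication, the rule's `pathType` (not in this hunk) should be an explicit `Prefix` so that `/outpost.goauthentik.io/start` and `/outpost.goauthentik.io/auth/nginx` both match regardless of the controller's default, and the sentence below the block could say so.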
@ -26,10 +26,10 @@ Add these annotations to the ingress you want to protect
metadata: metadata:
annotations: annotations:
nginx.ingress.kubernetes.io/auth-url: |- nginx.ingress.kubernetes.io/auth-url: |-
http://outpost.company:9000/akprox/auth/nginx http://outpost.company:9000/outpost.goauthentik.io/auth/nginx
# If you're using domain-level auth, use the authentication URL instead of the application URL # If you're using domain-level auth, use the authentication URL instead of the application URL
nginx.ingress.kubernetes.io/auth-signin: |- nginx.ingress.kubernetes.io/auth-signin: |-
https://app.company/akprox/start https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |- nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: | nginx.ingress.kubernetes.io/auth-snippet: |
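Review bot: the `auth-signin` line changes more than the prefix: the new value appends `?rd=$escaped_request_uri`, which the old `/akprox/start` did not carry, so the outpost now receives the original request URI to return to after login. That is a behaviour change and belongs in the commit message or the surrounding text rather than riding along with the rename; it also means `rd` is filled from the client's request, so the doc should say the value is expected to be the same-site relative URI shown here, not an absolute URL a reader might substitute.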

View File

@ -12,7 +12,7 @@ location / {
proxy_pass $forward_scheme://$server:$port; proxy_pass $forward_scheme://$server:$port;
# authentik-specific config # authentik-specific config
auth_request /akprox/auth/nginx; auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin; error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -31,9 +31,9 @@ location / {
proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-uid $authentik_uid;
} }
# all requests to /akprox must be accessible without authentication # all requests to /outpost.goauthentik.io must be accessible without authentication
location /akprox { location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/akprox; proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
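Review bot: `location /outpost.goauthentik.io` is an nginx prefix match, so it also captures `/outpost.goauthentik.io-anything` and forwards it, unauthenticated, to the outpost. If the outpost only serves under the `/outpost.goauthentik.io/` subtree, `location /outpost.goauthentik.io/ { proxy_pass http://outpost.company:9000/outpost.goauthentik.io/; ... }` (trailing slash on both sides so the URI rewrite stays a no-op) keeps the unauthenticated carve-out as narrow as the comment above the block intends.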
@ -47,8 +47,8 @@ location /akprox {
location @goauthentik_proxy_signin { location @goauthentik_proxy_signin {
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri; return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
} }
``` ```
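Review bot: the commented domain-level alternative builds the `rd` target from `$scheme://$http_host$request_uri`, and `$http_host` is the raw Host header the client sent, while the config two blocks up already insists the vserver's host match the external URL configured in authentik; use `$host` (or the configured external hostname) there so the post-login redirect target does not follow whatever Host header arrives, and keep the active `return 302 /outpost.goauthentik.io/start?rd=$request_uri;` as the documented default, since its relative `rd` cannot leave the site.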

View File

@ -19,7 +19,7 @@ server {
# proxy_pass http://localhost:5000; # proxy_pass http://localhost:5000;
# authentik-specific config # authentik-specific config
auth_request /akprox/auth/nginx; auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin; error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -38,9 +38,9 @@ server {
proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-uid $authentik_uid;
} }
# all requests to /akprox must be accessible without authentication # all requests to /outpost.goauthentik.io must be accessible without authentication
location /akprox { location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/akprox; proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
@ -54,9 +54,9 @@ server {
location @goauthentik_proxy_signin { location @goauthentik_proxy_signin {
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri; return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
} }
} }
``` ```
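Review bot: this `@goauthentik_proxy_signin` block and the `location /outpost.goauthentik.io` block above it are line for line the same as the Nginx Proxy Manager partial, and the `# Conflicts:` list in the commit message shows the cost: the rename had to be resolved by hand in `_nginx_ingress.md`, `_nginx_proxy_manager.md` and `_nginx_standalone.md`. Factor the shared nginx snippet into one partial that both pages include so the next path change touches a single file, and give the commented domain-level `return 302` the same `$host` instead of `$http_host` treatment as its twin, since the redirect target should not follow a client-supplied Host header.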

View File

@ -30,9 +30,9 @@ services:
labels: labels:
traefik.enable: true traefik.enable: true
traefik.port: 9000 traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`) traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file. # `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped restart: unless-stopped
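Review bot: the router rule uses `PathPrefix(`/outpost.goauthentik.io/`)` with a trailing slash while the nginx partials in this same commit match `location /outpost.goauthentik.io` without one; the Traefik form is the stricter and preferable one, but it means a request to exactly `/outpost.goauthentik.io` is not routed here, so the pages should agree on which form the outpost expects. Visible in the hunk though untouched by the rename: `forwardauth.trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers to the outpost unchanged, which is only appropriate when Traefik is the edge proxy or sits behind one that overwrites them; a one-line note beside the label would stop readers copying it into a deployment where clients reach Traefik directly.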

View File

@ -7,7 +7,7 @@ metadata:
name: authentik name: authentik
spec: spec:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-authentik-username - X-authentik-username
@ -41,7 +41,7 @@ spec:
services: # Unchanged services: # Unchanged
# This part is only required for single-app setups # This part is only required for single-app setups
- kind: Rule - kind: Rule
match: "Host(`app.company`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15 priority: 15
services: services:
- kind: Service - kind: Service
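Review bot: the `Rule` at `priority: 15` exists so the `/outpost.goauthentik.io/` path wins over the protected application route, but the hunk cuts off before showing whether the `authentik` forwardAuth middleware is attached to this rule; state that explicitly, because the changelog entry elsewhere in this commit ("allow access to /outpost.goauthentik.io urls in forward auth mode") implies it is tolerated, and readers of the "only required for single-app setups" comment will otherwise guess.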

View File

@ -3,7 +3,7 @@ http:
middlewares: middlewares:
authentik: authentik:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-authentik-username - X-authentik-username
@ -25,7 +25,7 @@ http:
priority: 10 priority: 10
services: # Unchanged services: # Unchanged
default-router-auth: default-router-auth:
match: "Host(`app.company`) && PathPrefix(`/akprox/`)" match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15 priority: 15
services: http://outpost.company:9000/akprox services: http://outpost.company:9000/outpost.goauthentik.io
``` ```
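Review bot: `services: http://outpost.company:9000/outpost.goauthentik.io` under the `default-router-auth` router is not valid Traefik file-provider syntax on either side of this diff: a router references its backend by name through `service: <name>`, and the URL belongs in `http.services.<name>.loadBalancer.servers[].url`. Since the rename touched this line anyway, fix the shape while it is in hand, and keep the `PathPrefix(`/outpost.goauthentik.io/`)` trailing slash consistent with the compose example.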

View File

@ -27,7 +27,7 @@ applications to different users.
The only configuration difference between single application and domain level is the host you specify. The only configuration difference between single application and domain level is the host you specify.
For single application, you'd use the domain which the application is running on, and only /akprox For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
is redirected to the outpost. is redirected to the outpost.
For domain level, you'd use the same domain as authentik. For domain level, you'd use the same domain as authentik.
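Review bot: "only /outpost.goauthentik.io is redirected to the outpost" should format the path in backticks as the rest of the docs in this commit do (`app.domain.tld/outpost.goauthentik.io/sign_out` on the logout page), so the dotted name is not read as a hostname; the sentence could also say "the path prefix" to make clear it is a URL path, not a domain.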

View File

@ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
Login is done automatically when you visit the domain without a valid cookie. Login is done automatically when you visit the domain without a valid cookie.
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`. When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider. When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`. To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests ## Allowing unauthenticated requests
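Review bot: the three consecutive sentences give the sign-out URL twice in mode-specific form and then a third time as the bare `/outpost.goauthentik.io/sign_out`; keep the two mode-specific sentences and drop the generic one, or turn them into a short list, and add a blank line before `## Allowing unauthenticated requests` so the heading is not glued to the paragraph.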

View File

@ -10,7 +10,7 @@ slug: "2021.8"
To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.
You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server.
Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself. Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself.
- App passwords - App passwords
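Review bot: this hunk rewrites the 2021.8 release notes to say every sub-path under `/outpost.goauthentik.io` goes to the outpost, but the notes are a record of what 2021.8 shipped, and the old side of the diff shows that release used `/akprox`; leave historical notes as they were and document the rename as its own entry in the release where it actually lands, otherwise someone upgrading from 2021.8 reads a path their version never served.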

View File

@ -47,7 +47,7 @@ This release mostly removes legacy fields and features that have been deprecated
- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist - internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
- internal: use math.MaxInt for compatibility - internal: use math.MaxInt for compatibility
- lifecycle: add early check for missing/invalid secret key - lifecycle: add early check for missing/invalid secret key
- outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier - outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
- outposts/proxyv2: fix before-redirect url not being saved in proxy mode - outposts/proxyv2: fix before-redirect url not being saved in proxy mode
- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
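Review bot: the `outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode` entry is edited in place in the 2022.1 changelog, yet the commit being reverted here says the rename was backed out of that line for now, so the entry ends up describing a path that 2022.1 may not have served; keep the changelog line at the name the release shipped and add a separate "proxy prefix renamed from /akprox to /outpost.goauthentik.io" entry in the release that carries the rename, so the upgrade note is findable.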
@ -64,7 +64,7 @@ This release mostly removes legacy fields and features that have been deprecated
## Fixed in 2022.1.2 ## Fixed in 2022.1.2
- internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted - internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
- lib: disable backup by default, add note to configuration - lib: disable backup by default, add note to configuration
- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir - lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
- outposts: allow custom label for docker containers - outposts: allow custom label for docker containers