---
title: Proxy Outpost
---

The proxy outpost sets the following headers:

```
X-Auth-Username: akadmin # The username of the currently logged in user
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
X-Forwarded-Preferred-Username: akadmin  # The username of the currently logged in user
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
```

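Additionally, you can set `additionalHeaders` on groups or users to set additional headers.

The upstream application treats these headers as the identity of the user, so it should only be reachable through the outpost (or through the reverse proxy that performs forward auth). A client that can reach the upstream directly can send the same headers itself.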

If you enable the *Set HTTP-Basic Authentication* option, the HTTP Authorization header is also set.

# HTTPS

The outpost listens on port 4180 for HTTP and on port 4443 for HTTPS.

:::warning
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
:::

# Forward auth

To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure `Enable forward-auth mode` is enabled.

## Nginx

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

<Tabs
  defaultValue="standalone-nginx"
  values={[
    {label: 'Standalone nginx', value: 'standalone-nginx'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-nginx">

```
    # Forward-auth wiring for a standalone nginx: requests under /akprox are
    # proxied to the outpost, and every request under / is gated by an auth
    # subrequest to /akprox/auth.
    location /akprox {
        # Outpost HTTP listener; replace the *...* placeholder with its address.
        proxy_pass http://*ip of your outpost*:4180;
        # A 401 in this location is handed to the named sign-in location below.
        error_page 401 = @akprox_signin;
        # Pass the host the client requested on to the outpost.
        proxy_set_header    X-Forwarded-Host $http_host;
        # Capture Set-Cookie from the auth subrequest response and send it
        # back to the browser.
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;
    }

    # Named location: only reachable through error_page, never by a client URL.
    location @akprox_signin {
      internal;
      add_header Set-Cookie $auth_cookie;
      # Send the browser to the outpost's start endpoint; rd carries the URI
      # that was originally requested.
      # NOTE(review): $escaped_request_uri is not a built-in nginx variable
      # (ingress-nginx defines it) - confirm it is set elsewhere in this
      # server block, otherwise nginx rejects the configuration.
      return 302 /akprox/start?rd=$escaped_request_uri;
    }

    location / {
        # nginx issues a subrequest to this URI for each request; a 2xx answer
        # lets the request through, 401/403 denies it.
        # NOTE(review): error_page 401 and auth_request_set are declared only
        # inside "location /akprox" and are not inherited by this sibling
        # location - confirm a 401 from the subrequest here actually reaches
        # @akprox_signin.
        auth_request /akprox/auth?nginx;
        # All your other options...
    }
```

  </TabItem>
  <TabItem value="ingress">
Create a new ingress for the outpost

```yaml
# Ingress that exposes the outpost's /akprox endpoints (authentication
# requests and the sign-in flow) on the protected application's host.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: authentik-outpost
spec:
  rules:
  # Replace each *...* placeholder with the real value; left as written, the
  # leading asterisk would be read by YAML as an alias.
  - host: *external host that you configured in authentik*
    http:
      paths:
      - backend:
          # Service created by authentik for the outpost, HTTP listener 4180.
          serviceName: authentik-outpost-*uuid of the service generated by authentik*
          servicePort: 4180
        # Only the /akprox prefix is routed to the outpost.
        path: /akprox
```

This ingress handles authentication requests, and the sign-in flow.

Add these annotations to the ingress you want to protect:

```yaml
# Annotations for the ingress of the protected application (ingress-nginx).
metadata:
  annotations:
    # URL ingress-nginx calls to authenticate each request.
    nginx.ingress.kubernetes.io/auth-url: http://*external host that you configured in authentik*:4180/akprox/auth?nginx
    # URL the browser is redirected to when the auth request is rejected.
    # NOTE(review): this URL is followed by the browser and uses plain HTTP on
    # port 4180 - confirm that is intended rather than the HTTPS endpoint.
    nginx.ingress.kubernetes.io/auth-signin: http://*external host that you configured in authentik*:4180/akprox/start?rd=$escaped_request_uri
    # Headers copied from the auth response onto the request sent upstream.
    # The upstream trusts them as identity, so it should not be reachable by
    # clients that bypass this ingress.
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
    # Extra nginx directive added to the auth request: pass the requested host.
    nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
```
  </TabItem>
</Tabs>

## Traefik

<Tabs
  defaultValue="standalone-traefik"
  values={[
    {label: 'Standalone traefik', value: 'standalone-traefik'},
    {label: 'docker-compose', value: 'docker-compose'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-traefik">

```yaml
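# Traefik dynamic configuration (file provider): a forwardAuth middleware
# backed by the outpost, plus two routers for the protected host.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Outpost endpoint Traefik queries for every request.
        address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
        # Trusts X-Forwarded-* headers already present on the incoming
        # request; only appropriate when clients cannot reach Traefik
        # without passing a proxy you control.
        trustForwardHeader: true
        # Headers copied from the outpost's response onto the request sent
        # to the upstream application.
        authResponseHeaders:
          - Set-Cookie
          - X-Auth-Username
          - X-Forwarded-Email
          - X-Forwarded-Preferred-Username
          - X-Forwarded-User
  routers:
    # Protected application: every request passes the authentik middleware.
    # NOTE(review): the file provider lists middlewares as plain names
    # (`- authentik`) and references a single `service: <name>` defined
    # under http.services - confirm the `- name:` and `services:` forms
    # below against the Traefik version in use.
    default-router:
      rule: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    # Outpost endpoints under /akprox/: higher priority than the router
    # above and no middleware attached.
    # Fixed: the key was missing its trailing colon, and the matcher key is
    # `rule` (as on default-router), not `match`.
    default-router-auth:
      rule: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services: http://*ip of your outpost*:4180/akprox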
```
  </TabItem>
  <TabItem value="docker-compose">

```yaml
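# Example stack: Traefik as the edge proxy, the authentik proxy outpost, and
# a demo application (whoami) protected through forward auth.
# Label booleans and port mappings are quoted so they stay strings: Compose
# rejects boolean label values in mapping form, and unquoted HOST:CONTAINER
# pairs are exposed to YAML's implicit typing.
version: '3.7'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    volumes:
      # Required by the docker provider. Whoever can use this socket controls
      # the Docker daemon, so treat the Traefik container as highly privileged.
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: 'true'
      # Router for Traefik's own API (enabled by --api below).
      # NOTE(review): no middleware is attached to this router, so the API
      # is served to anyone who can reach traefik.example.com over https -
      # confirm that is intended.
      traefik.http.routers.api.rule: Host(`traefik.example.com`)
      traefik.http.routers.api.entrypoints: https
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls: 'true'
    ports:
      - '80:80'
      - '443:443'
    command:
      - '--api'
      - '--log=true'
      # Verbose logging for the example; lower the level outside of testing.
      - '--log.level=DEBUG'
      - '--log.filepath=/var/log/traefik.log'
      - '--providers.docker=true'
      # Containers are only routed when they opt in with traefik.enable.
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      # Plain HTTP is redirected to the https entrypoint.
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'

  authentik_proxy:
    image: ghcr.io/goauthentik/proxy:2021.5.1
    # NOTE(review): publishing these ports makes the outpost reachable on
    # the Docker host directly, in addition to the route through Traefik -
    # confirm both paths are wanted.
    ports:
      - '4180:4180'
      - '4443:4443'
    environment:
      AUTHENTIK_HOST: https://your-authentik.tld
      # Presumably controls whether TLS verification towards AUTHENTIK_HOST
      # is skipped; "false" keeps it on - confirm against the outpost docs.
      AUTHENTIK_INSECURE: "false"
      # Placeholder. The real token is a secret: supply it from an env file
      # or secret store rather than committing it with this file.
      AUTHENTIK_TOKEN: token-generated-by-authentik
    labels:
      traefik.enable: 'true'
      # NOTE(review): `traefik.port` looks like Traefik v1 label syntax; v2
      # uses traefik.http.services.<name>.loadbalancer.server.port - confirm
      # that the intended port (4180) is picked up.
      traefik.port: 4180
      # Outpost endpoints under /akprox/ on the protected host; this router
      # has no forward-auth middleware attached.
      traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
      traefik.http.routers.authentik.entrypoints: https
      traefik.http.routers.authentik.tls: 'true'
      # Definition of the forward-auth middleware used by protected services.
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
      # Trusts X-Forwarded-* headers already present on incoming requests;
      # only appropriate when clients cannot send them to Traefik directly.
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: 'true'
      # Headers copied from the outpost's response onto the upstream request.
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
    restart: unless-stopped

  # Demo application protected by the authentik middleware defined above.
  whoami:
    image: containous/whoami
    labels:
      traefik.enable: 'true'
      traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
      traefik.http.routers.whoami.entrypoints: https
      traefik.http.routers.whoami.tls: 'true'
      traefik.http.routers.whoami.middlewares: authentik@docker
    restart: unless-stopped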
```

  </TabItem>
  <TabItem value="ingress">
Create a middleware:

```yaml
# Traefik Middleware (CRD) that delegates authentication to the outpost.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
spec:
  forwardAuth:
    # Outpost endpoint Traefik queries for every request; replace the *...*
    # placeholder with the generated service name.
    address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
    # Trusts X-Forwarded-* headers already present on the incoming request;
    # only appropriate when clients cannot send them to Traefik directly.
    trustForwardHeader: true
    # Headers copied from the outpost's response onto the request sent to the
    # upstream application, which trusts them as the user's identity.
    authResponseHeaders:
      - Set-Cookie
      - X-Auth-Username
      - X-Forwarded-Email
      - X-Forwarded-Preferred-Username
      - X-Forwarded-User
```

Add the following settings to your IngressRoute:

```yaml
# IngressRoute fragment: one rule for the protected application and one for
# the outpost's /akprox/ endpoints on the same host.
spec:
  routes:
    # Protected application: every request passes the authentik middleware.
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    # Outpost endpoints: the higher priority makes this rule win for
    # /akprox/ paths, and no middleware is attached to it.
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services:
        - kind: Service
          # Service created by authentik for the outpost, HTTP listener 4180.
          name: authentik-outpost-*uuid of the service generated by authentik*
          port: 4180
```
  </TabItem>
</Tabs>