authentik/website/docs/outposts/proxy/forward_auth.mdx

---
title: Forward auth
---

Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
authentik outpost to check authentication and authoirzation.

To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use one of the Forward auth modes.

## Single application

Single application mode works for a single application hosted on its dedicated subdomain. This
has the advantage that you can still do per-application access policies in authentik.

## Domain level

To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.

This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times

There are however also some downsides, mainly the fact that you **can't** restrict individual
applications to different users.

The only configuration difference between single application and domain level is the host you specify.

For single application, you'd use the domain which the application is running on, and only /akprox
is redirect to the outpost.

For domain level, you'd use the same domain as authentik.

## Nginx

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

<Tabs
  defaultValue="standalone-nginx"
  values={[
    {label: 'Standalone nginx', value: 'standalone-nginx'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-nginx">

```
    location /akprox {
        proxy_pass          http://*ip of your outpost*:4180;
        error_page          401 = @akprox_signin;
        proxy_set_header    X-Forwarded-Host $http_host;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;
    }

    location @akprox_signin {
      internal;
      add_header Set-Cookie $auth_cookie;
      return 302 /akprox/start?rd=$escaped_request_uri;
    }

    location / {
        auth_request /akprox/auth?nginx;
        # All your other options...
    }
```

  </TabItem>
  <TabItem value="ingress">
Create a new ingress for the outpost

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: authentik-outpost
spec:
  rules:
  - host: *external host that you configured in authentik*
    http:
      paths:
      - backend:
          serviceName: authentik-outpost-*uuid of the service generated by authentik*
          servicePort: 4180
        path: /akprox
```

This ingress handles authentication requests, and the sign-in flow.

Add these annotations to the ingress you want to protect

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
    nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
    nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
```
  </TabItem>
</Tabs>

## Traefik

<Tabs
  defaultValue="standalone-traefik"
  values={[
    {label: 'Standalone traefik', value: 'standalone-traefik'},
    {label: 'docker-compose', value: 'docker-compose'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-traefik">

```yaml
http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
        trustForwardHeader: true
        authResponseHeaders:
          - Set-Cookie
          - X-Auth-Username
          - X-Forwarded-Email
          - X-Forwarded-Preferred-Username
          - X-Forwarded-User
  routers:
    default-router:
      rule: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    default-router-auth
      match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services: http://*ip of your outpost*:4180/akprox
```
  </TabItem>
  <TabItem value="docker-compose">

```yaml
version: '3.7'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`traefik.example.com`)
      traefik.http.routers.api.entrypoints: https
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls: true
    ports:
      - 80:80
      - 443:443
    command:
      - '--api'
      - '--log=true'
      - '--log.level=DEBUG'
      - '--log.filepath=/var/log/traefik.log'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'

  authentik_proxy:
    image: ghcr.io/goauthentik/proxy:2021.5.1
    ports:
      - 4180:4180
      - 4443:4443
    environment:
      AUTHENTIK_HOST: https://your-authentik.tld
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: token-generated-by-authentik
    labels:
      traefik.enable: true
      traefik.port: 4180
      traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
      traefik.http.routers.authentik.entrypoints: https
      traefik.http.routers.authentik.tls: true
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
    restart: unless-stopped

  whoami:
    image: containous/whoami
    labels:
      traefik.enable: true
      traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
      traefik.http.routers.whoami.entrypoints: https
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.middlewares: authentik@docker
    restart: unless-stopped
```

  </TabItem>
  <TabItem value="ingress">
Create a middleware:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
spec:
  forwardAuth:
    address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
    trustForwardHeader: true
    authResponseHeaders:
      - Set-Cookie
      - X-Auth-Username
      - X-Forwarded-Email
      - X-Forwarded-Preferred-Username
      - X-Forwarded-User
```

Add the following settings to your IngressRoute

```yaml
spec:
  routes:
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik-outpost-*uuid of the service generated by authentik*
          port: 4180
```
  </TabItem>
</Tabs>