8d7bb7da17
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #882
240 lines
7 KiB
Plaintext
240 lines
7 KiB
Plaintext
---
|
|
title: Proxy Outpost
|
|
---
|
|
|
|
The proxy outpost sets the following headers:
|
|
|
|
```
|
|
X-Auth-Username: akadmin # The username of the currently logged in user
|
|
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
|
|
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
|
|
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
|
|
```
|
|
|
|
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
|
|
|
|
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
|
|
|
|
# HTTPS
|
|
|
|
The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
|
|
|
|
:::warning
|
|
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
|
|
:::
|
|
|
|
# Forward auth
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
|
|
|
|
## Nginx
|
|
|
|
import Tabs from '@theme/Tabs';
|
|
import TabItem from '@theme/TabItem';
|
|
|
|
<Tabs
|
|
defaultValue="standalone-nginx"
|
|
values={[
|
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-nginx">
|
|
|
|
```
|
|
location /akprox {
|
|
proxy_pass http://*ip of your outpost*:4180;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
error_page 401 = @akprox_signin;
|
|
}
|
|
|
|
location @akprox_signin {
|
|
internal;
|
|
add_header Set-Cookie $auth_cookie;
|
|
return 302 /akprox/start?rd=$escaped_request_uri;
|
|
}
|
|
|
|
location / {
|
|
auth_request /akprox/auth?nginx;
|
|
# All your other options...
|
|
}
|
|
```
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
Create a new ingress for the outpost
|
|
|
|
```yaml
|
|
apiVersion: networking.k8s.io/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
name: authentik-outpost
|
|
spec:
|
|
rules:
|
|
- host: *external host that you configured in authentik*
|
|
http:
|
|
paths:
|
|
- backend:
|
|
serviceName: authentik-outpost-*uuid of the service generated by authentik*
|
|
servicePort: 4180
|
|
path: /akprox
|
|
```
|
|
|
|
This ingress handles authentication requests, and the sign-in flow.
|
|
|
|
Add these annotations to the ingress you want to protect
|
|
|
|
```yaml
|
|
metadata:
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/auth-url: http://*external host that you configured in authentik*:4180/akprox/auth?nginx
|
|
nginx.ingress.kubernetes.io/auth-signin: http://*external host that you configured in authentik*:4180/akprox/start?rd=$escaped_request_uri
|
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
```
|
|
</TabItem>
|
|
</Tabs>
|
|
|
|
## Traefik
|
|
|
|
<Tabs
|
|
defaultValue="standalone-traefik"
|
|
values={[
|
|
{label: 'Standalone traefik', value: 'standalone-traefik'},
|
|
{label: 'docker-compose', value: 'docker-compose'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-traefik">
|
|
|
|
```yaml
|
|
http:
|
|
middlewares:
|
|
authentik:
|
|
forwardAuth:
|
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- Set-Cookie
|
|
- X-Auth-Username
|
|
- X-Forwarded-Email
|
|
- X-Forwarded-Preferred-Username
|
|
- X-Forwarded-User
|
|
routers:
|
|
default-router:
|
|
rule: "Host(`*external host that you configured in authentik*`)"
|
|
middlewares:
|
|
- name: authentik
|
|
priority: 10
|
|
services: # Unchanged
|
|
default-router-auth
|
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
priority: 15
|
|
services: http://*ip of your outpost*:4180/akprox
|
|
```
|
|
</TabItem>
|
|
<TabItem value="docker-compose">
|
|
|
|
```yaml
|
|
version: '3.7'
|
|
services:
|
|
traefik:
|
|
image: traefik:v2.2
|
|
container_name: traefik
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
|
traefik.http.routers.api.entrypoints: https
|
|
traefik.http.routers.api.service: api@internal
|
|
traefik.http.routers.api.tls: true
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
command:
|
|
- '--api'
|
|
- '--log=true'
|
|
- '--log.level=DEBUG'
|
|
- '--log.filepath=/var/log/traefik.log'
|
|
- '--providers.docker=true'
|
|
- '--providers.docker.exposedByDefault=false'
|
|
- '--entrypoints.http=true'
|
|
- '--entrypoints.http.address=:80'
|
|
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
|
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
|
- '--entrypoints.https=true'
|
|
- '--entrypoints.https.address=:443'
|
|
|
|
authentik_proxy:
|
|
image: ghcr.io/goauthentik/proxy:2021.5.1
|
|
ports:
|
|
- 4180:4180
|
|
- 4443:4443
|
|
environment:
|
|
AUTHENTIK_HOST: https://your-authentik.tld
|
|
AUTHENTIK_INSECURE: "false"
|
|
AUTHENTIK_TOKEN: token-generated-by-authentik
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.port: 4180
|
|
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
|
traefik.http.routers.authentik.entrypoints: https
|
|
traefik.http.routers.authentik.tls: true
|
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
|
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
|
|
restart: unless-stopped
|
|
|
|
whoami:
|
|
image: containous/whoami
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
|
traefik.http.routers.whoami.entrypoints: https
|
|
traefik.http.routers.whoami.tls: true
|
|
traefik.http.routers.whoami.middlewares: authentik@docker
|
|
restart: unless-stopped
|
|
```
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
Create a middleware:
|
|
|
|
```yaml
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: authentik
|
|
spec:
|
|
forwardAuth:
|
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- Set-Cookie
|
|
- X-Auth-Username
|
|
- X-Forwarded-Email
|
|
- X-Forwarded-Preferred-Username
|
|
- X-Forwarded-User
|
|
```
|
|
|
|
Add the following settings to your IngressRoute
|
|
|
|
```yaml
|
|
spec:
|
|
routes:
|
|
- kind: Rule
|
|
match: "Host(`*external host that you configured in authentik*`)"
|
|
middlewares:
|
|
- name: authentik
|
|
priority: 10
|
|
services: # Unchanged
|
|
- kind: Rule
|
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
priority: 15
|
|
services:
|
|
- kind: Service
|
|
name: authentik-outpost-*uuid of the service generated by authentik*
|
|
port: 4180
|
|
```
|
|
</TabItem>
|
|
</Tabs>
|