dad24c03ff
* outposts: initial cookie domain implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add cookie domain setting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: replace forward_auth_mode with general mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: rebuild proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: re-add forward_auth_mode for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix data.mode not being set Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: always set log level to debug when testing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: use new mode attribute Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only ingress /akprox on forward_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: fix lint error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix error on ProxyProviderForm when not using proxy mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix default for outpost form's type missing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add additional desc for proxy modes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: fix service account permissions not always being updated Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: fix redirecting to incorrect host for domain mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: improve error handling for network errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: fix image naming not matching main imaeg Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: fix redirects for domain mode and traefik Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix colour for paragraphs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix consent stage not showing permissions correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: add domain-level docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: fix broken links Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: remove dead code Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix missing id for #header-text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
248 lines
7.5 KiB
Plaintext
248 lines
7.5 KiB
Plaintext
---
|
|
title: Forward auth
|
|
---
|
|
|
|
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
|
|
authentik outpost to check authentication and authoirzation.
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use one of the Forward auth modes.
|
|
|
|
## Single application
|
|
|
|
Single application mode works for a single application hosted on its dedicated subdomain. This
|
|
has the advantage that you can still do per-application access policies in authentik.
|
|
|
|
## Domain level
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
|
|
|
|
This mode differs from the *Forward auth (single application)* mode in the following points:
|
|
- You don't have to configure an application in authentik for each domain
|
|
- Users don't have to authorize multiple times
|
|
|
|
There are however also some downsides, mainly the fact that you **can't** restrict individual
|
|
applications to different users.
|
|
|
|
The only configuration difference between single application and domain level is the host you specify.
|
|
|
|
For single application, you'd use the domain which the application is running on, and only /akprox
|
|
is redirect to the outpost.
|
|
|
|
For domain level, you'd use the same domain as authentik.
|
|
|
|
## Nginx
|
|
|
|
import Tabs from '@theme/Tabs';
|
|
import TabItem from '@theme/TabItem';
|
|
|
|
<Tabs
|
|
defaultValue="standalone-nginx"
|
|
values={[
|
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-nginx">
|
|
|
|
```
|
|
location /akprox {
|
|
proxy_pass http://*ip of your outpost*:4180;
|
|
error_page 401 = @akprox_signin;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
add_header Set-Cookie $auth_cookie;
|
|
}
|
|
|
|
location @akprox_signin {
|
|
internal;
|
|
add_header Set-Cookie $auth_cookie;
|
|
return 302 /akprox/start?rd=$escaped_request_uri;
|
|
}
|
|
|
|
location / {
|
|
auth_request /akprox/auth?nginx;
|
|
# All your other options...
|
|
}
|
|
```
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
Create a new ingress for the outpost
|
|
|
|
```yaml
|
|
apiVersion: networking.k8s.io/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
name: authentik-outpost
|
|
spec:
|
|
rules:
|
|
- host: *external host that you configured in authentik*
|
|
http:
|
|
paths:
|
|
- backend:
|
|
serviceName: authentik-outpost-*uuid of the service generated by authentik*
|
|
servicePort: 4180
|
|
path: /akprox
|
|
```
|
|
|
|
This ingress handles authentication requests, and the sign-in flow.
|
|
|
|
Add these annotations to the ingress you want to protect
|
|
|
|
```yaml
|
|
metadata:
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
|
|
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
|
|
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
|
|
nginx.ingress.kubernetes.io/auth-snippet: |
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
```
|
|
</TabItem>
|
|
</Tabs>
|
|
|
|
## Traefik
|
|
|
|
<Tabs
|
|
defaultValue="standalone-traefik"
|
|
values={[
|
|
{label: 'Standalone traefik', value: 'standalone-traefik'},
|
|
{label: 'docker-compose', value: 'docker-compose'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-traefik">
|
|
|
|
```yaml
|
|
http:
|
|
middlewares:
|
|
authentik:
|
|
forwardAuth:
|
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- Set-Cookie
|
|
- X-Auth-Username
|
|
- X-Forwarded-Email
|
|
- X-Forwarded-Preferred-Username
|
|
- X-Forwarded-User
|
|
routers:
|
|
default-router:
|
|
rule: "Host(`*external host that you configured in authentik*`)"
|
|
middlewares:
|
|
- name: authentik
|
|
priority: 10
|
|
services: # Unchanged
|
|
default-router-auth
|
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
priority: 15
|
|
services: http://*ip of your outpost*:4180/akprox
|
|
```
|
|
</TabItem>
|
|
<TabItem value="docker-compose">
|
|
|
|
```yaml
|
|
version: '3.7'
|
|
services:
|
|
traefik:
|
|
image: traefik:v2.2
|
|
container_name: traefik
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.http.routers.api.rule: Host(`traefik.example.com`)
|
|
traefik.http.routers.api.entrypoints: https
|
|
traefik.http.routers.api.service: api@internal
|
|
traefik.http.routers.api.tls: true
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
command:
|
|
- '--api'
|
|
- '--log=true'
|
|
- '--log.level=DEBUG'
|
|
- '--log.filepath=/var/log/traefik.log'
|
|
- '--providers.docker=true'
|
|
- '--providers.docker.exposedByDefault=false'
|
|
- '--entrypoints.http=true'
|
|
- '--entrypoints.http.address=:80'
|
|
- '--entrypoints.http.http.redirections.entrypoint.to=https'
|
|
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
|
|
- '--entrypoints.https=true'
|
|
- '--entrypoints.https.address=:443'
|
|
|
|
authentik_proxy:
|
|
image: ghcr.io/goauthentik/proxy:2021.5.1
|
|
ports:
|
|
- 4180:4180
|
|
- 4443:4443
|
|
environment:
|
|
AUTHENTIK_HOST: https://your-authentik.tld
|
|
AUTHENTIK_INSECURE: "false"
|
|
AUTHENTIK_TOKEN: token-generated-by-authentik
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.port: 4180
|
|
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
|
|
traefik.http.routers.authentik.entrypoints: https
|
|
traefik.http.routers.authentik.tls: true
|
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
|
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
|
|
restart: unless-stopped
|
|
|
|
whoami:
|
|
image: containous/whoami
|
|
labels:
|
|
traefik.enable: true
|
|
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
|
|
traefik.http.routers.whoami.entrypoints: https
|
|
traefik.http.routers.whoami.tls: true
|
|
traefik.http.routers.whoami.middlewares: authentik@docker
|
|
restart: unless-stopped
|
|
```
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
Create a middleware:
|
|
|
|
```yaml
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: authentik
|
|
spec:
|
|
forwardAuth:
|
|
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- Set-Cookie
|
|
- X-Auth-Username
|
|
- X-Forwarded-Email
|
|
- X-Forwarded-Preferred-Username
|
|
- X-Forwarded-User
|
|
```
|
|
|
|
Add the following settings to your IngressRoute
|
|
|
|
```yaml
|
|
spec:
|
|
routes:
|
|
- kind: Rule
|
|
match: "Host(`*external host that you configured in authentik*`)"
|
|
middlewares:
|
|
- name: authentik
|
|
priority: 10
|
|
services: # Unchanged
|
|
- kind: Rule
|
|
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
|
|
priority: 15
|
|
services:
|
|
- kind: Service
|
|
name: authentik-outpost-*uuid of the service generated by authentik*
|
|
port: 4180
|
|
```
|
|
</TabItem>
|
|
</Tabs>
|