website/docs: update forward_auth for nginx config
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
@ -46,24 +46,46 @@ import TabItem from '@theme/TabItem';
|
|||||||
<TabItem value="standalone-nginx">
|
<TabItem value="standalone-nginx">
|
||||||
|
|
||||||
```
|
```
|
||||||
location /akprox {
|
server {
|
||||||
proxy_pass http://*ip of your outpost*:4180;
|
# SSL and VHost configuration
|
||||||
error_page 401 = @akprox_signin;
|
listen 443 ssl http2;
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
server_name _;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
||||||
add_header Set-Cookie $auth_cookie;
|
|
||||||
}
|
|
||||||
|
|
||||||
location @akprox_signin {
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
internal;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
add_header Set-Cookie $auth_cookie;
|
|
||||||
return 302 /akprox/start?rd=$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
auth_request /akprox/auth?nginx;
|
# Put your proxy_pass to your application here
|
||||||
# All your other options...
|
# proxy_pass http://localhost:5000;
|
||||||
|
|
||||||
|
# authentik-specific config
|
||||||
|
auth_request /akprox/auth;
|
||||||
|
error_page 401 = @akprox_signin;
|
||||||
|
# translate headers from the outposts back to the actual upstream
|
||||||
|
auth_request_set $username $upstream_http_x_auth_username;
|
||||||
|
auth_request_set $email $upstream_http_X_Forwarded_Email;
|
||||||
|
proxy_set_header X-Auth-Username $username;
|
||||||
|
proxy_set_header X-Forwarded-Email $email;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# all requests to /akprox must be accessible without authentication
|
||||||
|
location /akprox {
|
||||||
|
proxy_pass http://*ip or hostname of the authentik OUTPOST*:4180;
|
||||||
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
|
# in authentik
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Special location for when the /auth endpoint returns a 401,
|
||||||
|
# redirect to the /start URL which initiates SSO
|
||||||
|
location @akprox_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 /akprox/start?rd=$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
|
|||||||
Reference in New Issue
Block a user