habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: remove duplicate proxy docs

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2021-07-22 10:48:10 +02:00
parent 66bfa6879d
commit 285a9b8b1d
7 changed files with 23 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

271
website/docs/providers/proxy/forward_auth.mdx Normal file
View File

@ -0,0 +1,271 @@
---
title: Forward auth
---
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
authentik outpost to check authentication and authoirzation.
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use one of the Forward auth modes.
## Single application
Single application mode works for a single application hosted on its dedicated subdomain. This
has the advantage that you can still do per-application access policies in authentik.
## Domain level
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times
There are however also some downsides, mainly the fact that you **can't** restrict individual
applications to different users.
The only configuration difference between single application and domain level is the host you specify.
For single application, you'd use the domain which the application is running on, and only /akprox
is redirect to the outpost.
For domain level, you'd use the same domain as authentik.
## Nginx
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
<Tabs
defaultValue="standalone-nginx"
values={[
{label: 'Standalone nginx', value: 'standalone-nginx'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-nginx">
```
server {
# SSL and VHost configuration
listen 443 ssl http2;
server_name _;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
location / {
# Put your proxy_pass to your application here
# proxy_pass http://localhost:5000;
# authentik-specific config
auth_request /akprox/auth;
error_page 401 = @akprox_signin;
# translate headers from the outposts back to the actual upstream
auth_request_set $username $upstream_http_x_auth_username;
auth_request_set $email $upstream_http_X_Forwarded_Email;
proxy_set_header X-Auth-Username $username;
proxy_set_header X-Forwarded-Email $email;
}
# all requests to /akprox must be accessible without authentication
location /akprox {
proxy_pass http://*ip or hostname of the authentik OUTPOST*:4180;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @akprox_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri;
}
}
```
</TabItem>
<TabItem value="ingress">
Create a new ingress for the outpost
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: authentik-outpost
spec:
rules:
- host: *external host that you configured in authentik*
http:
paths:
- backend:
serviceName: authentik-outpost-*uuid of the service generated by authentik*
servicePort: 4180
path: /akprox
```
This ingress handles authentication requests, and the sign-in flow.
Add these annotations to the ingress you want to protect
```yaml
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: https://*external host that you configured in authentik*/akprox/auth?nginx
nginx.ingress.kubernetes.io/auth-signin: https://*external host that you configured in authentik*/akprox/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User,X-Auth-Groups
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
```
</TabItem>
</Tabs>
## Traefik
<Tabs
defaultValue="standalone-traefik"
values={[
{label: 'Standalone traefik', value: 'standalone-traefik'},
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Ingress', value: 'ingress'},
]}>
<TabItem value="standalone-traefik">
```yaml
http:
middlewares:
authentik:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Auth-Groups
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
routers:
default-router:
rule: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
default-router-auth
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services: http://*ip of your outpost*:4180/akprox
```
</TabItem>
<TabItem value="docker-compose">
```yaml
version: '3.7'
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
labels:
traefik.enable: true
traefik.http.routers.api.rule: Host(`traefik.example.com`)
traefik.http.routers.api.entrypoints: https
traefik.http.routers.api.service: api@internal
traefik.http.routers.api.tls: true
ports:
- 80:80
- 443:443
command:
- '--api'
- '--log=true'
- '--log.level=DEBUG'
- '--log.filepath=/var/log/traefik.log'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entrypoints.http=true'
- '--entrypoints.http.address=:80'
- '--entrypoints.http.http.redirections.entrypoint.to=https'
- '--entrypoints.http.http.redirections.entrypoint.scheme=https'
- '--entrypoints.https=true'
- '--entrypoints.https.address=:443'
authentik_proxy:
image: ghcr.io/goauthentik/proxy:2021.5.1
ports:
- 4180:4180
- 4443:4443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
labels:
traefik.enable: true
traefik.port: 4180
traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
traefik.http.routers.authentik.entrypoints: https
traefik.http.routers.authentik.tls: true
traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Auth-Groups,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
traefik.http.routers.whoami.entrypoints: https
traefik.http.routers.whoami.tls: true
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
```
</TabItem>
<TabItem value="ingress">
Create a middleware:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
spec:
forwardAuth:
address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
trustForwardHeader: true
authResponseHeaders:
- Set-Cookie
- X-Auth-Username
- X-Auth-Groups
- X-Forwarded-Email
- X-Forwarded-Preferred-Username
- X-Forwarded-User
```
Add the following settings to your IngressRoute
```yaml
spec:
routes:
- kind: Rule
match: "Host(`*external host that you configured in authentik*`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
- kind: Rule
match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
priority: 15
services:
- kind: Service
name: authentik-outpost-*uuid of the service generated by authentik*
port: 4180
```
</TabItem>
</Tabs>

35
website/docs/providers/proxy/proxy.md Normal file
View File

@ -0,0 +1,35 @@
---
title: Proxy provider
---
The proxy outpost sets the following headers:
```
X-Auth-Username: akadmin # The username of the currently logged in user
X-Auth-Groups: foo|bar|baz # The groups the user is member of, separated by a pipe
X-Forwarded-Email: root@localhost # The email address of the currently logged in user
X-Forwarded-Preferred-Username: akadmin # The username of the currently logged in user
X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
```
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
# HTTPS
The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
:::info
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
:::
# Logging out
Login is done automatically when you visit the domain without a valid cookie.
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`.