Revert "website/docs: revert to akprox for now"

This reverts commit 9070df6c26.

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	website/docs/providers/proxy/_nginx_ingress.md
#	website/docs/providers/proxy/_nginx_proxy_manager.md
#	website/docs/providers/proxy/_nginx_standalone.md
Jens Langhammer
2022-02-16 10:19:33 +01:00
parent eb05a3ddb8
commit 4e317c10c5
12 changed files with 31 additions and 31 deletions


@ -15,7 +15,7 @@ spec:
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
serviceName: ak-outpost-example-outpost
servicePort: 9000
path: /akprox
path: /outpost.goauthentik.io
```
This ingress handles authentication requests, and the sign-in flow.
@ -26,10 +26,10 @@ Add these annotations to the ingress you want to protect
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: |-
http://outpost.company:9000/akprox/auth/nginx
http://outpost.company:9000/outpost.goauthentik.io/auth/nginx
# If you're using domain-level auth, use the authentication URL instead of the application URL
nginx.ingress.kubernetes.io/auth-signin: |-
https://app.company/akprox/start
https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |


@ -12,7 +12,7 @@ location / {
proxy_pass $forward_scheme://$server:$port;
# authentik-specific config
auth_request /akprox/auth/nginx;
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
@ -31,9 +31,9 @@ location / {
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /akprox must be accessible without authentication
location /akprox {
proxy_pass http://outpost.company:9000/akprox;
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
@ -47,8 +47,8 @@ location /akprox {
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
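Review bot: In the `@goauthentik_proxy_signin` location, `return 302 /outpost.goauthentik.io/start?rd=$request_uri;` puts the raw request URI into the `rd` query parameter without escaping, whereas the ingress annotation updated in this same commit uses `$escaped_request_uri`. A request URI that carries its own query string containing `&` will presumably be split when the start endpoint parses it, so the post-login redirect can lose parameters or have them read as parameters of `/start`. As far as I know stock nginx has no built-in escaped variant, so at minimum add a comment above the line such as `# rd is not URL-encoded; query strings containing & may be truncated after login`. The commented domain-level variant also builds `rd` from `$http_host`, which is client-supplied, so it relies on the outpost validating the redirect target (not visible here). The same lines appear in the standalone nginx section that follows.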


@ -19,7 +19,7 @@ server {
# proxy_pass http://localhost:5000;
# authentik-specific config
auth_request /akprox/auth/nginx;
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
@ -38,9 +38,9 @@ server {
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /akprox must be accessible without authentication
location /akprox {
proxy_pass http://outpost.company:9000/akprox;
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
@ -54,9 +54,9 @@ server {
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /akprox/start?rd=$request_uri;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
}
```


@ -30,9 +30,9 @@ services:
labels:
traefik.enable: true
traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`)
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped
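Review bot: `traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true` is kept next to the updated forward-auth address, and it tells Traefik to pass through the `X-Forwarded-*` headers that arrived with the request instead of replacing them. If this Traefik instance is the internet-facing edge, those headers are client-controlled, and the outpost behind `/outpost.goauthentik.io/auth/traefik` would presumably base its decision on them. Consider a comment above the label such as `# only enable when a trusted proxy in front of Traefik sets X-Forwarded-*`, or set it to `false` where Traefik is the edge. The same setting appears in the `forwardAuth` blocks of the two following Traefik sections; the service definition here starts and ends outside this hunk.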


@ -7,7 +7,7 @@ metadata:
name: authentik
spec:
forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
@ -41,7 +41,7 @@ spec:
services: # Unchanged
# This part is only required for single-app setups
- kind: Rule
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service


@ -3,7 +3,7 @@ http:
middlewares:
authentik:
forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
@ -25,7 +25,7 @@ http:
priority: 10
services: # Unchanged
default-router-auth:
match: "Host(`app.company`) && PathPrefix(`/akprox/`)"
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services: http://outpost.company:9000/akprox
services: http://outpost.company:9000/outpost.goauthentik.io
```


@ -27,7 +27,7 @@ applications to different users.
The only configuration difference between single application and domain level is the host you specify.
For single application, you'd use the domain which the application is running on, and only /akprox
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
is redirected to the outpost.
For domain level, you'd use the same domain as authentik.


@ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a
Login is done automatically when you visit the domain without a valid cookie.
When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`.
When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`.
To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests