Revert "website/docs: revert to akprox for now"
This reverts commit 9070df6c26.
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
# Conflicts:
#	website/docs/providers/proxy/_nginx_ingress.md
#	website/docs/providers/proxy/_nginx_proxy_manager.md
#	website/docs/providers/proxy/_nginx_standalone.md
			
			
		| @ -26,7 +26,7 @@ Make sure to set it to full URL, only configuring a hostname or FQDN will not wo | ||||
| Routing is handled like this: | ||||
|  | ||||
| 1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files. | ||||
| 2. Paths starting with `/akprox` are sent to the embedded outpost. | ||||
| 2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost. | ||||
| 3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost. | ||||
| 4. Everything remaining is sent to the authentik backend server. | ||||
|  | ||||
|  | ||||
| @ -26,7 +26,7 @@ The container is created with the following hardcoded properties: | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)` | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service` | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/akprox/ping" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000" | ||||
|  | ||||
|  | ||||
| @ -15,7 +15,7 @@ spec: | ||||
|           # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname | ||||
|           serviceName: ak-outpost-example-outpost | ||||
|           servicePort: 9000 | ||||
|         path: /akprox | ||||
|         path: /outpost.goauthentik.io | ||||
| ``` | ||||
|  | ||||
| This ingress handles authentication requests, and the sign-in flow. | ||||
| @ -26,10 +26,10 @@ Add these annotations to the ingress you want to protect | ||||
| metadata: | ||||
|   annotations: | ||||
|     nginx.ingress.kubernetes.io/auth-url: |- | ||||
|       http://outpost.company:9000/akprox/auth/nginx | ||||
|       http://outpost.company:9000/outpost.goauthentik.io/auth/nginx | ||||
|     # If you're using domain-level auth, use the authentication URL instead of the application URL | ||||
|     nginx.ingress.kubernetes.io/auth-signin: |- | ||||
|       https://app.company/akprox/start | ||||
|       https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri | ||||
|     nginx.ingress.kubernetes.io/auth-response-headers: |- | ||||
|       Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid | ||||
|     nginx.ingress.kubernetes.io/auth-snippet: | | ||||
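Review bot: The new `auth-signin` value sets `rd=$escaped_request_uri`, which carries only the path and query of the original request, while the comment above it tells domain-level users to put the authentication URL on this line. In that setup the original host is not part of `rd`, so after login the user would presumably land on the authentication host rather than the application. The nginx snippets in this commit use `rd=$scheme://$http_host$request_uri` for the domain-level case. A comment such as `# single-application only; for domain-level include scheme and host in rd` would make the difference explicit.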
|  | ||||
| @ -12,7 +12,7 @@ location / { | ||||
|     proxy_pass          $forward_scheme://$server:$port; | ||||
|  | ||||
|     # authentik-specific config | ||||
|     auth_request        /akprox/auth/nginx; | ||||
|     auth_request        /outpost.goauthentik.io/auth/nginx; | ||||
|     error_page          401 = @goauthentik_proxy_signin; | ||||
|     auth_request_set $auth_cookie $upstream_http_set_cookie; | ||||
|     add_header Set-Cookie $auth_cookie; | ||||
| @ -31,9 +31,9 @@ location / { | ||||
|     proxy_set_header X-authentik-uid $authentik_uid; | ||||
| } | ||||
|  | ||||
| # all requests to /akprox must be accessible without authentication | ||||
| location /akprox { | ||||
|     proxy_pass          http://outpost.company:9000/akprox; | ||||
| # all requests to /outpost.goauthentik.io must be accessible without authentication | ||||
| location /outpost.goauthentik.io { | ||||
|     proxy_pass          http://outpost.company:9000/outpost.goauthentik.io; | ||||
|     # ensure the host of this vserver matches your external URL you've configured | ||||
|     # in authentik | ||||
|     proxy_set_header    Host $host; | ||||
| @ -47,8 +47,8 @@ location /akprox { | ||||
| location @goauthentik_proxy_signin { | ||||
|     internal; | ||||
|     add_header Set-Cookie $auth_cookie; | ||||
|     return 302 /akprox/start?rd=$request_uri; | ||||
|     return 302 /outpost.goauthentik.io/start?rd=$request_uri; | ||||
|     # For domain level, use the below error_page to redirect to your authentik server with the full redirect path | ||||
|     # return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; | ||||
|     # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; | ||||
| } | ||||
| ``` | ||||
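Review bot: The sign-in redirect in `@goauthentik_proxy_signin` puts `$request_uri` into the `rd` query parameter without URL-encoding, so an original URL that carries its own query string is split at the first `&` and the rest is read as separate parameters of `/outpost.goauthentik.io/start`. The ingress annotation in this same commit uses `$escaped_request_uri`, which plain nginx does not provide, so the snippet at least needs a comment such as `# rd is not URL-encoded; a query string containing & is cut short after login`. The commented domain-level variant builds the redirect target from `$http_host`, which comes from the client's Host header, so it is only safe when `server_name` restricts which hosts reach this block; writing the literal application hostname removes that dependency. Whether the outpost validates `rd` is not visible here. The same lines appear in the standalone nginx snippet further down.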
|  | ||||
| @ -19,7 +19,7 @@ server { | ||||
|         # proxy_pass          http://localhost:5000; | ||||
|  | ||||
|         # authentik-specific config | ||||
|         auth_request        /akprox/auth/nginx; | ||||
|         auth_request        /outpost.goauthentik.io/auth/nginx; | ||||
|         error_page          401 = @goauthentik_proxy_signin; | ||||
|         auth_request_set $auth_cookie $upstream_http_set_cookie; | ||||
|         add_header Set-Cookie $auth_cookie; | ||||
| @ -38,9 +38,9 @@ server { | ||||
|         proxy_set_header X-authentik-uid $authentik_uid; | ||||
|     } | ||||
|  | ||||
|     # all requests to /akprox must be accessible without authentication | ||||
|     location /akprox { | ||||
|         proxy_pass          http://outpost.company:9000/akprox; | ||||
|     # all requests to /outpost.goauthentik.io must be accessible without authentication | ||||
|     location /outpost.goauthentik.io { | ||||
|         proxy_pass          http://outpost.company:9000/outpost.goauthentik.io; | ||||
|         # ensure the host of this vserver matches your external URL you've configured | ||||
|         # in authentik | ||||
|         proxy_set_header    Host $host; | ||||
| @ -54,9 +54,9 @@ server { | ||||
|     location @goauthentik_proxy_signin { | ||||
|         internal; | ||||
|         add_header Set-Cookie $auth_cookie; | ||||
|         return 302 /akprox/start?rd=$request_uri; | ||||
|         return 302 /outpost.goauthentik.io/start?rd=$request_uri; | ||||
|         # For domain level, use the below error_page to redirect to your authentik server with the full redirect path | ||||
|         # return 302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; | ||||
|         # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; | ||||
|     } | ||||
| } | ||||
| ``` | ||||
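Review bot: `location /outpost.goauthentik.io` is a prefix match without a trailing slash, so the block that is documented as reachable without authentication also covers any sibling path that merely starts with that string, for example `/outpost.goauthentik.io-old` (constructed). The Traefik rules changed in this commit match the same prefix with a trailing slash. If the outpost never needs the bare path, `location /outpost.goauthentik.io/ {` with `proxy_pass http://outpost.company:9000/outpost.goauthentik.io/;` keeps the unauthenticated exemption to the outpost's own endpoints. The proxy-manager snippet above has the same block.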
|  | ||||
| @ -30,9 +30,9 @@ services: | ||||
|     labels: | ||||
|       traefik.enable: true | ||||
|       traefik.port: 9000 | ||||
|       traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/akprox/`) | ||||
|       traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`) | ||||
|       # `authentik-proxy` refers to the service name in the compose file. | ||||
|       traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik | ||||
|       traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik | ||||
|       traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true | ||||
|       traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version | ||||
|     restart: unless-stopped | ||||
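Review bot: The forward-auth middleware keeps `trustForwardHeader: true` next to the changed `forwardauth.address`, and the snippet does not say when that setting is appropriate. With it enabled Traefik passes the `X-Forwarded-*` headers it received on to the outpost instead of replacing them, so it belongs only in setups where Traefik sits behind another proxy that overwrites those headers. A comment such as `# only when a trusted proxy in front of Traefik sets X-Forwarded-*` would cover it, assuming the outpost uses these headers to pick the provider and build redirects, which this page does not show. The Traefik ingress and standalone snippets below carry the same setting.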
|  | ||||
| @ -7,7 +7,7 @@ metadata: | ||||
|   name: authentik | ||||
| spec: | ||||
|   forwardAuth: | ||||
|     address: http://outpost.company:9000/akprox/auth/traefik | ||||
|     address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik | ||||
|     trustForwardHeader: true | ||||
|     authResponseHeaders: | ||||
|       - X-authentik-username | ||||
| @ -41,7 +41,7 @@ spec: | ||||
|       services: # Unchanged | ||||
|     # This part is only required for single-app setups | ||||
|     - kind: Rule | ||||
|       match: "Host(`app.company`) && PathPrefix(`/akprox/`)" | ||||
|       match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" | ||||
|       priority: 15 | ||||
|       services: | ||||
|         - kind: Service | ||||
|  | ||||
| @ -3,7 +3,7 @@ http: | ||||
|   middlewares: | ||||
|     authentik: | ||||
|       forwardAuth: | ||||
|         address: http://outpost.company:9000/akprox/auth/traefik | ||||
|         address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik | ||||
|         trustForwardHeader: true | ||||
|         authResponseHeaders: | ||||
|           - X-authentik-username | ||||
| @ -25,7 +25,7 @@ http: | ||||
|       priority: 10 | ||||
|       services: # Unchanged | ||||
|     default-router-auth: | ||||
|       match: "Host(`app.company`) && PathPrefix(`/akprox/`)" | ||||
|       match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" | ||||
|       priority: 15 | ||||
|       services: http://outpost.company:9000/akprox | ||||
|       services: http://outpost.company:9000/outpost.goauthentik.io | ||||
| ``` | ||||
|  | ||||
| @ -27,7 +27,7 @@ applications to different users. | ||||
|  | ||||
| The only configuration difference between single application and domain level is the host you specify. | ||||
|  | ||||
| For single application, you'd use the domain which the application is running on, and only /akprox | ||||
| For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io | ||||
| is redirected to the outpost. | ||||
|  | ||||
| For domain level, you'd use the same domain as authentik. | ||||
|  | ||||
| @ -64,11 +64,11 @@ If your upstream host is HTTPS, and you're not using forward auth, you need to a | ||||
|  | ||||
| Login is done automatically when you visit the domain without a valid cookie. | ||||
|  | ||||
| When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`. | ||||
| When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`. | ||||
|  | ||||
| When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider. | ||||
| When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider. | ||||
|  | ||||
| To log out, navigate to `/akprox/sign_out`. | ||||
| To log out, navigate to `/outpost.goauthentik.io/sign_out`. | ||||
|  | ||||
| ## Allowing unauthenticated requests | ||||
|  | ||||
|  | ||||
| @ -10,7 +10,7 @@ slug: "2021.8" | ||||
|     To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. | ||||
|  | ||||
|     You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. | ||||
|     Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/akprox` is sent to the outpost too. The rest is sent to authentik itself. | ||||
|     Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself. | ||||
|  | ||||
| - App passwords | ||||
|  | ||||
|  | ||||
| @ -47,7 +47,7 @@ This release mostly removes legacy fields and features that have been deprecated | ||||
| - internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist | ||||
| - internal: use math.MaxInt for compatibility | ||||
| - lifecycle: add early check for missing/invalid secret key | ||||
| - outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier | ||||
| - outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier | ||||
| - outposts/proxyv2: fix before-redirect url not being saved in proxy mode | ||||
| - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost | ||||
| - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard | ||||
| @ -64,7 +64,7 @@ This release mostly removes legacy fields and features that have been deprecated | ||||
|  | ||||
| ## Fixed in 2022.1.2 | ||||
|  | ||||
| - internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted | ||||
| - internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted | ||||
| - lib: disable backup by default, add note to configuration | ||||
| - lifecycle: replace lowercase, deprecated prometheus_multiproc_dir | ||||
| - outposts: allow custom label for docker containers | ||||
|  | ||||