From 5e72ec9c0c9d826c048627180d96a3e94df7bedd Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Tue, 26 Nov 2024 15:38:23 +0100
Subject: [PATCH] root: support running authentik in subpath (#8675)

* initial subpath support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make outpost compatible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix static files somewhat

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web interface

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix most static stuff

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix most web links

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix websocket

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix URL for static files

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add root redirect for subpath

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set cookie path

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update internal/config/struct.go

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Jens L. <jens@beryju.org>

* fix sfe

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* bump required version

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix flow background

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lint and some more links

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix impersonate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Signed-off-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
---
 authentik/brands/api.py                       |  4 +-
 authentik/brands/models.py                    | 13 ++++
 authentik/core/templates/base/header_js.html  |  3 +
 authentik/core/templates/base/skeleton.html   |  4 +-
 authentik/core/templates/login/base_full.html |  6 +-
 authentik/core/views/interface.py             |  2 +
 .../providers/rac/templates/if/rac.html       |  4 +-
 authentik/flows/models.py                     |  9 ++-
 authentik/flows/templates/if/flow-sfe.html    |  4 +-
 authentik/lib/default.yml                     |  1 +
 authentik/lib/sentry.py                       |  3 +-
 authentik/root/settings.py                    |  4 +-
 authentik/root/urls.py                        |  9 ++-
 authentik/root/websocket.py                   | 14 +++-
 cmd/server/healthcheck.go                     |  2 +-
 cmd/server/server.go                          |  2 +-
 internal/config/struct.go                     |  5 ++
 internal/outpost/ak/api.go                    | 17 +++--
 internal/outpost/ak/api_ws.go                 |  5 +-
 internal/web/metrics.go                       |  2 +-
 internal/web/proxy.go                         | 10 ++-
 internal/web/static.go                        | 72 +++++++++++++------
 internal/web/web.go                           | 39 +++++-----
 web/packages/sfe/src/index.ts                 |  5 +-
 web/src/admin/AdminInterface/AdminSidebar.ts  |  3 +-
 web/src/admin/users/UserImpersonateForm.ts    |  3 +-
 web/src/common/api/config.ts                  |  2 +-
 web/src/common/global.ts                      |  6 ++
 web/src/common/ws.ts                          |  6 +-
 .../enterprise/EnterpriseStatusBanner.ts      |  5 +-
 web/src/elements/notifications/APIDrawer.ts   |  5 +-
 .../notifications/NotificationDrawer.ts       |  3 +-
 web/src/elements/sidebar/SidebarUser.ts       | 13 +++-
 web/src/flow/FlowExecutor.ts                  |  1 +
 web/src/flow/FlowInspector.ts                 |  6 +-
 web/src/flow/providers/SessionEnd.ts          |  5 +-
 web/src/user/LibraryApplication/index.ts      |  4 +-
 .../ak-library-application-empty-list.ts      |  4 +-
 web/src/user/UserInterface.ts                 |  5 +-
 .../details/UserSettingsFlowExecutor.ts       |  6 +-
 .../details/stages/prompt/PromptStage.ts      |  4 +-
 .../configuration/configuration.mdx           | 10 +++
 website/docs/install-config/reverse-proxy.md  |  2 +
 43 files changed, 236 insertions(+), 96 deletions(-)

diff --git a/authentik/brands/api.py b/authentik/brands/api.py
index 2f0486a688..5f730e0403 100644
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
-    branding_logo = CharField()
-    branding_favicon = CharField()
+    branding_logo = CharField(source="branding_logo_url")
+    branding_favicon = CharField(source="branding_favicon_url")
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,
diff --git a/authentik/brands/models.py b/authentik/brands/models.py
index 3a7bc775cf..12e975b1de 100644
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@@ -10,6 +10,7 @@ from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
+from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
@@ -71,6 +72,18 @@ class Brand(SerializerModel):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
+    def branding_logo_url(self) -> str:
+        """Get branding_logo with the correct prefix"""
+        if self.branding_logo.startswith("/static"):
+            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
+        return self.branding_logo
+
+    def branding_favicon_url(self) -> str:
+        """Get branding_favicon with the correct prefix"""
+        if self.branding_favicon.startswith("/static"):
+            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
+        return self.branding_favicon
+
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer
diff --git a/authentik/core/templates/base/header_js.html b/authentik/core/templates/base/header_js.html
index 4e1b53c2fa..944bf587ed 100644
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@@ -9,6 +9,9 @@
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
+        api: {
+            base: "{{ base_url }}",
+        },
     };
     window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
diff --git a/authentik/core/templates/base/skeleton.html b/authentik/core/templates/base/skeleton.html
index 074fcc1556..e2f063b071 100644
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
+        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
diff --git a/authentik/core/templates/login/base_full.html b/authentik/core/templates/login/base_full.html
index 483bae7245..cbab6c2ed5 100644
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head_before %}
-<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
+<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
+    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@@ -50,7 +50,7 @@
     <div class="ak-login-container">
         <main class="pf-c-login__main">
             <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
             </div>
             <header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">
diff --git a/authentik/core/views/interface.py b/authentik/core/views/interface.py
index 4a7d06b772..20fddf8606 100644
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@@ -16,6 +16,7 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
+from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 
@@ -51,6 +52,7 @@ class InterfaceView(TemplateView):
         kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
+        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
         return super().get_context_data(**kwargs)
 
 
diff --git a/authentik/enterprise/providers/rac/templates/if/rac.html b/authentik/enterprise/providers/rac/templates/if/rac.html
index fde3f30ad8..156d96085e 100644
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@@ -6,8 +6,8 @@
 <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
+<link rel="icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
 {% include "base/header_js.html" %}
 {% endblock %}
 
diff --git a/authentik/flows/models.py b/authentik/flows/models.py
index d871aab5ec..622fdff4e3 100644
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@@ -14,6 +14,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
+from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
@@ -177,9 +178,13 @@ class Flow(SerializerModel, PolicyBindingModel):
         """Get the URL to the background image. If the name is /static or starts with http
         it is returned as-is"""
         if not self.background:
-            return "/static/dist/assets/images/flow_background.jpg"
-        if self.background.name.startswith("http") or self.background.name.startswith("/static"):
+            return (
+                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
+            )
+        if self.background.name.startswith("http"):
             return self.background.name
+        if self.background.name.startswith("/static"):
+            return CONFIG.get("web.path", "/")[:-1] + self.background.name
         return self.background.url
 
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
diff --git a/authentik/flows/templates/if/flow-sfe.html b/authentik/flows/templates/if/flow-sfe.html
index b664fa8efa..abea71934b 100644
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
+        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 9d6d0dff1a..9a8289a0df 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -135,6 +135,7 @@ web:
   # No default here as it's set dynamically
   # workers: 2
   threads: 4
+  path: /
 
 worker:
   concurrency: 2
diff --git a/authentik/lib/sentry.py b/authentik/lib/sentry.py
index 9027d06e62..9f6793df4a 100644
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -36,6 +36,7 @@ from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import get_env
 
 LOGGER = get_logger()
+_root_path = CONFIG.get("web.path", "/")
 
 
 class SentryIgnoredException(Exception):
@@ -90,7 +91,7 @@ def traces_sampler(sampling_context: dict) -> float:
     path = sampling_context.get("asgi_scope", {}).get("path", "")
     _type = sampling_context.get("asgi_scope", {}).get("type", "")
     # Ignore all healthcheck routes
-    if path.startswith("/-/health") or path.startswith("/-/metrics"):
+    if path.startswith(f"{_root_path}-/health") or path.startswith(f"{_root_path}-/metrics"):
         return 0
     if _type == "websocket":
         return 0
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index afc5dccfa8..266085c150 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -32,6 +32,8 @@ LOGIN_URL = "authentik_flows:default-authentication"
 # Custom user model
 AUTH_USER_MODEL = "authentik_core.User"
 
+CSRF_COOKIE_PATH = LANGUAGE_COOKIE_PATH = SESSION_COOKIE_PATH = CONFIG.get("web.path", "/")
+
 CSRF_COOKIE_NAME = "authentik_csrf"
 CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
 LANGUAGE_COOKIE_NAME = "authentik_language"
@@ -427,7 +429,7 @@ if _ERROR_REPORTING:
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
 STATICFILES_DIRS = [BASE_DIR / Path("web")]
-STATIC_URL = "/static/"
+STATIC_URL = CONFIG.get("web.path", "/") + "static/"
 
 STORAGES = {
     "staticfiles": {
diff --git a/authentik/root/urls.py b/authentik/root/urls.py
index 1b03051fdd..b12eb83168 100644
--- a/authentik/root/urls.py
+++ b/authentik/root/urls.py
@@ -4,6 +4,7 @@ from django.urls import include, path
 from structlog.stdlib import get_logger
 
 from authentik.core.views import error
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 from authentik.root.monitoring import LiveView, MetricsView, ReadyView
 
@@ -14,7 +15,7 @@ handler403 = error.ForbiddenView.as_view()
 handler404 = error.NotFoundView.as_view()
 handler500 = error.ServerErrorView.as_view()
 
-urlpatterns = []
+_urlpatterns = []
 
 for _authentik_app in get_apps():
     mountpoints = None
@@ -35,7 +36,7 @@ for _authentik_app in get_apps():
                 namespace=namespace,
             ),
         )
-        urlpatterns.append(_path)
+        _urlpatterns.append(_path)
         LOGGER.debug(
             "Mounted URLs",
             app_name=_authentik_app.name,
@@ -43,8 +44,10 @@ for _authentik_app in get_apps():
             namespace=namespace,
         )
 
-urlpatterns += [
+_urlpatterns += [
     path("-/metrics/", MetricsView.as_view(), name="metrics"),
     path("-/health/live/", LiveView.as_view(), name="health-live"),
     path("-/health/ready/", ReadyView.as_view(), name="health-ready"),
 ]
+
+urlpatterns = [path(CONFIG.get("web.path", "/")[1:], include(_urlpatterns))]
diff --git a/authentik/root/websocket.py b/authentik/root/websocket.py
index 560a39c07d..70fec2055f 100644
--- a/authentik/root/websocket.py
+++ b/authentik/root/websocket.py
@@ -2,13 +2,16 @@
 
 from importlib import import_module
 
+from channels.routing import URLRouter
+from django.urls import path
 from structlog.stdlib import get_logger
 
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 
 LOGGER = get_logger()
 
-websocket_urlpatterns = []
+_websocket_urlpatterns = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
@@ -17,8 +20,15 @@ for _authentik_app in get_apps():
     if not hasattr(api_urls, "websocket_urlpatterns"):
         continue
     urls: list = api_urls.websocket_urlpatterns
-    websocket_urlpatterns.extend(urls)
+    _websocket_urlpatterns.extend(urls)
     LOGGER.debug(
         "Mounted Websocket URLs",
         app_name=_authentik_app.name,
     )
+
+websocket_urlpatterns = [
+    path(
+        CONFIG.get("web.path", "/")[1:],
+        URLRouter(_websocket_urlpatterns),
+    ),
+]
diff --git a/cmd/server/healthcheck.go b/cmd/server/healthcheck.go
index d37cfb483e..0f0ccec029 100644
--- a/cmd/server/healthcheck.go
+++ b/cmd/server/healthcheck.go
@@ -47,7 +47,7 @@ func checkServer() int {
 	h := &http.Client{
 		Transport: web.NewUserAgentTransport("goauthentik.io/healthcheck", http.DefaultTransport),
 	}
-	url := fmt.Sprintf("http://%s/-/health/live/", config.Get().Listen.HTTP)
+	url := fmt.Sprintf("http://%s%s-/health/live/", config.Get().Listen.HTTP, config.Get().Web.Path)
 	res, err := h.Head(url)
 	if err != nil {
 		log.WithError(err).Warning("failed to send healthcheck request")
diff --git a/cmd/server/server.go b/cmd/server/server.go
index 9324c984de..a09451d125 100644
--- a/cmd/server/server.go
+++ b/cmd/server/server.go
@@ -61,7 +61,7 @@ var rootCmd = &cobra.Command{
 		ex := common.Init()
 		defer common.Defer()
 
-		u, err := url.Parse(fmt.Sprintf("http://%s", config.Get().Listen.HTTP))
+		u, err := url.Parse(fmt.Sprintf("http://%s%s", config.Get().Listen.HTTP, config.Get().Web.Path))
 		if err != nil {
 			panic(err)
 		}
diff --git a/internal/config/struct.go b/internal/config/struct.go
index 17dd3ba246..a9252ec4e3 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -14,6 +14,7 @@ type Config struct {
 	// Config for both core and outposts
 	Debug  bool         `yaml:"debug" env:"AUTHENTIK_DEBUG, overwrite"`
 	Listen ListenConfig `yaml:"listen" env:", prefix=AUTHENTIK_LISTEN__"`
+	Web    WebConfig    `yaml:"web" env:", prefix=AUTHENTIK_WEB__"`
 
 	// Outpost specific config
 	// These are only relevant for proxy/ldap outposts, and cannot be set via YAML
@@ -72,3 +73,7 @@ type OutpostConfig struct {
 	Discover               bool   `yaml:"discover" env:"DISCOVER, overwrite"`
 	DisableEmbeddedOutpost bool   `yaml:"disable_embedded_outpost" env:"DISABLE_EMBEDDED_OUTPOST, overwrite"`
 }
+
+type WebConfig struct {
+	Path string `yaml:"path" env:"PATH, overwrite"`
+}
diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index 2def064273..fd8050042a 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@@ -56,10 +56,10 @@ type APIController struct {
 func NewAPIController(akURL url.URL, token string) *APIController {
 	rsp := sentry.StartSpan(context.Background(), "authentik.outposts.init")
 
-	config := api.NewConfiguration()
-	config.Host = akURL.Host
-	config.Scheme = akURL.Scheme
-	config.HTTPClient = &http.Client{
+	apiConfig := api.NewConfiguration()
+	apiConfig.Host = akURL.Host
+	apiConfig.Scheme = akURL.Scheme
+	apiConfig.HTTPClient = &http.Client{
 		Transport: web.NewUserAgentTransport(
 			constants.OutpostUserAgent(),
 			web.NewTracingTransport(
@@ -68,10 +68,15 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 			),
 		),
 	}
-	config.AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %s", token))
+	apiConfig.Servers = api.ServerConfigurations{
+		{
+			URL: fmt.Sprintf("%sapi/v3", akURL.Path),
+		},
+	}
+	apiConfig.AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %s", token))
 
 	// create the API client, with the transport
-	apiClient := api.NewAPIClient(config)
+	apiClient := api.NewAPIClient(apiConfig)
 
 	log := log.WithField("logger", "authentik.outpost.ak-api-controller")
 
diff --git a/internal/outpost/ak/api_ws.go b/internal/outpost/ak/api_ws.go
index cda7bd03d2..3b450736e6 100644
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@@ -17,7 +17,7 @@ import (
 )
 
 func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
-	pathTemplate := "%s://%s/ws/outpost/%s/?%s"
+	pathTemplate := "%s://%s%sws/outpost/%s/?%s"
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
 	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")
@@ -37,7 +37,7 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 		},
 	}
 
-	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, outpostUUID, akURL.Query().Encode()), header)
+	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, akURL.Path, outpostUUID, akURL.Query().Encode()), header)
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to connect websocket")
 		return err
@@ -83,6 +83,7 @@ func (ac *APIController) reconnectWS() {
 	u := url.URL{
 		Host:   ac.Client.GetConfig().Host,
 		Scheme: ac.Client.GetConfig().Scheme,
+		Path:   strings.ReplaceAll(ac.Client.GetConfig().Servers[0].URL, "api/v3", ""),
 	}
 	attempt := 1
 	for {
diff --git a/internal/web/metrics.go b/internal/web/metrics.go
index 40d9671f6e..21778ba99e 100644
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@@ -46,7 +46,7 @@ func (ws *WebServer) runMetricsServer() {
 		).ServeHTTP(rw, r)
 
 		// Get upstream metrics
-		re, err := http.NewRequest("GET", fmt.Sprintf("%s/-/metrics/", ws.ul.String()), nil)
+		re, err := http.NewRequest("GET", fmt.Sprintf("%s%s-/metrics/", ws.upstreamURL.String(), config.Get().Web.Path), nil)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
diff --git a/internal/web/proxy.go b/internal/web/proxy.go
index ccc9bd0eb0..8961fc7d09 100644
--- a/internal/web/proxy.go
+++ b/internal/web/proxy.go
@@ -9,14 +9,15 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/sentry"
 )
 
 func (ws *WebServer) configureProxy() {
 	// Reverse proxy to the application server
 	director := func(req *http.Request) {
-		req.URL.Scheme = ws.ul.Scheme
-		req.URL.Host = ws.ul.Host
+		req.URL.Scheme = ws.upstreamURL.Scheme
+		req.URL.Host = ws.upstreamURL.Host
 		if _, ok := req.Header["User-Agent"]; !ok {
 			// explicitly disable User-Agent so it's not set to default value
 			req.Header.Set("User-Agent", "")
@@ -32,7 +33,10 @@ func (ws *WebServer) configureProxy() {
 	}
 	rp.ErrorHandler = ws.proxyErrorHandler
 	rp.ModifyResponse = ws.proxyModifyResponse
-	ws.m.PathPrefix("/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
+	ws.mainRouter.PathPrefix(config.Get().Web.Path).Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
+		rw.WriteHeader(204)
+	}))
+	ws.mainRouter.PathPrefix(config.Get().Web.Path).HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
 		if !ws.g.IsRunning() {
 			ws.proxyErrorHandler(rw, r, errors.New("authentik starting"))
 			return
diff --git a/internal/web/static.go b/internal/web/static.go
index 650e38b058..33a538179a 100644
--- a/internal/web/static.go
+++ b/internal/web/static.go
@@ -14,46 +14,74 @@ import (
 )
 
 func (ws *WebServer) configureStatic() {
-	staticRouter := ws.lh.NewRoute().Subrouter()
+	// Setup routers
+	staticRouter := ws.loggingRouter.NewRoute().Subrouter()
 	staticRouter.Use(ws.staticHeaderMiddleware)
-	staticRouter.Use(web.DisableIndex)
+	indexLessRouter := staticRouter.NewRoute().Subrouter()
+	// Specifically disable index
+	indexLessRouter.Use(web.DisableIndex)
 
 	distFs := http.FileServer(http.Dir("./web/dist"))
-	authentikHandler := http.StripPrefix("/static/authentik/", http.FileServer(http.Dir("./web/authentik")))
 
-	// Root file paths, from which they should be accessed
-	staticRouter.PathPrefix("/static/dist/").Handler(http.StripPrefix("/static/dist/", distFs))
-	staticRouter.PathPrefix("/static/authentik/").Handler(authentikHandler)
+	pathStripper := func(handler http.Handler, paths ...string) http.Handler {
+		h := handler
+		for _, path := range paths {
+			h = http.StripPrefix(path, h)
+		}
+		return h
+	}
 
-	// Also serve assets folder in specific interfaces since fonts in patternfly are imported
-	// with a relative path
-	staticRouter.PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	helpHandler := http.FileServer(http.Dir("./website/help/"))
+
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
+		distFs,
+		"static/dist/",
+		config.Get().Web.Path,
+	))
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/authentik/").Handler(pathStripper(
+		http.FileServer(http.Dir("./web/authentik")),
+		"static/authentik/",
+		config.Get().Web.Path,
+	))
+
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
-		web.DisableIndex(http.StripPrefix(fmt.Sprintf("/if/flow/%s", vars["flow_slug"]), distFs)).ServeHTTP(rw, r)
+		pathStripper(
+			distFs,
+			"if/flow/"+vars["flow_slug"],
+			config.Get().Web.Path,
+		).ServeHTTP(rw, r)
 	})
-	staticRouter.PathPrefix("/if/admin/assets").Handler(http.StripPrefix("/if/admin", distFs))
-	staticRouter.PathPrefix("/if/user/assets").Handler(http.StripPrefix("/if/user", distFs))
-	staticRouter.PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/admin/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/admin", config.Get().Web.Path), distFs))
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/user/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/user", config.Get().Web.Path), distFs))
+	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
-		web.DisableIndex(http.StripPrefix(fmt.Sprintf("/if/rac/%s", vars["app_slug"]), distFs)).ServeHTTP(rw, r)
+		pathStripper(
+			distFs,
+			"if/rac/"+vars["app_slug"],
+			config.Get().Web.Path,
+		).ServeHTTP(rw, r)
 	})
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
 		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
-		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
-		    fsMedia.ServeHTTP(w, r)
+		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+			fsMedia.ServeHTTP(w, r)
 		})
 	}
 
-	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
-	staticRouter.PathPrefix("/help").Handler(http.RedirectHandler("/if/help/", http.StatusMovedPermanently))
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(
+		helpHandler,
+		config.Get().Web.Path,
+		"/if/help/",
+	))
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/help").Handler(http.RedirectHandler(fmt.Sprintf("%sif/help/", config.Get().Web.Path), http.StatusMovedPermanently))
 
-	// Static misc files
-	ws.lh.Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	staticRouter.PathPrefix(config.Get().Web.Path).Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)
 		_, err := rw.Write(staticWeb.RobotsTxt)
@@ -61,7 +89,7 @@ func (ws *WebServer) configureStatic() {
 			ws.log.WithError(err).Warning("failed to write response")
 		}
 	})
-	ws.lh.Path("/.well-known/security.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	staticRouter.PathPrefix(config.Get().Web.Path).Path("/.well-known/security.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)
 		_, err := rw.Write(staticWeb.SecurityTxt)
diff --git a/internal/web/web.go b/internal/web/web.go
index 186dd4ddf0..6729b688e8 100644
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -33,13 +33,13 @@ type WebServer struct {
 	ProxyServer *proxyv2.ProxyServer
 	BrandTLS    *brand_tls.Watcher
 
-	g   *gounicorn.GoUnicorn
-	gr  bool
-	m   *mux.Router
-	lh  *mux.Router
-	log *log.Entry
-	uc  *http.Client
-	ul  *url.URL
+	g              *gounicorn.GoUnicorn
+	gunicornReady  bool
+	mainRouter     *mux.Router
+	loggingRouter  *mux.Router
+	log            *log.Entry
+	upstreamClient *http.Client
+	upstreamURL    *url.URL
 }
 
 const UnixSocketName = "authentik-core.sock"
@@ -73,17 +73,22 @@ func NewWebServer() *WebServer {
 	u, _ := url.Parse("http://localhost:8000")
 
 	ws := &WebServer{
-		m:   mainHandler,
-		lh:  loggingHandler,
-		log: l,
-		gr:  true,
-		uc:  upstreamClient,
-		ul:  u,
+		mainRouter:     mainHandler,
+		loggingRouter:  loggingHandler,
+		log:            l,
+		gunicornReady:  true,
+		upstreamClient: upstreamClient,
+		upstreamURL:    u,
 	}
 	ws.configureStatic()
 	ws.configureProxy()
+	// Redirect for sub-folder
+	if sp := config.Get().Web.Path; sp != "/" {
+		ws.mainRouter.Path("/").Handler(http.RedirectHandler(sp, http.StatusFound))
+	}
+	hcUrl := fmt.Sprintf("%s%s-/health/live/", ws.upstreamURL.String(), config.Get().Web.Path)
 	ws.g = gounicorn.New(func() bool {
-		req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/-/health/live/", ws.ul.String()), nil)
+		req, err := http.NewRequest(http.MethodGet, hcUrl, nil)
 		if err != nil {
 			ws.log.WithError(err).Warning("failed to create request for healthcheck")
 			return false
@@ -107,7 +112,7 @@ func (ws *WebServer) Start() {
 
 func (ws *WebServer) attemptStartBackend() {
 	for {
-		if !ws.gr {
+		if !ws.gunicornReady {
 			return
 		}
 		err := ws.g.Start()
@@ -135,7 +140,7 @@ func (ws *WebServer) Core() *gounicorn.GoUnicorn {
 }
 
 func (ws *WebServer) upstreamHttpClient() *http.Client {
-	return ws.uc
+	return ws.upstreamClient
 }
 
 func (ws *WebServer) Shutdown() {
@@ -160,7 +165,7 @@ func (ws *WebServer) listenPlain() {
 
 func (ws *WebServer) serve(listener net.Listener) {
 	srv := &http.Server{
-		Handler: ws.m,
+		Handler: ws.mainRouter,
 	}
 
 	// See https://golang.org/pkg/net/http/#Server.Shutdown
diff --git a/web/packages/sfe/src/index.ts b/web/packages/sfe/src/index.ts
index 4a027bc8fc..93620e58ed 100644
--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@@ -20,6 +20,9 @@ interface GlobalAuthentik {
     brand: {
         branding_logo: string;
     };
+    api: {
+        base: string;
+    };
 }
 
 function ak(): GlobalAuthentik {
@@ -41,7 +44,7 @@ class SimpleFlowExecutor {
     }
 
     get apiURL() {
-        return `/api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
+        return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
     }
 
     start() {
diff --git a/web/src/admin/AdminInterface/AdminSidebar.ts b/web/src/admin/AdminInterface/AdminSidebar.ts
index d2ac789152..f171c9ce88 100644
--- a/web/src/admin/AdminInterface/AdminSidebar.ts
+++ b/web/src/admin/AdminInterface/AdminSidebar.ts
@@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_SIDEBAR_TOGGLE, VERSION } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { me } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
 import {
@@ -112,7 +113,7 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(AKElement) {
 
         // prettier-ignore
         const sidebarContent: SidebarEntry[] = [
-            ["/if/user/", msg("User interface"), { "?isAbsoluteLink": true, "?highlight": true }],
+            [`${globalAK().api.base}if/user/`, msg("User interface"), { "?isAbsoluteLink": true, "?highlight": true }],
             [null, msg("Dashboards"), { "?expanded": true }, [
                 ["/administration/overview", msg("Overview")],
                 ["/administration/dashboard/users", msg("User Statistics")],
diff --git a/web/src/admin/users/UserImpersonateForm.ts b/web/src/admin/users/UserImpersonateForm.ts
index 756f1ae7ab..153a47a039 100644
--- a/web/src/admin/users/UserImpersonateForm.ts
+++ b/web/src/admin/users/UserImpersonateForm.ts
@@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { globalAK } from "@goauthentik/common/global";
 import "@goauthentik/components/ak-text-input";
 import { Form } from "@goauthentik/elements/forms/Form";
 
@@ -20,7 +21,7 @@ export class UserImpersonateForm extends Form<ImpersonationRequest> {
                 impersonationRequest: data,
             })
             .then(() => {
-                window.location.href = "/";
+                window.location.href = globalAK().api.base;
             });
     }
 
diff --git a/web/src/common/api/config.ts b/web/src/common/api/config.ts
index 52b2f8f55c..7464564bd4 100644
--- a/web/src/common/api/config.ts
+++ b/web/src/common/api/config.ts
@@ -68,7 +68,7 @@ export function getMetaContent(key: string): string {
 }
 
 export const DEFAULT_CONFIG = new Configuration({
-    basePath: (process.env.AK_API_BASE_PATH || window.location.origin) + "/api/v3",
+    basePath: `${globalAK().api.base}api/v3`,
     headers: {
         "sentry-trace": getMetaContent("sentry-trace"),
     },
diff --git a/web/src/common/global.ts b/web/src/common/global.ts
index 990303df0d..7e6046def2 100644
--- a/web/src/common/global.ts
+++ b/web/src/common/global.ts
@@ -11,6 +11,9 @@ export interface GlobalAuthentik {
     versionFamily: string;
     versionSubdomain: string;
     build: string;
+    api: {
+        base: string;
+    };
 }
 
 export interface AuthentikWindow {
@@ -35,6 +38,9 @@ export function globalAK(): GlobalAuthentik {
             versionFamily: "",
             versionSubdomain: "",
             build: "",
+            api: {
+                base: process.env.AK_API_BASE_PATH || window.location.origin,
+            },
         };
     }
     return ak;
diff --git a/web/src/common/ws.ts b/web/src/common/ws.ts
index 29823d603b..8c6c9b26eb 100644
--- a/web/src/common/ws.ts
+++ b/web/src/common/ws.ts
@@ -1,4 +1,5 @@
 import { EVENT_MESSAGE, EVENT_WS_MESSAGE } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { MessageLevel } from "@goauthentik/common/messages";
 
 import { msg } from "@lit/localize";
@@ -21,9 +22,8 @@ export class WebsocketClient {
 
     connect(): void {
         if (navigator.webdriver) return;
-        const wsUrl = `${window.location.protocol.replace("http", "ws")}//${
-            window.location.host
-        }/ws/client/`;
+        const apiURL = new URL(globalAK().api.base);
+        const wsUrl = `${window.location.protocol.replace("http", "ws")}//${apiURL.host}${apiURL.pathname}ws/client/`;
         this.messageSocket = new WebSocket(wsUrl);
         this.messageSocket.addEventListener("open", () => {
             console.debug(`authentik/ws: connected to ${wsUrl}`);
diff --git a/web/src/elements/enterprise/EnterpriseStatusBanner.ts b/web/src/elements/enterprise/EnterpriseStatusBanner.ts
index 34a779db12..7a7d36208a 100644
--- a/web/src/elements/enterprise/EnterpriseStatusBanner.ts
+++ b/web/src/elements/enterprise/EnterpriseStatusBanner.ts
@@ -1,3 +1,4 @@
+import { globalAK } from "@goauthentik/common/global";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider";
 
@@ -75,7 +76,9 @@ export class EnterpriseStatusBanner extends WithLicenseSummary(AKElement) {
                 : "pf-m-gold"}"
         >
             ${message}
-            <a href="/if/admin/#/enterprise/licenses"> ${msg("Click here for more info.")} </a>
+            <a href="${globalAK().api.base}if/admin/#/enterprise/licenses"
+                >${msg("Click here for more info.")}</a
+            >
         </div>`;
     }
 
diff --git a/web/src/elements/notifications/APIDrawer.ts b/web/src/elements/notifications/APIDrawer.ts
index 68de3bb57c..c460a327dc 100644
--- a/web/src/elements/notifications/APIDrawer.ts
+++ b/web/src/elements/notifications/APIDrawer.ts
@@ -1,5 +1,6 @@
 import { RequestInfo } from "@goauthentik/common/api/middleware";
 import { EVENT_API_DRAWER_TOGGLE, EVENT_REQUEST_POST } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { AKElement } from "@goauthentik/elements/Base";
 
 import { msg } from "@lit/localize";
@@ -86,7 +87,9 @@ export class APIDrawer extends AKElement {
                         <h1 class="pf-c-notification-drawer__header-title">
                             ${msg("API Requests")}
                         </h1>
-                        <a href="/api/v3/" target="_blank">${msg("Open API Browser")}</a>
+                        <a href="${globalAK().api.base}api/v3/" target="_blank"
+                            >${msg("Open API Browser")}</a
+                        >
                     </div>
                     <div class="pf-c-notification-drawer__header-action">
                         <div class="pf-c-notification-drawer__header-action-close">
diff --git a/web/src/elements/notifications/NotificationDrawer.ts b/web/src/elements/notifications/NotificationDrawer.ts
index beaae682a6..88c7ad5913 100644
--- a/web/src/elements/notifications/NotificationDrawer.ts
+++ b/web/src/elements/notifications/NotificationDrawer.ts
@@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_NOTIFICATION_DRAWER_TOGGLE, EVENT_REFRESH } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { actionToLabel } from "@goauthentik/common/labels";
 import { MessageLevel } from "@goauthentik/common/messages";
 import { me } from "@goauthentik/common/users";
@@ -100,7 +101,7 @@ export class NotificationDrawer extends AKElement {
                 html`
                     <a
                         class="pf-c-dropdown__toggle pf-m-plain"
-                        href="/if/admin/#/events/log/${item.event?.pk}"
+                        href="${globalAK().api.base}if/admin/#/events/log/${item.event?.pk}"
                     >
                         <pf-tooltip position="top" content=${msg("Show details")}>
                             <i class="fas fa-share-square"></i>
diff --git a/web/src/elements/sidebar/SidebarUser.ts b/web/src/elements/sidebar/SidebarUser.ts
index 4408fc0df7..3f39263129 100644
--- a/web/src/elements/sidebar/SidebarUser.ts
+++ b/web/src/elements/sidebar/SidebarUser.ts
@@ -1,3 +1,4 @@
+import { globalAK } from "@goauthentik/common/global";
 import { me } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
 
@@ -35,7 +36,11 @@ export class SidebarUser extends AKElement {
 
     render(): TemplateResult {
         return html`
-            <a href="/if/user/#/settings" class="pf-c-nav__link user-avatar" id="user-settings">
+            <a
+                href="${globalAK().api.base}if/user/#/settings"
+                class="pf-c-nav__link user-avatar"
+                id="user-settings"
+            >
                 ${until(
                     me().then((u) => {
                         return html`<img
@@ -47,7 +52,11 @@ export class SidebarUser extends AKElement {
                     html``,
                 )}
             </a>
-            <a href="/flows/-/default/invalidation/" class="pf-c-nav__link user-logout" id="logout">
+            <a
+                href="${globalAK().api.base}flows/-/default/invalidation/"
+                class="pf-c-nav__link user-logout"
+                id="logout"
+            >
                 <i class="fas fa-sign-out-alt" aria-hidden="true"></i>
             </a>
         `;
diff --git a/web/src/flow/FlowExecutor.ts b/web/src/flow/FlowExecutor.ts
index 72be3ebadf..1375e6430c 100644
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@@ -461,6 +461,7 @@ export class FlowExecutor extends Interface implements StageHost {
         await import("@goauthentik/flow/FlowInspector");
         return html`<ak-flow-inspector
             class="pf-c-drawer__panel pf-m-width-33"
+            .flowSlug=${this.flowSlug}
         ></ak-flow-inspector>`;
     }
 
diff --git a/web/src/flow/FlowInspector.ts b/web/src/flow/FlowInspector.ts
index d9a1421134..8f8ba27f97 100644
--- a/web/src/flow/FlowInspector.ts
+++ b/web/src/flow/FlowInspector.ts
@@ -19,7 +19,8 @@ import { FlowInspection, FlowsApi, ResponseError, Stage } from "@goauthentik/api
 
 @customElement("ak-flow-inspector")
 export class FlowInspector extends AKElement {
-    flowSlug: string;
+    @property()
+    flowSlug?: string;
 
     @property({ attribute: false })
     state?: FlowInspection;
@@ -55,7 +56,6 @@ export class FlowInspector extends AKElement {
 
     constructor() {
         super();
-        this.flowSlug = window.location.pathname.split("/")[3];
         window.addEventListener(EVENT_FLOW_ADVANCE, this.advanceHandler as EventListener);
     }
 
@@ -67,7 +67,7 @@ export class FlowInspector extends AKElement {
     advanceHandler = (): void => {
         new FlowsApi(DEFAULT_CONFIG)
             .flowsInspectorGet({
-                flowSlug: this.flowSlug,
+                flowSlug: this.flowSlug || "",
             })
             .then((state) => {
                 this.error = undefined;
diff --git a/web/src/flow/providers/SessionEnd.ts b/web/src/flow/providers/SessionEnd.ts
index 4df09411f2..3e58d70d01 100644
--- a/web/src/flow/providers/SessionEnd.ts
+++ b/web/src/flow/providers/SessionEnd.ts
@@ -1,3 +1,4 @@
+import { globalAK } from "@goauthentik/common/global";
 import "@goauthentik/flow/FormStatic";
 import { BaseStage } from "@goauthentik/flow/stages/base";
 
@@ -47,7 +48,9 @@ export class SessionEnd extends BaseStage<SessionEndChallenge, unknown> {
                             str`You've logged out of ${this.challenge.applicationName}. You can go back to the overview to launch another application, or log out of your authentik account.`,
                         )}
                     </p>
-                    <a href="/" class="pf-c-button pf-m-primary"> ${msg("Go back to overview")} </a>
+                    <a href="${globalAK().api.base}" class="pf-c-button pf-m-primary">
+                        ${msg("Go back to overview")}
+                    </a>
                     ${this.challenge.invalidationFlowUrl
                         ? html`
                               <a
diff --git a/web/src/user/LibraryApplication/index.ts b/web/src/user/LibraryApplication/index.ts
index 2a91dc62d5..76d88b7922 100644
--- a/web/src/user/LibraryApplication/index.ts
+++ b/web/src/user/LibraryApplication/index.ts
@@ -1,4 +1,5 @@
 import { PFSize } from "@goauthentik/common/enums.js";
+import { globalAK } from "@goauthentik/common/global";
 import { truncateWords } from "@goauthentik/common/utils";
 import "@goauthentik/elements/AppIcon";
 import { AKElement, rootInterface } from "@goauthentik/elements/Base";
@@ -77,7 +78,8 @@ export class LibraryApplication extends AKElement {
                 ? html`
                       <a
                           class="pf-c-button pf-m-control pf-m-small pf-m-block"
-                          href="/if/admin/#/core/applications/${application?.slug}"
+                          href="${globalAK().api
+                              .base}if/admin/#/core/applications/${application?.slug}"
                       >
                           <i class="fas fa-edit"></i>&nbsp;${msg("Edit")}
                       </a>
diff --git a/web/src/user/LibraryPage/ak-library-application-empty-list.ts b/web/src/user/LibraryPage/ak-library-application-empty-list.ts
index e364bb3b3d..6965d4b91c 100644
--- a/web/src/user/LibraryPage/ak-library-application-empty-list.ts
+++ b/web/src/user/LibraryPage/ak-library-application-empty-list.ts
@@ -1,4 +1,4 @@
-import { docLink } from "@goauthentik/common/global";
+import { docLink, globalAK } from "@goauthentik/common/global";
 import { AKElement } from "@goauthentik/elements/Base";
 import { paramURL } from "@goauthentik/elements/router/RouterOutlet";
 
@@ -49,7 +49,7 @@ export class LibraryPageApplicationEmptyList extends AKElement {
                 <a
                     aria-disabled="false"
                     class="cta pf-c-button pf-m-secondary"
-                    href="/if/admin/${href}"
+                    href="${globalAK().api.base}if/admin/${href}"
                     >${msg("Create a new application")}</a
                 >
             </div>
diff --git a/web/src/user/UserInterface.ts b/web/src/user/UserInterface.ts
index 175d7efd5a..dca7fcb296 100644
--- a/web/src/user/UserInterface.ts
+++ b/web/src/user/UserInterface.ts
@@ -4,6 +4,7 @@ import {
     EVENT_NOTIFICATION_DRAWER_TOGGLE,
     EVENT_WS_MESSAGE,
 } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { UIConfig, UserDisplay } from "@goauthentik/common/ui/config";
 import { me } from "@goauthentik/common/users";
@@ -207,7 +208,7 @@ class UserInterfacePresentation extends AKElement {
                             ${this.renderSettings()}
                             <div class="pf-c-page__header-tools-item">
                                 <a
-                                    href="/flows/-/default/invalidation/"
+                                    href="${globalAK().api.base}flows/-/default/invalidation/"
                                     class="pf-c-button pf-m-plain"
                                 >
                                     <pf-tooltip position="top" content=${msg("Sign out")}>
@@ -349,7 +350,7 @@ class UserInterfacePresentation extends AKElement {
 
         return html`<a
             class="pf-c-button pf-m-secondary pf-m-small pf-u-display-none pf-u-display-block-on-md"
-            href="/if/admin/"
+            href="${globalAK().api.base}if/admin/"
         >
             ${msg("Admin interface")}
         </a>`;
diff --git a/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts b/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
index f362f3e2fe..4ad334e59e 100644
--- a/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
+++ b/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
@@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { MessageLevel } from "@goauthentik/common/messages";
 import { refreshMe } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
@@ -173,7 +174,10 @@ export class UserSettingsFlowExecutor
                     `authentik/user/flows: unsupported stage type ${this.challenge.component}`,
                 );
                 return html`
-                    <a href="/if/flow/${this.flowSlug}/" class="pf-c-button pf-m-primary">
+                    <a
+                        href="${globalAK().api.base}if/flow/${this.flowSlug}/"
+                        class="pf-c-button pf-m-primary"
+                    >
                         ${msg("Open settings")}
                     </a>
                 `;
diff --git a/web/src/user/user-settings/details/stages/prompt/PromptStage.ts b/web/src/user/user-settings/details/stages/prompt/PromptStage.ts
index 3511f938d4..1c06efb89f 100644
--- a/web/src/user/user-settings/details/stages/prompt/PromptStage.ts
+++ b/web/src/user/user-settings/details/stages/prompt/PromptStage.ts
@@ -1,3 +1,4 @@
+import { globalAK } from "@goauthentik/common/global";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { PromptStage } from "@goauthentik/flow/stages/prompt/PromptStage";
 
@@ -50,7 +51,8 @@ export class UserSettingsPromptStage extends PromptStage {
                     ${this.host.brand?.flowUnenrollment
                         ? html` <a
                               class="pf-c-button pf-m-danger"
-                              href="/if/flow/${this.host.brand.flowUnenrollment}/"
+                              href="${globalAK().api.base}if/flow/${this.host.brand
+                                  .flowUnenrollment}/"
                           >
                               ${msg("Delete account")}
                           </a>`
diff --git a/website/docs/install-config/configuration/configuration.mdx b/website/docs/install-config/configuration/configuration.mdx
index 1bf72fa6b8..728bc4e8ea 100644
--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
@@ -345,6 +345,16 @@ Configure Celery worker concurrency for authentik worker (see https://docs.celer
 
 Defaults to 2.
 
+### `AUTHENTIK_WEB__PATH`
+
+:::info
+Requires authentik 2024.8
+:::
+
+Configure the path under which authentik is serverd. For example to access authentik under `https://my.domain/authentik/`, set this to `/authentik/`. Value _must_ contain both a leading and trailing slash.
+
+Defaults to `/`.
+
 ## System settings <span class="badge badge--version">authentik 2024.2+</span>
 
 Additional settings are configurable using the Admin interface, under **System** -> **Settings** or using the API.
diff --git a/website/docs/install-config/reverse-proxy.md b/website/docs/install-config/reverse-proxy.md
index 6dd6ecbba7..340cf35bee 100644
--- a/website/docs/install-config/reverse-proxy.md
+++ b/website/docs/install-config/reverse-proxy.md
@@ -51,6 +51,8 @@ server {
     add_header Strict-Transport-Security "max-age=63072000" always;
 
     # Proxy site
+    # Location can be set to a subpath if desired, see documentation linked below:
+    # https://goauthentik.io/docs/installation/configuration#authentik_web__path
     location / {
         proxy_pass https://authentik;
         proxy_http_version 1.1;