habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: improve nginx examples

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2022-01-25 14:25:21 +01:00
parent 947ecec02b
commit 63b3434b6f
5 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/outpost/proxyv2/application/mode_common.go
View File

@ -74,9 +74,9 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
return u return u
} }
// getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1044 // getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
func (a *Application) getNginxForwardUrl(r *http.Request) *url.URL { func (a *Application) getNginxForwardUrl(r *http.Request) *url.URL {
h := r.Header.Get("X-Original-URI") h := r.Header.Get("X-Original-URL")
if len(h) < 1 { if len(h) < 1 {
a.log.WithError(errors.New("blank URL")).Warning("blank URL") a.log.WithError(errors.New("blank URL")).Warning("blank URL")
return r.URL return r.URL

6
internal/outpost/proxyv2/application/mode_forward_nginx_test.go
View File

@ -23,7 +23,7 @@ func TestForwardHandleNginx_Single_Blank(t *testing.T) {
func TestForwardHandleNginx_Single_Skip(t *testing.T) { func TestForwardHandleNginx_Single_Skip(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
req.Header.Set("X-Original-URI", "http://test.goauthentik.io/skip") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleNginx(rr, req) a.forwardHandleNginx(rr, req)
@ -34,7 +34,7 @@ func TestForwardHandleNginx_Single_Skip(t *testing.T) {
func TestForwardHandleNginx_Single_Headers(t *testing.T) { func TestForwardHandleNginx_Single_Headers(t *testing.T) {
a := newTestApplication() a := newTestApplication()
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleNginx(rr, req) a.forwardHandleNginx(rr, req)
@ -110,7 +110,7 @@ func TestForwardHandleNginx_Domain_Header(t *testing.T) {
a.proxyConfig.CookieDomain = api.PtrString("foo") a.proxyConfig.CookieDomain = api.PtrString("foo")
a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io" a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil) req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app") req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
rr := httptest.NewRecorder() rr := httptest.NewRecorder()
a.forwardHandleNginx(rr, req) a.forwardHandleNginx(rr, req)

2
website/docs/providers/proxy/_nginx_ingress.md
View File

@ -32,5 +32,5 @@ metadata:
nginx.ingress.kubernetes.io/auth-response-headers: | nginx.ingress.kubernetes.io/auth-response-headers: |
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: | nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header Host $http_host;
``` ```

5
website/docs/providers/proxy/_nginx_proxy_manager.md
View File

@ -6,8 +6,6 @@ For Nginx Proxy Manager you can use this snippet
# header from upstream' error when trying to access an application protected by goauthentik # header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k; proxy_buffers 8 16k;
proxy_buffer_size 32k; proxy_buffer_size 32k;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
location / { location / {
# Put your proxy_pass to your application here # Put your proxy_pass to your application here
@ -16,6 +14,8 @@ location / {
# authentik-specific config # authentik-specific config
auth_request /akprox/auth/nginx; auth_request /akprox/auth/nginx;
error_page 401 = @akprox_signin; error_page 401 = @akprox_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream # translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_username $upstream_http_x_authentik_username;
@ -37,6 +37,7 @@ location /akprox {
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
} }

5
website/docs/providers/proxy/_nginx_standalone.md
View File

@ -13,8 +13,6 @@ server {
# header from upstream' error when trying to access an application protected by goauthentik # header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k; proxy_buffers 8 16k;
proxy_buffer_size 32k; proxy_buffer_size 32k;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
location / { location / {
# Put your proxy_pass to your application here # Put your proxy_pass to your application here
@ -25,6 +23,8 @@ server {
error_page 401 = @akprox_signin; error_page 401 = @akprox_signin;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri; # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream # translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_username $upstream_http_x_authentik_username;
@ -46,6 +46,7 @@ server {
# ensure the host of this vserver matches your external URL you've configured # ensure the host of this vserver matches your external URL you've configured
# in authentik # in authentik
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
} }