website: latest PR for new Docs structure (#11639)

* first pass * dependency shenanigans * move blueprints * few broken links * change config the throw errors * internal file edits * fighting links * remove sidebarDev * fix subdomain Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix relative URL Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix mismatched package versions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix api reference build Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test tweak * links hell * more links hell * links hell2 * yep last of the links * last broken link fixed * re-add cves Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add devdocs redirects * add dir * tweak netlify.toml * move latest 2 CVES into dir * fix links to moved cves * typoed title fix * fix link * remove banner * remove committed api docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * integrations: remove version dropdown Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Update Makefile Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * change doc links in web as well Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix some more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * ci: require ci-web.build for merging Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "ci: require ci-web.build for merging" This reverts commit b99a4842a9. * remove sluf for Application * put slug back in * minor fix to trigger deploy * Spelled out Documentation in menu bar * remove image redirects... Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove explicit index.md Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove mdx first Signed-off-by: Jens Langhammer <jens@goauthentik.io> * then remove .md Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add missing prefix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00
parent 6b2fced1b9
commit 6d5172d18a
336 changed files with 2138 additions and 872 deletions
--- a/website/docs/install-config/reverse-proxy.md
+++ b/website/docs/install-config/reverse-proxy.md
@ -0,0 +1,64 @@
+---
+title: Reverse-proxy
+---
+
+:::info
+Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse-proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it.
+:::
+
+If you want to access authentik behind a reverse proxy, there are a few headers that must be passed upstream:
+
+-   `X-Forwarded-Proto`: Tells authentik and Proxy Providers if they are being served over an HTTPS connection.
+-   `X-Forwarded-For`: Without this, authentik will not know the IP addresses of clients.
+-   `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
+-   `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
+
+It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3.
+
+The following nginx configuration can be used as a starting point for your own configuration.
+
+```
+# Upstream where your authentik server is hosted.
+upstream authentik {
+    server <hostname of your authentik server>:9443;
+    # Improve performance by keeping some connections alive.
+    keepalive 10;
+}
+
+# Upgrade WebSocket if requested, otherwise use keepalive
+map $http_upgrade $connection_upgrade_keepalive {
+    default upgrade;
+    ''      '';
+}
+
+server {
+    # HTTP server config
+    listen 80;
+    listen [::]:80;
+    server_name sso.domain.tld;
+    # 301 redirect to HTTPS
+    return 301 https://$host$request_uri;
+}
+server {
+    # HTTPS server config
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name sso.domain.tld;
+
+    # TLS certificates
+    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # Proxy site
+    location / {
+        proxy_pass https://authentik;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade_keepalive;
+    }
+}
+```