diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index bf0c588ab6..8f6b1f98dc 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -84,6 +84,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
 "traefik.ingress.kubernetes.io/affinity": "true",
 "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
 "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
+ "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"
 }
 annotations.update(
 self.controller.outpost.config.kubernetes_ingress_annotations
@@ -113,7 +114,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
 NetworkingV1beta1HTTPIngressPath(
 backend=NetworkingV1beta1IngressBackend(
 service_name=self.name,
- service_port="http",
+ service_port="https",
 ),
 path="/akprox",
 )
diff --git a/website/docs/outposts/proxy.mdx b/website/docs/outposts/proxy.mdx
index ecbfa21ec1..1da39f4e78 100644
--- a/website/docs/outposts/proxy.mdx
+++ b/website/docs/outposts/proxy.mdx
@@ -15,6 +15,14 @@ Additionally, you can set `additionalHeaders` on groups or users to set addition
 If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
+# HTTPS
+
+The outpost listens on both 4180 for HTTP and 4443 for HTTPS.
+
+:::warning
+If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
+:::
+
 # Forward auth
 To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
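Review bot: The added `backend-protocol: HTTPS` annotation encrypts the ingress-to-outpost hop but does not authenticate it. As far as I know, ingress-nginx leaves upstream certificate verification off unless `nginx.ingress.kubernetes.io/proxy-ssl-verify` is enabled with a CA supplied through `nginx.ingress.kubernetes.io/proxy-ssl-secret`. I would record that on the new line, for example `# TLS to the outpost; the backend certificate is not verified unless proxy-ssl-verify is configured`, so operators do not read the default as mutual trust. The entry also lacks the trailing comma the three entries above it carry: `"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",`. The dict literal opens above the hunk, and the `annotations.update(...)` call that follows lets outpost config override this default.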
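Review bot: Switching `service_port` to `"https"` for the `/akprox` path is unconditional, but the only protocol hint in the default annotations targets ingress-nginx. Other controllers get a TLS backend with nothing but the port name to signal it, and a controller that verifies upstream certificates may reject the outpost's certificate if it is self-signed (not visible here, so this is an assumption to confirm). The Service definition is outside this diff, so please confirm it exposes a port named `https` (4443 according to the docs hunk), since the ingress backend resolves by that name. A short comment at the call, such as `# must match the Service port name; pairs with the backend-protocol annotation`, would keep the two settings from drifting apart. The enclosing `NetworkingV1beta1HTTPIngressPath(...)` call starts and ends outside the hunk.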