website: latest migration to new structure (#11522)

* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

website/docs/add-secure-apps/providers/proxy/index.md

@@ -0,0 +1,148 @@
+---
+title: Proxy Provider
+---
+
+```mermaid
+sequenceDiagram
+    participant u as User accesses service
+    participant rp as Reverse proxy
+    participant ak as authentik
+    participant s as Service
+
+    u->>rp: Initial request
+    rp->>ak: Checks authentication
+    alt User is authenticated
+        ak ->> rp: Successful response
+        rp ->> s: Initial request is forwarded
+    else User needs to be authenticated
+        ak ->> rp: Redirect to the login page
+        rp ->> u: Redirect is passed to enduser
+    end
+```
+
+## Headers
+
+The proxy outpost sets the following user-specific headers:
+
+### `X-authentik-username`
+
+Example value: `akadmin`
+
+The username of the currently logged in user
+
+### `X-authentik-groups`
+
+Example value: `foo|bar|baz`
+
+The groups the user is member of, separated by a pipe
+
+### `X-authentik-email`
+
+Example value: `root@localhost`
+
+The email address of the currently logged in user
+
+### `X-authentik-name`
+
+Example value: `authentik Default Admin`
+
+Full name of the current user
+
+### `X-authentik-uid`
+
+Example value: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
+
+The hashed identifier of the currently logged in user.
+
+Besides these user-specific headers, some application specific headers are also set:
+
+### `X-authentik-meta-outpost`
+
+Example value: `authentik Embedded Outpost`
+
+The authentik outpost's name.
+
+### `X-authentik-meta-provider`
+
+Example value: `test`
+
+The authentik provider's name.
+
+### `X-authentik-meta-app`
+
+Example value: `test`
+
+The authentik application's slug.
+
+### `X-authentik-meta-version`
+
+Example value: `goauthentik.io/outpost/1.2.3`
+
+The authentik outpost's version.
+
+### `X-Forwarded-Host`
+
+:::info
+Only set in proxy mode
+:::
+
+The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
+
+### Additional headers
+
+Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers:
+
+```yaml
+additionalHeaders:
+    X-test-header: test-value
+```
+
+## HTTPS
+
+The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
+
+:::info
+If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
+:::
+
+## Logging out
+
+Login is done automatically when you visit the domain without a valid cookie.
+
+When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`.
+
+When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider.
+
+To log out, navigate to `/outpost.goauthentik.io/sign_out`.
+
+Starting with authentik 2023.2, when logging out of a provider, all the users sessions within the respective outpost are invalidated.
+
+## Allowing unauthenticated requests
+
+To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.
+
+Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
+
+The behaviour of this field changes depending on which mode you're in.
+
+### Proxy and Forward auth (single application)
+
+In this mode, the regular expressions are matched against the Request's Path.
+
+### Forward auth (domain level)
+
+In this mode, the regular expressions are matched against the Request's full URL.
+
+## Dynamic backend selection
+
+You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this:
+
+```python
+return {
+    "ak_proxy": {
+        "backend_override": f"http://foo.bar.baz/{request.user.username}"
+    }
+}
+```
+
+Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.