108 lines
3.0 KiB
Plaintext
108 lines
3.0 KiB
Plaintext
---
|
|
title: Forward auth
|
|
---
|
|
|
|
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
|
|
authentik outpost to check authentication and authorization.
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use one of the Forward auth modes.
|
|
|
|
## Single application
|
|
|
|
Single application mode works for a single application hosted on its dedicated subdomain. This
|
|
has the advantage that you can still do per-application access policies in authentik.
|
|
|
|
## Domain level
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
|
|
|
|
This mode differs from the *Forward auth (single application)* mode in the following points:
|
|
- You don't have to configure an application in authentik for each domain
|
|
- Users don't have to authorize multiple times
|
|
|
|
There are however also some downsides, mainly the fact that you **can't** restrict individual
|
|
applications to different users.
|
|
|
|
The only configuration difference between single application and domain level is the host you specify.
|
|
|
|
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
|
|
is redirected to the outpost.
|
|
|
|
For domain level, you'd use the same domain as authentik.
|
|
|
|
:::info
|
|
*example-outpost* is used as a placeholder for the outpost name.
|
|
*authentik.company* is used as a placeholder for the authentik install.
|
|
*app.company* is used as a placeholder for the external domain for the application.
|
|
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
|
|
:::
|
|
|
|
## Nginx
|
|
|
|
import Tabs from '@theme/Tabs';
|
|
import TabItem from '@theme/TabItem';
|
|
|
|
<Tabs
|
|
defaultValue="standalone-nginx"
|
|
values={[
|
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
{label: 'Nginx Proxy Manager', value: 'proxy-manager'},
|
|
]}>
|
|
<TabItem value="standalone-nginx">
|
|
|
|
import NginxStandalone from './_nginx_standalone.md'
|
|
|
|
<NginxStandalone />
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
|
|
import NginxIngress from './_nginx_ingress.md'
|
|
|
|
<NginxIngress />
|
|
|
|
</TabItem>
|
|
<TabItem value="proxy-manager">
|
|
|
|
import NginxProxyManager from './_nginx_proxy_manager.md'
|
|
|
|
<NginxProxyManager />
|
|
|
|
</TabItem>
|
|
</Tabs>
|
|
|
|
## Traefik
|
|
|
|
<Tabs
|
|
defaultValue="standalone-traefik"
|
|
values={[
|
|
{label: 'Standalone traefik', value: 'standalone-traefik'},
|
|
{label: 'docker-compose', value: 'docker-compose'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-traefik">
|
|
|
|
import TraefikStandalone from './_traefik_standalone.md'
|
|
|
|
<TraefikStandalone />
|
|
|
|
</TabItem>
|
|
<TabItem value="docker-compose">
|
|
|
|
import TraefikCompose from './_traefik_compose.md'
|
|
|
|
<TraefikCompose />
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
|
|
import TraefikIngress from './_traefik_ingress.md'
|
|
|
|
<TraefikIngress />
|
|
|
|
</TabItem>
|
|
</Tabs>
|