f9469e3f99
* run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
109 lines
3.0 KiB
Plaintext
109 lines
3.0 KiB
Plaintext
---
|
|
title: Forward auth
|
|
---
|
|
|
|
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the
|
|
authentik outpost to check authentication and authorization.
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use one of the Forward auth modes.
|
|
|
|
## Single application
|
|
|
|
Single application mode works for a single application hosted on its dedicated subdomain. This
|
|
has the advantage that you can still do per-application access policies in authentik.
|
|
|
|
## Domain level
|
|
|
|
To use forward auth instead of proxying, you have to change a couple of settings.
|
|
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
|
|
|
|
This mode differs from the _Forward auth (single application)_ mode in the following points:
|
|
|
|
- You don't have to configure an application in authentik for each domain
|
|
- Users don't have to authorize multiple times
|
|
|
|
There are however also some downsides, mainly the fact that you **can't** restrict individual
|
|
applications to different users.
|
|
|
|
The only configuration difference between single application and domain level is the host you specify.
|
|
|
|
For single application, you'd use the domain which the application is running on, and only /outpost.goauthentik.io
|
|
is redirected to the outpost.
|
|
|
|
For domain level, you'd use the same domain as authentik.
|
|
|
|
:::info
|
|
_example-outpost_ is used as a placeholder for the outpost name.
|
|
_authentik.company_ is used as a placeholder for the authentik install.
|
|
_app.company_ is used as a placeholder for the external domain for the application.
|
|
_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_
|
|
:::
|
|
|
|
## Nginx
|
|
|
|
import Tabs from "@theme/Tabs";
|
|
import TabItem from "@theme/TabItem";
|
|
|
|
<Tabs
|
|
defaultValue="standalone-nginx"
|
|
values={[
|
|
{label: 'Standalone nginx', value: 'standalone-nginx'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
{label: 'Nginx Proxy Manager', value: 'proxy-manager'},
|
|
]}>
|
|
<TabItem value="standalone-nginx">
|
|
|
|
import NginxStandalone from "./_nginx_standalone.md";
|
|
|
|
<NginxStandalone />
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
|
|
import NginxIngress from "./_nginx_ingress.md";
|
|
|
|
<NginxIngress />
|
|
|
|
</TabItem>
|
|
<TabItem value="proxy-manager">
|
|
|
|
import NginxProxyManager from "./_nginx_proxy_manager.md";
|
|
|
|
<NginxProxyManager />
|
|
|
|
</TabItem>
|
|
</Tabs>
|
|
|
|
## Traefik
|
|
|
|
<Tabs
|
|
defaultValue="standalone-traefik"
|
|
values={[
|
|
{label: 'Standalone traefik', value: 'standalone-traefik'},
|
|
{label: 'docker-compose', value: 'docker-compose'},
|
|
{label: 'Ingress', value: 'ingress'},
|
|
]}>
|
|
<TabItem value="standalone-traefik">
|
|
|
|
import TraefikStandalone from "./_traefik_standalone.md";
|
|
|
|
<TraefikStandalone />
|
|
|
|
</TabItem>
|
|
<TabItem value="docker-compose">
|
|
|
|
import TraefikCompose from "./_traefik_compose.md";
|
|
|
|
<TraefikCompose />
|
|
|
|
</TabItem>
|
|
<TabItem value="ingress">
|
|
|
|
import TraefikIngress from "./_traefik_ingress.md";
|
|
|
|
<TraefikIngress />
|
|
|
|
</TabItem>
|
|
</Tabs>
|