Comments (15)
nope still waiting for an answer :)
from authentik.
The “internal host” is local to that server. Use the public URL if the outpost is on a different server
how would I do that? internal host: "app2.server2.domain.com"?
but that public URL directs to the authentik-outpost container on server2, I need to forward the traffic to the specific container on server2 (app2)
or did I misunderstand you?
correct me if I am wrong, but I think I need to use "Forward auth (single app)" instead of "Proxy" in the provider settings.
External host: "app2.server2.domain.com"
nginx on server2: forward to app2:port
And then I need to use the nginx config.
I am not sure how I should adjust this line:
proxy_pass http://outpost.company:9000/outpost.goauthentik.io;
to point at the authentik-outpost container on server2?
If yes, then the nginx entry is listed as "offline".
# Server-level fragment (e.g. NPM "advanced config" for app2.server2.domain.com);
# the listen / server_name / ssl directives of the surrounding server { } block are not shown.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    # ($forward_scheme, $server and $port are variables set by Nginx Proxy Manager)
    proxy_pass $forward_scheme://$server:$port;

    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    # Every request to this location first triggers a subrequest to the outpost;
    # 2xx allows it, 401 jumps to the sign-in location below.
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # the outpost container this nginx can reach (must resolve from nginx's network)
    proxy_pass http://authentik-outpost:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    # auth subrequests carry no body
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
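The config above wires three nginx location blocks into one exchange: the auth_request subrequest to the outpost, the 401-to-/start redirect, and the copying of X-authentik-* headers to the app. As an added example (not code from authentik, nginx or the commenter), here is a small Python model of that exchange with stand-ins for nginx, the outpost on :9000 and app2. The session table, cookie name, group policy and the https://authentik.company redirect target are constructed for the example. It also shows why an unreachable outpost surfaces as a 500 on the app path (failed auth subrequest) but a 502 on the /outpost.goauthentik.io path (failed proxy_pass).

```python
# Constructed model of the nginx forward-auth exchange; not authentik's or nginx's code.
from dataclasses import dataclass, field
from typing import Dict

AUTH_PATH = "/outpost.goauthentik.io/auth/nginx"
START_PATH = "/outpost.goauthentik.io/start"
COOKIE_NAME = "authentik_proxy"   # constructed cookie name for the example
APP_GROUP = "users"               # constructed policy: app2 requires this group

# Constructed stand-in for the outpost's session store (cookie value -> identity).
SESSIONS = {
    "sess-alice": {"username": "alice", "groups": "admins|users",
                   "email": "alice@example.test", "name": "Alice", "uid": "1001"},
    "sess-bob": {"username": "bob", "groups": "guests",
                 "email": "bob@example.test", "name": "Bob", "uid": "1002"},
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def outpost(path: str, headers: Dict[str, str]) -> Response:
    """Stand-in for the authentik-outpost container listening on :9000."""
    if path == AUTH_PATH:
        cookie, prefix = headers.get("Cookie", ""), f"{COOKIE_NAME}="
        session = SESSIONS.get(cookie[len(prefix):]) if cookie.startswith(prefix) else None
        if session is None:
            return Response(401)   # no valid session: nginx fires error_page 401
        if APP_GROUP not in session["groups"].split("|"):
            return Response(403)   # authenticated but not allowed on this app
        return Response(200, {f"X-authentik-{k}": v for k, v in session.items()})
    if path.startswith(START_PATH):
        # /start begins SSO; the real outpost redirects to the authentik server (placeholder URL)
        return Response(302, {"Location": "https://authentik.company/<login-flow>"})
    return Response(404)


def proxy_to_outpost(path: str, headers: Dict[str, str], up: bool) -> Response:
    """proxy_pass to the outpost; an unreachable upstream is a 502 from nginx."""
    return outpost(path, headers) if up else Response(502, body="502 Bad Gateway")


def app2(path: str, headers: Dict[str, str]) -> Response:
    """Stand-in for the protected app; echoes the identity headers it received."""
    ident = {k: v for k, v in headers.items() if k.lower().startswith("x-authentik-")}
    return Response(200, ident, f"hello {ident.get('X-authentik-username', 'anonymous')}")


def nginx(request_uri: str, headers: Dict[str, str], outpost_up: bool = True) -> Response:
    """Models the three location blocks of the config."""
    if request_uri.startswith("/outpost.goauthentik.io"):
        # location /outpost.goauthentik.io: no auth_request, passed straight through
        return proxy_to_outpost(request_uri, headers, outpost_up)
    # location /: the auth_request subrequest carries the client's cookies, no body
    auth = proxy_to_outpost(AUTH_PATH, {"Cookie": headers.get("Cookie", "")}, outpost_up)
    if auth.status == 401:
        # error_page 401 = @goauthentik_proxy_signin -> return 302 .../start?rd=$request_uri
        return Response(302, {"Location": f"{START_PATH}?rd={request_uri}"})
    if auth.status == 403:
        return Response(403)       # auth_request passes 403 to the client unchanged
    if not 200 <= auth.status < 300:
        return Response(500)       # any other subrequest status (e.g. 502) is a 500
    # auth_request_set + proxy_set_header: only the identity headers reach app2
    upstream = {k: v for k, v in auth.headers.items() if k.startswith("X-authentik-")}
    return app2(request_uri, upstream)


def flow_demo():
    """Anonymous, signed-in, and outpost-down requests to the same app path."""
    anonymous = nginx("/dashboard", {})
    signed_in = nginx("/dashboard", {"Cookie": f"{COOKIE_NAME}=sess-alice"})
    outpost_down = nginx("/dashboard", {"Cookie": f"{COOKIE_NAME}=sess-alice"}, outpost_up=False)
    return anonymous, signed_in, outpost_down


if __name__ == "__main__":
    for r in flow_demo():
        print(r.status, r.headers, r.body)
```

The practical takeaway for the thread: the hostname in `proxy_pass http://authentik-outpost:9000/...` has to resolve from the nginx that runs the config, so when nginx and the outpost live on different hosts or Docker networks the first symptom is exactly the 502 on the /outpost.goauthentik.io path modelled above.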
I have the same issue, did you fix it?
@BeryJu is this a known issue or can it be fixed by users?
Also talked with @cooptonian in Discord; he has the same issue.
https://discord.com/channels/809154715984199690/1236010860300730573/1236010860300730573
@stephanschorer can you enter local in outpost? Or you have 404?
Fixed in another way
https://discord.com/channels/809154715984199690/1236010860300730573/1237323226841878609
@masterwishx so you fixed it by creating a multi-tenant?
could you maybe explain what you did?
I read it briefly and changed the following settings:
Authentik instance on server1: changed the provider for app2 to 'transparent proxy', entered app2.server2.domain.com, and for the internal address the local IP/port of app2 on server2.
Then changed the NPM entry on nginx.server2.domain.com to forward its traffic to authentik-outpost:9000 without any advanced config.
But I still get a 502 Bad Gateway.
Strange, I have no issue, but I have one account in Cloudflare with two domains.
It was a little confusing, but it's like you described.
auth.domain.net with a Cloudflare tunnel cert and grafana.domain.work with a domain.work cert.
Can you see your outpost connected in authentik?
Yes, the outpost is online.
Normally a 502 Bad Gateway occurs if the proxy cannot find the service behind it, which means my main authentik server cannot find the target container service on server2, but I don't know how that works in the background in authentik 😐
Maybe it's related to certificates? Are you using domains in Cloudflare?
Nah, I don't think so, because I don't even get a cert error,
and it's just one domain,
and no, the domain is not at Cloudflare.
Oh, so it should not be a problem.