nginx-proxy-manager setup on authentik & other apps #18445

I am lost. Spent probably 24 hours collectively trying to figure this out & I can't. I'm trying to have NPM in front of all my apps (including authentik) & configure forward auth for each of my apps. I am stuck where authentik is giving 404 Not Found, but when I perform curl on the same request forcing the Host header to be my TLD for my test app, it works as expected. However, using the same routing by passing X-Original-URI & X-Forwarded-Host in the location /outpost.goauthentik.io block has no effect.

My network has multiple VMs & each VM has its own instance of nginx-proxy-manager. NPM is responsible for forwarding the port for each docker service on each VM to a common domain with Let's Encrypt certificates on my TLD. The same goes for authentik: I have a proxy host on the NPM instance for authentik that forwards http, server & 9443 to the domain I specified for authentik's IP (see screenshot). This is not a normal reverse proxy setup where all apps are on the same docker container with authentik. Each VM is on a different IP, thus none of them share the same docker network. The goal is to have SSL between each request from the app to authentik but still have authentik route to the correct outpost for authentication.

My test app is homepage, so I am forwarding http, homepage & 3000 in NPM for the homepage VM. Here's the advanced NPM configuration I have for this: I've tried...

I mentioned this before, but if I run a curl command to http://:9000/outpost.goauthentik.io/start & pass the Host header as the app's domain name, the correct response is returned, but online told me that authentik finds the correct outpost based on X-Original-URI; this still doesn't work after having this set as stated above.

Here are the logs from the "server" docker container on authentik when accessing my test app with hostname "apps". Need to figure out why I am getting a 404 when the logs show that I'm getting a correct match for my test app application in authentik.
Replies: 2 comments 4 replies
```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # CUSTOM - Websocket behind authenticated proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://10.10.20.213:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```



Heya,
This config worked for my use case, though I'm not sure how much this helps in your custom config, but possibly it can serve you as inspiration.
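
A static check for the forward-auth directives the config in this reply relies on, as an added example that is not part of the original reply and not authentik or NPM code. The function names and the trimmed sample are constructed for illustration, and the parser assumes flat, prefix-style `location` blocks.

```python
import re

# Constructed sample in the shape of the reply's config (trimmed; not a full server block).
SAMPLE = """
location / {
    proxy_pass $forward_scheme://$server:$port;
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
}
location /outpost.goauthentik.io {
    proxy_pass http://10.10.20.213:9000/outpost.goauthentik.io;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
}
"""

def parse_locations(conf):
    """Map location name -> normalized directives. Handles flat, prefix-style
    blocks only (no nesting, no =/~ modifiers, no '#' inside quoted values)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    blocks = {}
    for name, body in re.findall(r"location\s+([^\s{]+)\s*\{([^{}]*)\}", conf):
        blocks[name] = [" ".join(d.split()) for d in body.split(";") if d.strip()]
    return blocks

def check_forward_auth(conf, outpost="/outpost.goauthentik.io"):
    """Return findings; an empty list means every checked directive is present."""
    loc = parse_locations(conf)
    findings = []
    app = loc.get("/", [])
    if not any(d.startswith(f"auth_request {outpost}/auth/nginx") for d in app):
        findings.append("location / has no auth_request, so nginx enforces no login")
    if not any(d.startswith("error_page 401") for d in app):
        findings.append("location / has no error_page 401 handler to start sign-in")
    op = loc.get(outpost)
    if op is None:
        return findings + [f"no location {outpost} block"]
    if any(d.startswith("auth_request ") for d in op):  # auth_request_set is fine
        findings.append("outpost location is itself gated by auth_request")
    if "proxy_set_header Host $host" not in op:
        findings.append("outpost location does not forward Host $host")
    if not any(d.startswith("proxy_set_header X-Original-URL ") for d in op):
        findings.append("outpost location does not set X-Original-URL")
    return findings

if __name__ == "__main__":
    print(check_forward_auth(SAMPLE) or "all checked directives present")
```

An empty result only confirms the directives are present in the text of the config; it says nothing about which outpost authentik selects at request time.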