dgtlmoon / changedetection.io

The best and simplest free open source web page change detection, website watcher, restock monitor and notification service. Restock Monitor, change detection. Designed for simplicity - Simply monitor which websites had a text change for free. Free Open source web page change detection, Website defacement monitoring, Price change notification
https://changedetection.io
Apache License 2.0

Using Authentik to secure external access #2449

Closed xyeoda closed 2 months ago

xyeoda commented 3 months ago

Describe the bug

Instead of using the native password manager I was planning on using Authentik's logon for my homelab domain (Proxy Manager is Nginx). On Authentik I am using the default outpost and forwarding the authorization to this application. And I didn't enable password authentication on changedetection either.

Custom configuration on Nginx:

```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;
    add_header          Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set    $authentik_username $upstream_http_x_authentik_username;
    auth_request_set    $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set    $authentik_email $upstream_http_x_authentik_email;
    auth_request_set    $authentik_name $upstream_http_x_authentik_name;
    auth_request_set    $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header    X-authentik-username $authentik_username;
    proxy_set_header    X-authentik-groups $authentik_groups;
    proxy_set_header    X-authentik-email $authentik_email;
    proxy_set_header    X-authentik-name $authentik_name;
    proxy_set_header    X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          https://authentik.x.space/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header    Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

Version v0.45.24

Expected behavior

I thought I could use Authentik to log on then just land on the main page of changedetection, but I was getting a 501 error. If I remove the custom settings on NPM then the error goes away and the page loads. Typically for other homelab applications such as homepage it just displays the dashboard after logon to Authentik is successful.

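The forward-auth layout in the configuration above has a few invariants that can be checked mechanically: the outpost path stays reachable without `auth_request`, the 401 handler named by `error_page` exists, and every `X-authentik-*` header sent upstream is filled from an `auth_request_set` variable rather than from a client request header. The following Python lint is an added example, not part of the original issue and not code from changedetection.io or authentik; the function names are hypothetical and the sample config (with placeholder hosts and two deliberate defects) is constructed.

```python
import re

# Constructed sample modelled on the layout in the post; hosts are placeholders.
SAMPLE = """
location / {
    proxy_pass http://app.internal:5000;
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-email $http_x_authentik_email;  # client-supplied
}
location /outpost.goauthentik.io {
    proxy_pass https://authentik.example/outpost.goauthentik.io;
}
location @goauthentik_signin {  # name does not match the error_page target
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
"""

def parse_locations(conf):
    """Map location name -> directives (token lists). Handles flat prefix and
    named locations only: no modifiers, nesting, or quoted ';' / '#'."""
    conf = re.sub(r"#.*", "", conf)  # strip comments
    blocks = re.findall(r"location\s+(\S+)\s*\{([^{}]*)\}", conf)
    return {n: [d.split() for d in b.split(";") if d.strip()] for n, b in blocks}

def lint_forward_auth(conf, outpost="/outpost.goauthentik.io"):
    """Return findings for locations protected by auth_request."""
    locs, findings = parse_locations(conf), []
    for name, directives in locs.items():
        has_auth = any(d[0] == "auth_request" for d in directives)
        if name.startswith(outpost) and has_auth:
            findings.append(f"{name}: outpost path must be reachable without auth_request")
        if not has_auth:
            continue
        # Variables populated from the outpost's subrequest response.
        from_outpost = {d[1] for d in directives if d[0] == "auth_request_set"}
        for d in directives:
            if d[0] == "error_page" and d[1] == "401" and d[-1] not in locs:
                findings.append(f"{name}: 401 handler {d[-1]} is not defined")
            if (d[0] == "proxy_set_header" and d[1].lower().startswith("x-authentik-")
                    and d[2] not in from_outpost):
                findings.append(f"{name}: {d[1]} comes from {d[2]}, not the outpost")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_forward_auth(SAMPLE)))
```

Run against the constructed sample, the lint reports the undefined 401 handler and the `X-authentik-email` header taken from `$http_x_authentik_email`.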