Open leon1995 opened 1 week ago
I ran into this as well, and I think it's an issue on NPM's side since any custom location seems to break it. Related issues:
Also it seems this issue is a duplicate of #10010
Hi
I had a lot of trouble with that as well, eventually I found this config, which seems to work for me.
```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # #########################################
    # CUSTOM - START Websocket behind authenticated proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # END Websockets FIX
    # #########################################

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # ################################
    # CHANGE IP TO AUTHENTIK IP here.
    proxy_pass http://10.10.20.213:9000/outpost.goauthentik.io;
    # ################################

    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
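A sanity check for the wiring the snippet above depends on, added here as an example and not part of the original comment or of authentik's or Nginx Proxy Manager's code: it confirms that every application location sends `auth_request` to the outpost, that the outpost location itself is not behind `auth_request` and drops the request body, and that the `error_page 401` target exists. The helper names `parse_locations` and `check` are hypothetical, the sample is constructed from the snippet, and the parser assumes flat `location` blocks without modifiers and with `auth_request` set per location.

```python
import re
OUTPOST = "/outpost.goauthentik.io"

# Constructed sample: a trimmed copy of the snippet posted above.
SAMPLE = """
location / {
    proxy_pass $forward_scheme://$server:$port;
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
}
location /outpost.goauthentik.io {
    proxy_pass http://10.10.20.213:9000/outpost.goauthentik.io;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
"""

def parse_locations(conf):
    """Map each location path to its directives (flat blocks, no modifiers)."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop full-line comments
    blocks = {}
    for m in re.finditer(r"location\s+([^\s{]+)\s*\{([^{}]*)\}", conf):
        blocks[m.group(1)] = [d.split() for d in m.group(2).split(";") if d.strip()]
    return blocks

def check(conf):
    """Return the problems found in the forward-auth wiring (hypothetical helper)."""
    locs, problems = parse_locations(conf), []
    outpost = locs.get(OUTPOST)
    if outpost is None:
        problems.append("no outpost location")
    else:
        # The outpost path must be reachable without authentication.
        if any(d[0] == "auth_request" for d in outpost):
            problems.append("outpost location is behind auth_request")
        if ["proxy_pass_request_body", "off"] not in outpost:
            problems.append("outpost location forwards the request body")
    for path, directives in locs.items():
        if path == OUTPOST or path.startswith("@"):
            continue
        if not any(" ".join(d).startswith("auth_request " + OUTPOST + "/") for d in directives):
            problems.append(f"{path}: no auth_request to the outpost")
        for d in directives:
            if d[0] == "error_page" and d[-1].startswith("@") and d[-1] not in locs:
                problems.append(f"{path}: {d[-1]} is not defined")
    return problems
```

Calling `check()` on the text pasted into the proxy host's custom configuration returns an empty list when these invariants hold.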
CrazyWolf13 That fixed it for me, can you tell me what you did to fix the issue?
I copied and pasted that into my custom Nginx Configuration, and of course I changed the proxy pass to match my authentik instance.
But I would like to know what actually changed so I have a better idea what I am doing.
Thank you
@Seekinsj Awesome!
To be honest, I don't know. I had the same issue, started digging and found a random blog from some homelabber writing on this exact issue and posting that code. I copied it and it worked for me too.
https://www.diffchecker.com/9ouR3ucD/
Maybe this helps :)
@CrazyWolf13 this did not fix it for me. What version are you using? EDIT: My host is still shown as offline
@leon1995 are you sure you changed the IP in my snippet to the correct IP of authentik?
And when removing all custom code the host shows online?
Are you running latest nginxproxymanager?
Describe the bug After I pasted the nginx (proxy manager) configuration into nginx proxy manager the status has gone offline
To Reproduce Steps to reproduce the behavior:
proxy_pass http://authentik.company:9000/outpost.goauthentik.io;
to match your authentik installation e.g. https://sso.mydomain.tld/outpust.goauthentik.io
Expected behavior That the proxy host stays online and I can protect it with authentik's sso
Version and Deployment (please complete the following information):
Additional context this is the (unedited) config that makes the proxy host offline