goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

configuration for nginx proxy manager makes host offline #11453

Open leon1995 opened 1 week ago

leon1995 commented 1 week ago

Describe the bug: After I pasted the nginx (proxy manager) configuration into nginx proxy manager, the status has gone offline.

To Reproduce: Steps to reproduce the behavior:

  1. Go to Providers
  2. Click on your provider
  3. Scroll down to setup
  4. Copy the configuration and paste it into nginx proxy manager
  5. Change proxy_pass http://authentik.company:9000/outpost.goauthentik.io; to match your authentik installation, e.g. https://sso.mydomain.tld/outpust.goauthentik.io
  6. After saving the configuration, the status of the proxy host has gone offline

Expected behavior: That the proxy host stays online and I can protect it with authentik's SSO.

Version and Deployment (please complete the following information):

Additional context: This is the (unedited) config that makes the proxy host go offline:

# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    # Support for websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    # auth_request_set $authentik_auth $upstream_http_authorization;
    # proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              http://authentik.company:9000/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

tjhorner commented 5 days ago

I ran into this as well, and I think it's an issue on NPM's side since any custom location seems to break it. Related issues:

tjhorner commented 5 days ago

Also it seems this issue is a duplicate of #10010

CrazyWolf13 commented 4 days ago

Hi

I had a lot of trouble with that as well, eventually I found this config, which seems to work for me.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # #########################################
    # CUSTOM - START Websocket behind authenticated proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # END Websockets FIX
    # #########################################

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # ################################
    #  CHANGE IP TO AUTHENTIK IP here.
    proxy_pass          http://10.10.20.213:9000/outpost.goauthentik.io;
    # ################################
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Seekinsj commented 1 day ago

CrazyWolf13 That fixed it for me; can you tell me what you did to fix the issue?

I copied and pasted that into my custom Nginx Configuration, and of course I changed the proxy pass to match my authentik instance.

But I would like to know what actually changed so I have a better idea what I am doing.

Thank you

CrazyWolf13 commented 1 day ago

@Seekinsj Awesome!

To be honest, I don't know. I had the same issue, started digging and found a random blog from some homelabber writing on this exact issue and posting that code; I copied it and it worked for me too.

CrazyWolf13 commented 1 day ago

https://www.diffchecker.com/9ouR3ucD/

Maybe this helps :)
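As an added illustration of what differs between the two snippets above (example code, not from this thread or from authentik): a small checker that parses an nginx snippet and flags directives that nginx does not accept in the context the snippet is pasted into. It assumes NPM inserts custom configuration inside the generated server block; under that assumption the map block in the original snippet, which nginx only permits at http level, is the directive that would make the config test fail, while the later snippet avoids it by hard-coding Connection "upgrade".

```python
import re
# Allowed contexts per directive, from the nginx reference docs. Only directives
# used in the shortened snippets below are listed; unlisted ones are not checked.
CONTEXTS = {
    "map": {"http"},
    "location": {"server", "location"},
    "proxy_pass": {"location"},
    "proxy_set_header": {"http", "server", "location"},
    "auth_request": {"http", "server", "location"},
    "error_page": {"http", "server", "location"},
    "internal": {"location"},
    "return": {"server", "location"},
}
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def illegal_directives(snippet, root="server"):
    """Return [(directive, context)] for each directive nginx rejects where it appears.
    root is the context the snippet lands in (assumption: NPM's Advanced tab = server)."""
    text = "\n".join(line.split("#", 1)[0] for line in snippet.splitlines())  # drop comments
    stack, stmt, found = [root], [], []
    for tok in TOKEN.findall(text):
        if tok in ("{", ";"):
            if stmt and stack[-1] != "map":  # map bodies are key/value pairs, not directives
                name = stmt[0]
                if name in CONTEXTS and stack[-1] not in CONTEXTS[name]:
                    found.append((name, stack[-1]))
            if tok == "{":  # map and location open their own context; other blocks inherit
                stack.append(stmt[0] if stmt and stmt[0] in ("map", "location") else stack[-1])
            stmt = []
        elif tok == "}":
            stack.pop()
            stmt = []
        else:
            stmt.append(tok)
    return found

# Constructed, shortened stand-ins for the two snippets posted in this thread.
ORIGINAL = """
map $http_upgrade $connection_upgrade_keepalive { default upgrade; '' ''; }
location / {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Connection $connection_upgrade_keepalive;
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
}
location @goauthentik_proxy_signin { internal; return 302 /outpost.goauthentik.io/start?rd=$request_uri; }
"""
# CrazyWolf13's version drops the map block and hard-codes the Connection header instead.
REPLACEMENT = ORIGINAL.split("\n", 2)[2].replace("$connection_upgrade_keepalive", '"upgrade"')
```

Running illegal_directives(ORIGINAL) reports the map block as illegal in server context, while illegal_directives(REPLACEMENT) reports nothing; the same map block passes when checked with root="http".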

leon1995 commented 20 hours ago

@CrazyWolf13 This did not fix it for me. What version are you using? EDIT: My host is still shown as offline.

CrazyWolf13 commented 20 hours ago

@leon1995 Are you sure you changed the IP in my snippet to the correct IP of authentik?

And when removing all custom code the host shows online?

Are you running the latest nginxproxymanager?

leon1995 commented 20 hours ago

What do you mean by custom code? When I don't add the authentik proxy stuff, the host is online. I just changed the IP to my authentik IP. I also tried to use my authentik domain sso.mydomain.tld. I am running npmplus.