goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Redirect to Uptimekuma not working with Authentik, using NGINX reverse proxy. #4541

Open gibrich opened 1 year ago

gibrich commented 1 year ago

I'm running the latest Authentik and Uptimekuma on Unraid, using Cloudflare Tunnels (zero trust), and I have no issues going to authentik or uptimekuma separately with Nginx Proxy Manager (NPM). So now I'm trying to reverse proxy to Uptimekuma with Authentik in front. I've followed this documentation and added/changed some parameters to get it working: https://geekscircuit.com/set-up-authentik-sso-with-nginx-proxy-manager/

It works perfectly when redirecting locally, but not when changing the host config (authentik_host under outpost) from local (http://192.168.1.124:9000) to http://auth.MYDOMAIN.net. After login via Authentik (using the admin account) I get redirected to an HTTP ERROR 400 page. This is the URL: https://uptimekuma.MYDOMAIN.net/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=3de215940d144d46845a5d0df4ef2b47&state=WRAkjxlTr1VUh9HNjBjicWAX6UfGbu0qZScqNpwpCqc

image

On iphone (safari) I get this:

image

If using my local address under authentik_host, it goes directly to uptimekuma after auth login. Though that's on my LAN.

Outpost config:

```yaml
log_level: info
docker_labels: null
authentik_host: http://auth.MYDOMAIN.net   # <<<--- (Redirect works on LAN when changing to http://192.168.1.124:9000)
docker_network: null
container_image: null
docker_map_ports: true
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components:
  - deployment
  - secret
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
```

This is my NPM setting for auth.MYDOMAIN.net

NPM setting for Uptimekuma:

image

Uptimekuma Custom Nginx Configuration:

```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://192.168.1.124:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

Let me know if you need any more info. Thanks!
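As an added example, not code from the thread or from the authentik project: a small Python lint that checks an NPM "Custom Nginx Configuration" like the one above for the directives the authentik forward-auth pattern depends on (the `auth_request` in `location /`, the unauthenticated `/outpost.goauthentik.io` location, and the `@goauthentik_proxy_signin` redirect). The `BROKEN` sample is constructed; the directive list is taken from the configuration posted above.

```python
import re

# Directives each location of the authentik forward-auth pattern must contain.
# Each entry is a whitespace-normalised prefix matched against the block's directives.
REQUIRED = {
    "/": ("auth_request /outpost.goauthentik.io/auth/nginx",
          "error_page 401 = @goauthentik_proxy_signin"),
    "/outpost.goauthentik.io": ("proxy_pass ", "proxy_set_header Host $host",
                               "proxy_set_header X-Original-URL $scheme://$http_host$request_uri",
                               "proxy_pass_request_body off",
                               'proxy_set_header Content-Length ""'),
    "@goauthentik_proxy_signin": ("internal", "return 302 /outpost.goauthentik.io/start?rd="),
}

def location_blocks(conf):
    """Map each top-level 'location NAME {' to its list of normalised directives."""
    src = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())  # drop comments
    blocks = {}
    for m in re.finditer(r"location\s+(\S+)\s*\{", src):
        depth, i = 1, m.end()
        while depth and i < len(src):            # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        body = src[m.end():i - 1]
        blocks[m.group(1)] = [" ".join(d.split()) for d in body.split(";") if d.strip()]
    return blocks

def lint(conf):
    """Return 'location: directive' strings for every required directive that is absent."""
    blocks = location_blocks(conf)
    return [f"{loc}: {req}" for loc, needed in REQUIRED.items()
            for req in needed
            if not any(d.startswith(req) for d in blocks.get(loc, []))]

# Constructed sample: auth_request is wired up, but the outpost and signin
# locations it depends on were never added to the proxy host.
BROKEN = """
location / {
    proxy_pass http://127.0.0.1:3001;
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
}
"""

if __name__ == "__main__":
    for problem in lint(BROKEN):
        print("missing:", problem)
```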

kmanwar89 commented 1 year ago

This is interesting...I'm also trying to get UptimeKuma behind Authentik (using Nginx Proxy Manager [NPM] as well) and just came to Github to see if any others had filed issues for the same thing...

In my case however, as soon as I add the advanced config to my proxy host in NPM, I instantly get a 500 internal server error for UptimeKuma. I've isolated it to the auth_request /outpost.goauthentik.io/auth/nginx; line in my config, which points to the location /outpost.goauthentik.io {} stanza, however I noticed that @gibrich does not have this same line in their config, so it appears I may have more digging to do. I would note that my config is identical to the one posted above, and the only way I can

I should note that in no case can I get it working, LAN or otherwise, and I am also not using CF tunnels, so the setup is slightly different. I just have a "normal" setup, in the sense of domain.com ---> CNAME to home router WAN IP --> forward 80/443 to --> NPM ---> downstream proxied servers.

FWIW, I have found instructions to not use the FQDN in the proxy_pass URL in setting up hosts to forward to Authentik, but this may be because I'm hosting everything at home, so it has to try to resolve the FQDN which points to the same machine it's resolving from, resulting in a loop. I am running 20+ microservices, (almost) all secured by Authentik with zero issues, so it appears Kuma is the only one causing any issues in "playing nice" with Authentik

In any case, I'm +1'ing this issue as I'm essentially facing the same issue and would love to see a resolution.

gibrich commented 1 year ago

> This is interesting...I'm also trying to get UptimeKuma behind Authentik (using Nginx Proxy Manager [NPM] as well) and just came to Github to see if any others had filed issues for the same thing...
>
> In my case however, as soon as I add the advanced config to my proxy host in NPM, I instantly get a 500 internal server error for UptimeKuma. I've isolated it to the auth_request /outpost.goauthentik.io/auth/nginx; line in my config, which points to the location /outpost.goauthentik.io {} stanza, however I noticed that @gibrich does not have this same line in their config, so it appears I may have more digging to do. I would note that my config is identical to the one posted above, and the only way I can
>
> I should note that in no case can I get it working, LAN or otherwise, and I am also not using CF tunnels, so the setup is slightly different. I just have a "normal" setup, in the sense of domain.com ---> CNAME to home router WAN IP --> forward 80/443 to --> NPM ---> downstream proxied servers.
>
> FWIW, I have found instructions to not use the FQDN in the proxy_pass URL in setting up hosts to forward to Authentik, but this may be because I'm hosting everything at home, so it has to try to resolve the FQDN which points to the same machine it's resolving from, resulting in a loop. I am running 20+ microservices, (almost) all secured by Authentik with zero issues, so it appears Kuma is the only one causing any issues in "playing nice" with Authentik
>
> In any case, I'm +1'ing this issue as I'm essentially facing the same issue and would love to see a resolution.

Yeah sorry, probably not the same issue here. Did you solve yours? I still have no clue why it doesn't work for me. Tried now with Sonarr too, and same problem.

mrcheap1984 commented 1 year ago

I'm getting the same issue as well. Tried it with a couple of programs and still no go! I'm using the Geeks Circuit guide as well.

I'm tempted to use the old version of Authentik and NPM from when that article was written, to help determine if it's a bug.

mrcheap1984 commented 1 year ago

I used an old version 2022.7.3 and it works. Not sure if it's bug in the creation of new applications or just the new build in general.

osevenlan commented 1 year ago

Also experiencing this issue 😢

mrcheap1984 commented 1 year ago

I just updated to 2023.2.1 and it's working now :)

osevenlan commented 1 year ago

> I just updated to 2023.2.1 and it's working now :)

Man you just made my day haha I've been terrified to start the troubleshooting XD

BeryJu commented 7 months ago

@gibrich is this still an issue?

Aetherinox commented 5 months ago

For some of us it is. I'm stuck getting HTTP error 400. If I'm signed out and go to a subdomain, it'll redirect me to sign in with authentik. As soon as I sign in, it goes back to the subdomain with a 400 error and the URL

https://traefik.domain.com/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=ecde95392d5d1419ac943e03b4e4c3b8&state=xR_v8AhcJ84yL6eA_sfKT0e5CBe5n3Wduq6rcDL2bAU

Adeophan commented 3 weeks ago

I'm on latest version and this still persists. Especially the iOS Safari issue with "download" callback.

My config:

```nginx
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # Add WebSocket support (add these two lines here)
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          https://192.168.1.11:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://192.168.1.11:9443/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

Adeophan commented 3 weeks ago

I managed to resolve the issue. I changed my Cloudflare domain config to Always Use HTTPS and Enable HTTP Strict Transport Security (HSTS). On top of that in NGINX I changed the certificates from Let's Encrypt to Origin Server TLS Certificate. Now I no longer have the error on iOS devices. The core issue seems to be the way that iOS is handling the domain addresses if there is no HTTPS enforced.