goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

authentik outpost on different host #9399

Open stephanschorer opened 6 months ago

stephanschorer commented 6 months ago

I have two servers with the following services:

server1: authentik, nginx-proxy-manager, app1
server2: nginx-proxy-manager, authentik-outpost, app2

The servers are reachable like that:

server1: domain.com
server2: server2.domain.com

So I can access authentik on server1 with auth.domain.com

I want to use the authentik on server1 to authenticate the login to app2 on server2. I tried to deploy an authentik proxy to server2 with the token from the authentik service on server1. That container is running fine.

version: "3.5"

networks:
  services_default:
    external: true
    name: services_default

services:
  authentik-outpost:
    image: ghcr.io/goauthentik/proxy
    container_name: authentik-outpost
    # Optionally specify which networks the container should be
    # might be needed to reach the core authentik server
    # networks:
    #   - foo
    #ports:
    #  - 9000:9000
    #  - 9443:9443
    environment:
      AUTHENTIK_HOST: https://auth.domain.com
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: 1X492
      # Starting with 2021.9, you can optionally set this too
      # when authentik_host for internal communication doesn't match the public URL
      # AUTHENTIK_HOST_BROWSER: https://auth.domain.com
    networks:
      - services_default

Now I create a provider in authentik on server1 like this:

type: Proxy
External host: app2.server2.domain.com
Internal host: http://app2:port

And then assign that provider to an app and to the outpost..

The container authentik-outpost on server2 is in the same network (services_default) as the app2 on server2, so they can reach each other!

On server2: But if I then change nginx-proxy-manager to forward the traffic on app2.server2.domain.com to the container "authentik-outpost" I just get 502 Bad Gateway if I try to access: app2.server2.domain.com

Am I missing something?!

Please help me :)

Cheers Stephan

PythonCoderAS commented 6 months ago

The “internal host” is local to that server. Use the public URL if the outpost is on a different server

stephanschorer commented 6 months ago

how would I do that? internal host: "app2.server2.domain.com"? but that public URL directs to the authentik-outpost container on server2, I need to forward the traffic to the specific container on server2 (app2)

or did I misunderstand you?

stephanschorer commented 6 months ago

correct me if I am wrong, but I think I need to use "Forward auth (single app)" instead of "Proxy" in the provider settings.

External host: "app2.server2.domain.com"
nginx on server2: forward to app2:port

And then I need to use the nginx config. I am not sure how I should adjust this line:

proxy_pass              http://outpost.company:9000/outpost.goauthentik.io;

to the authentik-outpost container on server2? If yes then the nginx entry is listed as "offline"

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://authentik-outpost:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
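To make clear what the nginx snippet above actually does on each request, here is an added example (not code from the thread or from the authentik project) that models the `location /` block in Python: the `auth_request` subrequest to the outpost's `/auth/nginx` endpoint, the 401 → 302 redirect to `/outpost.goauthentik.io/start?rd=…`, and the `proxy_set_header X-authentik-*` lines that overwrite whatever identity headers the client sent before the request reaches the app. The session store, the cookie name `authentik_proxy`, the user record and the app's behaviour are all constructed assumptions. The last function shows why the app must only be reachable through nginx: hit directly, it accepts a spoofed `X-authentik-username`.

```python
from dataclasses import dataclass, field
from typing import Dict

IDENTITY_HEADERS = (
    "X-authentik-username", "X-authentik-groups", "X-authentik-email",
    "X-authentik-name", "X-authentik-uid",
)
_IDENTITY_LOWER = {h.lower() for h in IDENTITY_HEADERS}

# Stand-in for the outpost's session store (constructed data; the real outpost
# validates a signed session cookie against the authentik server). The cookie
# name "authentik_proxy" is an assumption for this example.
SESSIONS = {
    "sess-abc": {"username": "stephan", "groups": "users",
                 "email": "stephan@domain.com", "name": "Stephan", "uid": "7f3c"},
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def outpost_auth_nginx(cookies: Dict[str, str]) -> Response:
    """Models GET /outpost.goauthentik.io/auth/nginx on the outpost:
    200 plus X-authentik-* headers for a valid session, otherwise 401."""
    ident = SESSIONS.get(cookies.get("authentik_proxy", ""))
    if ident is None:
        return Response(401)
    return Response(200, {
        "X-authentik-username": ident["username"],
        "X-authentik-groups": ident["groups"],
        "X-authentik-email": ident["email"],
        "X-authentik-name": ident["name"],
        "X-authentik-uid": ident["uid"],
    })


def app2(headers: Dict[str, str]) -> Response:
    """The protected app (hypothetical): no login of its own, it trusts the
    identity header it receives."""
    user = headers.get("X-authentik-username")
    if not user:
        return Response(403, body="no identity header")
    return Response(200, body=f"hello {user}")


def nginx_gateway(request_uri: str, headers: Dict[str, str],
                  cookies: Dict[str, str]) -> Response:
    """Models the `location /` block of the nginx snippet."""
    # auth_request /outpost.goauthentik.io/auth/nginx;
    auth = outpost_auth_nginx(cookies)
    if auth.status == 401:
        # error_page 401 = @goauthentik_proxy_signin;
        # -> return 302 /outpost.goauthentik.io/start?rd=$request_uri;
        return Response(302, {"Location": f"/outpost.goauthentik.io/start?rd={request_uri}"})
    # proxy_set_header X-authentik-* $authentik_*: nginx replaces any same-named
    # header the client sent (header names are case-insensitive) and omits the
    # header entirely when the variable is empty.
    upstream = {k: v for k, v in headers.items() if k.lower() not in _IDENTITY_LOWER}
    for name in IDENTITY_HEADERS:
        value = auth.headers.get(name, "")
        if value:
            upstream[name] = value
    # proxy_pass $forward_scheme://$server:$port;
    return app2(upstream)
```

Run `nginx_gateway("/", {"X-authentik-username": "admin"}, {"authentik_proxy": "sess-abc"})` and the app sees `stephan`, not `admin`; call `app2({"X-authentik-username": "admin"})` directly and it happily greets `admin`. That is the reason app2's port must not be published on server2 and the app must sit on a network that only nginx (or the outpost, in proxy mode) can reach.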
masterwishx commented 6 months ago

I have the same issue, did you fix it?

stephanschorer commented 6 months ago

nope still waiting for an answer :)

masterwishx commented 6 months ago

@BeryJu is this known issue or can be fixed by users? Also talked with @cooptonian in discord he has same issue. https://discord.com/channels/809154715984199690/1236010860300730573/1236010860300730573

masterwishx commented 6 months ago

@stephanschorer can you enter local in outpost? Or do you get a 404?

masterwishx commented 6 months ago

Fixed by another way https://discord.com/channels/809154715984199690/1236010860300730573/1237323226841878609

stephanschorer commented 6 months ago

@masterwishx so you fixed it by creating a multi tenant?

could you maybe explain what you did?

I read it briefly and changed the following settings:

Authentik instance on server1 changed the provider for app2 to 'transparent proxy' and entered app2.server2.domain.com and for the internal address the local ip/port of app2 on the server2

Then changed the npm entry on nginx.server2.domain.com to forward its traffic to the authentik-outpost:9000 without any advanced config

But I still get an 502 Bad Gateway

masterwishx commented 6 months ago

> @masterwishx so you fixed it by creating a multi tenant?
>
> could you maybe explain what you did?
>
> I read it briefly and changed the following settings:
>
> Authentik instance on server1 changed the provider for app2 to 'transparent proxy' and entered app2.server2.domain.com and for the internal address the local ip/port of app2 on the server2
>
> Then changed the npm entry on nginx.server2.domain.com to forward its traffic to the authentik-outpost:9000 without any advanced config
>
> But I still get an 502 Bad Gateway

Strange, I have no issue, but I have one account in Cloudflare with two domains. It was a little confusing, but it's like you described: auth.domain.net with a Cloudflare tunnel cert and grafana.domain.work with a domain.work cert.

masterwishx commented 6 months ago

Can you see your outpost connected in authentik?

stephanschorer commented 6 months ago

Yes, the outpost is online. Normally a 502 Bad Gateway occurs if the proxy cannot find the service behind it, which means my main authentik server cannot find the target container service on server2, but I dunno how that works in the background in authentik 😐
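A 502 in this topology can be produced by two different hops: by nginx-proxy-manager when it cannot reach the outpost container, or by the outpost itself when it cannot reach the provider's internal host. Only the first case leaves a trace in nginx's error log. The following added example (not code from the thread or from authentik) triages constructed nginx `error_log` lines, written in nginx's real message format, into the failing hop and a concrete fix; the IP addresses, timestamps and the `docker run … curlimages/curl` check named in the comments are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in nginx's error_log format (not taken from the thread).
SAMPLE_NGINX_ERROR_LOG = """\
2024/05/03 12:00:01 [error] 31#31: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.10, server: app2.server2.domain.com, request: "GET / HTTP/1.1", upstream: "http://172.18.0.5:9000/", host: "app2.server2.domain.com"
2024/05/03 12:00:02 [error] 31#31: *6 no resolver defined to resolve authentik-outpost, client: 203.0.113.10, server: app2.server2.domain.com, request: "GET / HTTP/1.1", host: "app2.server2.domain.com"
2024/05/03 12:00:03 [error] 31#31: *7 upstream sent too big header while reading response header from upstream, client: 203.0.113.10, server: app2.server2.domain.com, request: "GET / HTTP/1.1", upstream: "http://172.18.0.5:9000/outpost.goauthentik.io/auth/nginx", host: "app2.server2.domain.com"
2024/05/03 12:00:04 [error] 31#31: *8 upstream prematurely closed connection while reading response header from upstream, client: 203.0.113.10, server: app2.server2.domain.com, request: "GET / HTTP/1.1", upstream: "http://172.18.0.5:9443/", host: "app2.server2.domain.com"
"""


@dataclass
class Finding:
    cause: str              # machine-readable label
    target: str             # "outpost", "app" or "unresolved": what nginx was talking to
    upstream: Optional[str]  # the upstream URL nginx logged, if any
    advice: str


# (pattern, cause, advice), tried in order; first match wins.
RULES = [
    (re.compile(r"connect\(\) failed \(\d+: [^)]+\) while connecting to upstream"),
     "connect_failed",
     "the host answered but nothing listens on that port: wrong container name, wrong port "
     "(the outpost listens on 9000/9443) or the two containers share no docker network"),
    (re.compile(r"no resolver defined to resolve \S+|\S+ could not be resolved"),
     "unresolved_upstream",
     "proxy_pass uses a variable, so nginx needs a 'resolver' directive (127.0.0.11 inside "
     "docker); a literal hostname is resolved once at startup instead"),
    (re.compile(r"upstream sent too big header"),
     "header_too_big",
     "raise proxy_buffers / proxy_buffer_size as in the authentik nginx snippet"),
    (re.compile(r"upstream prematurely closed connection|SSL_do_handshake\(\) failed"),
     "upstream_closed",
     "upstream hung up; a common cause is plain http:// sent to the TLS port 9443 "
     "(or https:// to 9000): check the scheme/port pair in proxy_pass"),
    (re.compile(r"upstream timed out"),
     "upstream_timeout",
     "packets are dropped rather than refused: firewall between hosts or a wrong IP"),
]

UPSTREAM_RE = re.compile(r'upstream: "([^"]+)"')


def classify_upstream(url: Optional[str]) -> str:
    """Guess which hop nginx was proxying to from the upstream URL it logged."""
    if url is None:
        return "unresolved"
    if ":9000" in url or ":9443" in url or "/outpost.goauthentik.io" in url:
        return "outpost"
    return "app"


def triage_nginx_log(text: str) -> List[Finding]:
    """Map each upstream-related nginx error line to a cause and a fix."""
    findings: List[Finding] = []
    for line in text.splitlines():
        for pattern, cause, advice in RULES:
            if pattern.search(line):
                m = UPSTREAM_RE.search(line)
                url = m.group(1) if m else None
                findings.append(Finding(cause, classify_upstream(url), url, advice))
                break
    return findings


def where_502_originates(findings: List[Finding]) -> str:
    """No upstream error in nginx's log means nginx relayed a 502 it received,
    i.e. the outpost generated it because it could not reach the provider's
    internal host. Check the outpost container's logs and test the internal
    host from a container on the same docker network, e.g. (assumed command)
    docker run --rm --network services_default curlimages/curl -sv http://app2:port"""
    return "nginx" if findings else "beyond_nginx"
```

The point of `where_502_originates` is the one the thread circles around: with a Proxy provider and NPM forwarding straight to `authentik-outpost:9000`, an empty nginx error log plus a 502 at the browser means the outpost-to-app2 hop is the one to debug, and "outpost shows online" says nothing about that hop, since the online status only reflects the outpost-to-authentik connection.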

masterwishx commented 6 months ago

> Yes, the outpost is online. Normally a 502 Bad Gateway occurs if the proxy cannot find the service behind it, which means my main authentik server cannot find the target container service on server2, but I dunno how that works in the background in authentik 😐

Maybe related to certificates? Are you using domains in cloudflare?

stephanschorer commented 6 months ago

Nah, I don't think so, cause I don't even get a cert error, and it's just one domain, and no, the domain is not at Cloudflare.

masterwishx commented 6 months ago

> Nah, I don't think so, cause I don't even get a cert error, and it's just one domain, and no, the domain is not at Cloudflare.

Oh so should not be a problem