{"id":1292,"date":"2025-12-20T14:22:08","date_gmt":"2025-12-20T13:22:08","guid":{"rendered":"https:\/\/www.homeserver.lu\/?p=1292"},"modified":"2025-12-20T14:22:08","modified_gmt":"2025-12-20T13:22:08","slug":"reverse-proxy-protection-by-authentik","status":"publish","type":"post","link":"https:\/\/www.homeserver.lu\/?p=1292","title":{"rendered":"Reverse Proxy Protection by Authentik"},"content":{"rendered":"\n<p>auth_basic is lousy protection for your websites. Better to use an SSO solution like Authentik. Here is my NGINX reverse proxy host configuration:<\/p>\n\n\n\n<div class=\"hcb_wrap\"><pre class=\"prism line-numbers lang-plain\" data-file=\"host.domain.name.conf\"><code>server {\n    server_name HOST.DOMAIN.NAME;\n    access_log \/var\/log\/nginx\/HOST.DOMAIN.NAME.access.log;\n    error_log \/var\/log\/nginx\/HOST.DOMAIN.NAME.error.log;\n    \n    # Increase buffer size for large headers from Authentik\n    proxy_buffers 8 16k;\n    proxy_buffer_size 32k;\n    \n    # All requests to \/outpost.goauthentik.io must be accessible without authentication\n    location \/outpost.goauthentik.io {\n        # When using the embedded outpost, proxy to Authentik backend\n        proxy_pass http:\/\/AUTHENTIK_IP:9000\/outpost.goauthentik.io;\n        \n        # CRITICAL: Set Host to auth.DOMAIN.NAME so Authentik knows which provider to use\n        proxy_set_header Host auth.DOMAIN.NAME;\n        \n        proxy_set_header X-Original-URL $scheme:\/\/$http_host$request_uri;\n        add_header Set-Cookie $auth_cookie;\n        auth_request_set $auth_cookie $upstream_http_set_cookie;\n        proxy_pass_request_body off;\n        proxy_set_header Content-Length &quot;&quot;;\n    }\n    \n    # Special location for when the \/auth endpoint returns a 401\n    # For domain level, redirect to your authentik server with the full redirect path\n    location @goauthentik_proxy_signin {\n        internal;\n        add_header Set-Cookie $auth_cookie;\n        # CHANGED: Use full 
auth.DOMAIN.NAME URL for domain-level auth\n        return 302 https:\/\/auth.DOMAIN.NAME\/outpost.goauthentik.io\/start?rd=$scheme:\/\/$http_host$request_uri;\n    }\n    \n    location \/ {\n        # -------------------------\n        # BYPASS AUTH FOR LOCAL IPS\n        # -------------------------\n        satisfy any;\n        allow 192.168.1.0\/24;\n        deny all;\n\n        ##############################\n        # authentik-specific config\n        ##############################\n        auth_request \/outpost.goauthentik.io\/auth\/nginx;\n        error_page 401 = @goauthentik_proxy_signin;\n        auth_request_set $auth_cookie $upstream_http_set_cookie;\n        add_header Set-Cookie $auth_cookie;\n\n        # Translate headers from the outposts back to the actual upstream\n        auth_request_set $authentik_username $upstream_http_x_authentik_username;\n        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;\n        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;\n        auth_request_set $authentik_email $upstream_http_x_authentik_email;\n        auth_request_set $authentik_name $upstream_http_x_authentik_name;\n        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;\n\n        proxy_set_header X-authentik-username $authentik_username;\n        proxy_set_header X-authentik-groups $authentik_groups;\n        proxy_set_header X-authentik-entitlements $authentik_entitlements;\n        proxy_set_header X-authentik-email $authentik_email;\n        proxy_set_header X-authentik-name $authentik_name;\n        proxy_set_header X-authentik-uid $authentik_uid;\n        \n        # Your original proxy settings to Homer\n        proxy_set_header X-Real-IP $remote_addr;\n        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n        proxy_set_header Host $host;\n        \n        # Support for websocket\n        proxy_set_header Upgrade $http_upgrade;\n        proxy_set_header 
Connection &quot;upgrade&quot;;\n        \n        proxy_pass http:\/\/AUTHENTIK_IP:8090;\n     }\n    \n    listen 443 ssl;\n    ssl_certificate \/etc\/letsencrypt\/live\/HOST.DOMAIN.NAME\/fullchain.pem;\n    ssl_certificate_key \/etc\/letsencrypt\/live\/HOST.DOMAIN.NAME\/privkey.pem;\n    include \/etc\/letsencrypt\/options-ssl-nginx.conf;\n    ssl_dhparam \/etc\/letsencrypt\/ssl-dhparams.pem;\n}\n\nserver {\n    if ($host = HOST.DOMAIN.NAME) {\n        return 301 https:\/\/$host$request_uri;\n    }\n    listen 80;\n    server_name HOST.DOMAIN.NAME;\n    return 404;\n}<\/code><\/pre><\/div>\n\n\n\n<p>In Authentik, you have to create a Provider:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1018\" height=\"1024\" src=\"https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-1018x1024.png\" alt=\"\" class=\"wp-image-1294\" srcset=\"https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-1018x1024.png 1018w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-298x300.png 298w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-150x150.png 150w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-768x773.png 768w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-1526x1536.png 1526w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-2035x2048.png 2035w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Provider-624x628.png 624w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/figure>\n\n\n\n<p>In Authentik, create an Application:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"730\" src=\"https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-1024x730.png\" alt=\"\" class=\"wp-image-1295\" srcset=\"https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-1024x730.png 1024w, 
https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-300x214.png 300w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-768x548.png 768w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-1536x1096.png 1536w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-2048x1461.png 2048w, https:\/\/www.homeserver.lu\/wp-content\/uploads\/2025\/12\/Application-624x445.png 624w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>auth_basic is lousy protection for your websites. Better to use an SSO solution like Authentik. Here is my NGINX reverse proxy host configuration: In Authentik, you have to create a Provider: In Authentik, create an Application:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-1292","post","type-post","status-publish","format-standard","hentry","category-reverse-proxy"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/posts\/1292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1292"}],"version-history":[{"count":2,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/posts\/1292\/revisions"}],"predecessor-version":[{"id":1296,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=\/wp\/v2\/posts\/1292\/revisions\/1296"}],"wp:attachment":[{"href":"https:\/\/www.homese
rver.lu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.homeserver.lu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}