Nginx proxy managers/nginx configuration given by authentik does not work
Describe the bug
The provided configuration to put in Nginx Proxy Manager, and sometimes even nginx, makes nginx and nginx-based configs appear as offline, yielding an error.
To Reproduce
Steps to reproduce the behavior: get the compose file for authentik, add a section for Nginx Proxy Manager, then try authentik's proxy setup with Nginx Proxy Manager (copy and paste it in the Nginx advanced configuration box).
Expected behavior
It should work out of the box, authentik's configuration for Nginx Proxy Manager or nginx. It should not appear offline. Nginx Proxy Manager should not return errors for it being incorrectly configured.
Logs
[root@docker-98131251dcd3:/var/log/nginx]# cat error.log
2024/06/06 07:48:28 [emerg] 207#207: "map" directive is not allowed here in /data/nginx/proxy_host/3.conf:47
2024/06/06 07:48:28 [notice] 211#211: signal process started
Version and Deployment (please complete the following information):
- authentik version: Latest
- Deployment: Docker compose
Additional context
These issues have been referenced in these github discussions #7323 and #10004, one of which I opened recently, because I was looking for a solution specific to Nginx Proxy Manager and the answer given to the other discussion #7323 was for bare metal nginx.
Removing the first few lines helped alleviate one error but led to many more; this would be a headache to try and troubleshoot. #7323 goes over some of the fixes that can be made, but there are more issues I encountered given that this isn't bare metal nginx.
I can also confirm.
I found a working one from: https://geekscircuit.com/set-up-authentik-sso-with-nginx-proxy-manager/
Hopefully this helps you!
I'm experiencing the same sort of error except I'd get a 525 SSL handshake error. It keeps saying the SSL is invalid however I know it works since I use the same certificate to access my authentik instance on a FQDN. The tutorial mentioned above isn't helpful as I tried it 3 different times while starting over from scratch. I believe this is an actual bug.
Hey found a fix for you! Use an older advanced config to input into NPM.
I found a config that worked for me a while ago, I'll share it later. Anyway, this is marked as a bug in hopes that a contributor will update the documentation given in authentik for setting up NPM.
I think it's because of the websocket in the new config ...
So, the issue is still there with the latest Authentik version, 2024.6.0. I used the link from @pythonius21, but I have problems with Websocket "enabled" applications. I'm unable to understand how to fix this using the standard code generated by Authentik.
Removing the websocket upgrade from the new config does make it work. But then it breaks any apps that require websocket.
Has anybody figured out a fix for this yet?
Sure, just use old config and read above
Old config works until you need to add websocket support for an app like codeserver.
I did find the solution here though.
It requires creating a http_top.conf file in /data/nginx/custom and then modifying the connection upgrade line in the advanced config.
I appreciate all the solutions being figured out in this issue, I might make a discussion specifically for this issue. I do want to stress, this is a bug report about the defaults not being correct, and I hope this issue isn't closed as it contains people looking for similar solutions.
Subscribing to this issue as well. I've been trying to use authentik's Nginx Proxy Manager advanced tab configuration and it turns off my Proxy Host or it gets an error 500. I visited https://geekscircuit.com/set-up-authentik-sso-with-nginx-proxy-manager/ and https://docs.goauthentik.io/docs/providers/proxy/server_nginx to see if the configs work. Sadly, none of them worked.
I cannot get it working with Nginx Proxy Manager. And some of the official documents do need an update, as the authentik version used is quite old for those with OAuth support. I also followed this for Uptime-kuma https://docs.goauthentik.io/integrations/services/uptime-kuma/ but no luck there.
Want to add myself to this list. Been using the older configs that worked and avoiding the new ones.
I'm also having this problem. I've created the http_top.conf in /data/nginx/custom/ and added the "proxy_set_header Connection $connection_upgrade;" line to the Nginx advanced section.
I've been using only the latest two versions and haven't been able to get this to work. I've tried all the methods suggested here, but unfortunately, none of them have resolved the issue. websocket isn't working for me.
Could you please share a working configuration that has been successful for you?
Thanks in advance,
here's a confirmed working config for NPM that I've been using
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
# Make sure not to redirect traffic to a port 4443
port_in_redirect off;
location / {
# Put your proxy_pass to your application here
proxy_pass $forward_scheme://$server:$port;
# Set any other headers your application might need
# proxy_set_header Host $host;
# proxy_set_header ...
##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass https://authentik-server:9443/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
Edit: I forgot to mention that you have to change https://authentik-server:9443/outpost.goauthentik.io to the domain of your authentik instance.
I’m still facing the same issue—everything works perfectly except for the WebSocket. This seems unusual. Could this problem be solely related to NGINX Proxy Manager, or is there something I might be misconfiguring in Authentik?
Did you turn on websocket support in NPM? When I turned it on it worked with no issue. Also make sure you're using single application proxy, or that may break things.
I am running into the same issue. The above modification worked. But the issue is, if you are using the crowdsec bouncer version of NPM, it logs the wrong internal IPs:
time="2024-09-15T12:39:51-04:00" level=info msg="172.17.0.1 - [Sun, 15 Sep 2024 12:39:51 EDT] "GET /v1/decisions?ip=244.104.181.136 HTTP/1.1 200 146.180376ms "crowdsec-openresty-bouncer/v1.0.2" ""
time="2024-09-15T12:40:06-04:00" level=info msg="172.17.0.1 - [Sun, 15 Sep 2024 12:40:06 EDT] "GET /v1/decisions?ip=192.168.1.161 HTTP/1.1 200 76.273285ms "crowdsec-openresty-bouncer/v1.0.2" ""
Reference: https://github.com/vineethmn/geekscomments/issues/1
oh that makes sense, I use the regular npm so that was never a thought. Appreciate the insight
Works for me, but I need to use http or https plus IP_Address:Port, cannot use the https://authentik.xxxx domain...
That's probably because I'm using docker networking with the internal hostnames to make my life easier, because authentik-server is the container's hostname.
So just to say, I installed the latest 8.2 NPM recently and I had the same issue: the old configs work in the advanced tab, but not the new ones. Has a dev acknowledged this as an issue?
I can confirm that the old config posted by @Nirmata-1 works for me. The concerns about websocket-enabled applications not working may be alleviated by toggling "Websockets Support" in the Details tab of your NPM proxy host, though I have not confirmed it.
Actually, you can hardcode the websocket support by adding the following:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
The authentik NPM config has a map command to handle the websocket; however, NPM is unable to handle the map in the advanced config.
You need to add a http_top.conf to handle the map: https://github.com/goauthentik/authentik/discussions/7323#discussioncomment-9653412
Hope this can help you Thanks~
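The split described above (the `map` block into /data/nginx/custom/http_top.conf, everything else into the NPM Advanced box) can be done mechanically. The following is an added example, not authentik's or NPM's own code: it moves http-context-only blocks out of a generated snippet, re-checks the remainder for directives nginx would reject inside server {}, and lists the variables the moved `map` defines. The sample snippet is constructed in the shape of the thread's config, and HTTP_ONLY_DIRECTIVES is an assumption.

```python
"""Split an authentik nginx snippet into NPM http_top.conf and Advanced parts.

Added example, not authentik's or NPM's code: NPM pastes the Advanced box into
a server {} block, where http-only directives such as `map` are rejected.
"""
import re
from typing import List, Set, Tuple

# Directives nginx accepts only in the http {} context. Assumption: this short
# list covers what the authentik snippet emits; extend it for other generators.
HTTP_ONLY_DIRECTIVES = {"map", "upstream", "log_format", "geo", "split_clients"}

# Constructed sample in the shape of the snippet discussed in this thread.
SAMPLE_SNIPPET = """\
# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    '' '';
}
# Make sure not to redirect traffic to a port 4443
port_in_redirect off;
location / {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;
    auth_request /outpost.goauthentik.io/auth/nginx;
}
"""

def _code(line: str) -> str:
    """The line with any trailing '# comment' removed."""
    return line.split("#", 1)[0].rstrip()

def _directive(line: str) -> str:
    """First token of a line, or '' for blank and comment-only lines."""
    code = _code(line)
    return code.split(None, 1)[0] if code.strip() else ""

def split_npm_config(snippet: str) -> Tuple[str, str]:
    """Return (http_top_conf, advanced_conf); top-level http-only blocks move."""
    http_top: List[str] = []
    advanced: List[str] = []
    pending: List[str] = []   # comment/blank lines waiting for the next directive
    depth = 0                 # current brace nesting depth
    moving = False            # currently copying a block into http_top
    for line in snippet.splitlines():
        code = _code(line)
        if not code.strip() and not moving:
            pending.append(line)
            continue
        if depth == 0 and not moving and _directive(line) in HTTP_ONLY_DIRECTIVES:
            moving = True
        target = http_top if moving else advanced
        target.extend(pending)
        pending.clear()
        target.append(line)
        depth += code.count("{") - code.count("}")
        # A moved block ends once braces are balanced again at depth 0 and the
        # line either closed a block or finished a one-line statement.
        if moving and depth == 0 and ("}" in code or code.endswith(";")):
            moving = False
    advanced.extend(pending)
    return "\n".join(http_top) + "\n", "\n".join(advanced) + "\n"

def http_only_at_server_level(advanced_conf: str) -> List[Tuple[int, str]]:
    """(line_no, directive) pairs that nginx would reject inside server {}."""
    found, depth = [], 0
    for no, line in enumerate(advanced_conf.splitlines(), 1):
        if depth == 0 and _directive(line) in HTTP_ONLY_DIRECTIVES:
            found.append((no, _directive(line)))
        depth += _code(line).count("{") - _code(line).count("}")
    return found

def map_defined_variables(http_top_conf: str) -> Set[str]:
    """Variables a `map` block defines, e.g. {'$connection_upgrade_keepalive'}."""
    return set(re.findall(r"^\s*map\s+\$\w+\s+(\$\w+)\s*\{", http_top_conf, re.M))

if __name__ == "__main__":
    top, adv = split_npm_config(SAMPLE_SNIPPET)
    print("# /data/nginx/custom/http_top.conf\n" + top)
    print("# NPM > Proxy Host > Advanced\n" + adv)
    print("http-only directives left in Advanced:", http_only_at_server_level(adv))
```

After writing the first part to /data/nginx/custom/http_top.conf, the Advanced box keeps `proxy_set_header Connection $connection_upgrade_keepalive;`, which only resolves because the variable is now defined at http level.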
Simply adding the authentik internal IP and removing these 2 parts works for me:
# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
default upgrade;
'' '';
}
&&
proxy_set_header Connection $connection_upgrade_keepalive;
Working config:
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
# Make sure not to redirect traffic to a port 4443
port_in_redirect off;
location / {
# Put your proxy_pass to your application here
proxy_pass $forward_scheme://$server:$port;
# Set any other headers your application might need
# proxy_set_header Host $host;
# proxy_set_header ...
# Support for websocket
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade_keepalive; #<-----this is causing issues
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
# This section should be uncommented when the "Send HTTP Basic authentication" option
# is enabled in the proxy provider
# auth_request_set $authentik_auth $upstream_http_authorization;
# proxy_set_header Authorization $authentik_auth;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
# When using the embedded outpost, use:
proxy_pass http://<authentic-ip>:<port>/outpost.goauthentik.io;
# For manual outpost deployments:
# proxy_pass http://outpost.company:9000;
# Note: ensure the Host header matches your external authentik URL:
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
Problematic config has been removed under https://github.com/goauthentik/authentik/pull/11621 ✅ This issue should be resolved now.
Thank you!