authentik outpost on different host
I have two servers with the following services:
server1: authentik, nginx-proxy-manager, app1
server2: nginx-proxy-manager, authentik-outpost, app2
the servers are reachable like that: server1: server2:
So I can access authentik on server1 with
I want to use the authentik on server1 to authenticate the login to the app2 on server2. I tried to deploy an authentik proxy to server2 with the token from the authentik service on server1. That container is running fine.
version: "3.5"
external: true
name: services_default
container_name: authentik-outpost
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
# networks:
# - foo
# - 9000:9000
# - 9443:9443
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
- services_default
Now I create a provider in authentik on server1 like this: type: Proxy External host: Internal host: http://app2:port
And then assign that provider to an app and to the outpost..
The container authentik-outpost on server2 is in the same network (services_default) as the app2 on server2, so they can reach each other!
On server2: But if I then change nginx-proxy-manager to forward the traffic on to the container "authentik-outpost" I just get 502 Bad Gateway if I try to access:
Am I missing something?!
Please help me :)
Cheers Stephan
The “internal host” is local to that server. Use the public URL if the outpost is on a different server
how would I do that? internal host: ""? but that public URL directs to the authentik-outpost container on server2, I need to forward the traffic to the specific container on server2 (app2)
or did I misunderstand you?
correct me if I am wrong, but I think I need to use "Forward auth (single app)" instead of "Proxy" in the provider settings.
External host: "" nginx on server2: forward to app2:port
And then I need to use the nginx config. I am not sure how I should adjust this line:
to the authentik-outpost container on server2? If yes then the nginx entry is listed as "offline"
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    # authentik-specific config
    auth_request /;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to / must be accessible without authentication
location / {
    proxy_pass http://authentik-outpost:9000/;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    add_header Set-Cookie $auth_cookie;
    return 302 /$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302$scheme://$http_host$request_uri;
}
I have the same issue, did you fix it?
nope still waiting for an answer :)
@BeryJu is this a known issue or can it be fixed by users? I also talked with @cooptonian on Discord, he has the same issue.
@stephanschorer can you enter local in outpost? Or do you have a 404?
Fixed by another way
@masterwishx so you fixed it by creating a multi tenant?
could you maybe explain what you did?
I read it briefly and changed the following settings:
Authentik instance on server1 changed the provider for app2 to 'transparent proxy' and entered and for the internal address the local ip/port of app2 on the server2
Then changed the npm entry on to forward its traffic to the authentik-outpost:9000 without any advanced config
But I still get a 502 Bad Gateway
Strange, I have no issue but I have one account in cloudflare with two domains. It was a little confusing, but it's like you described. with cloudflare tunnel cert and with cert
Can you see your outpost connected in authentik?
yes the outpost is online.. normally a 502 bad gateway occurs if the proxy cannot find the service behind which means my main authentik server cannot find the target container service on server2 but I dunno how that works in the background in authentik 😐
Maybe related to certificates? Are you using domains in cloudflare?
nah I don't think so, because I don't even get a cert error and it's just one domain, and no, the domain is not at cloudflare
Oh so should not be a problem
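One thing that can be checked on server2 for the 502 discussed in this thread is whether the reverse-proxy container can actually reach `authentik-outpost:9000` by name, given that the compose file above leaves the `9000`/`9443` port mappings commented out. The following is an added example, not code from the thread or from the authentik project; it reads `docker inspect` JSON, and the container name `nginx-proxy-manager`, the network `npm_default` and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like the output of
# `docker inspect nginx-proxy-manager authentik-outpost` on server2.
# "nginx-proxy-manager" (container name) and "npm_default" are assumptions.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/nginx-proxy-manager",
   "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]},
                       "Networks": {"npm_default": {"IPAddress": "172.20.0.2"}}}},
  {"Name": "/authentik-outpost",
   "NetworkSettings": {"Ports": {"9000/tcp": null, "9443/tcp": null},
                       "Networks": {"services_default": {"IPAddress": "172.19.0.5"}}}}
]
""")


def _by_name(inspect):
    """Index `docker inspect` records by container name (Docker prefixes a '/')."""
    return {c["Name"].lstrip("/"): c["NetworkSettings"] for c in inspect}


def diagnose(inspect, proxy, upstream, port):
    """Report whether `proxy` can reach `upstream:port` using the container name."""
    settings = _by_name(inspect)
    missing = [n for n in (proxy, upstream) if n not in settings]
    if missing:
        return "not running: " + ", ".join(missing)
    # Only user-defined networks resolve container names; the default
    # "bridge" network has no container-name DNS, so it is excluded.
    shared = sorted((set(settings[proxy]["Networks"])
                     & set(settings[upstream]["Networks"])) - {"bridge"})
    if shared:
        return "reachable by name on: " + ", ".join(shared)
    # An exposed but unpublished port appears as null in `docker inspect`.
    published = (settings[upstream].get("Ports") or {}).get(f"{port}/tcp")
    if published:
        return f"no shared network; use host port {published[0]['HostPort']} instead of the name"
    return "unreachable: no shared network and port not published"


if __name__ == "__main__":
    print(diagnose(SAMPLE_INSPECT, "nginx-proxy-manager", "authentik-outpost", 9000))
```

With real data, pipe `docker inspect <proxy-container> authentik-outpost` into `json.load` and pass the result as the first argument.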