Description
Describe your question
I created a provider using the wizard.
- Under Application Details:
  Name: Mailu
  Slug: mailu
- Under Provider Type, I chose Forward Auth (Single Application)
- Under Provider Configuration:
  Name: Mailu
  Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
  External host: https://app.domain.tld
Example for the Authentik domain https://sso.domain.tld.
The problem I encountered is that if I follow the example from Authentik at https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_caddy, I always get an error. Here is an example of the error configuration:
app.domain.tld {
    # directive execution order is only as stated if enclosed with route.
    route {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }
        # forward authentication to outpost
        forward_auth http://authentik:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            # capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
        }
        # actual site configuration below, for example
        reverse_proxy 100.111.126.34:8080
    }
}
And here is an example of the configuration that I edited and succeeded in logging in:
app.domain.tld {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
        header_up Host {http.reverse_proxy.upstream.hostport}
    }
    # forward authentication to outpost
    forward_auth http://authentik-server:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }
    # actual site configuration below, for example
    reverse_proxy 100.111.126.34:8080
}
I deleted the route and everything ran normally. But I'm not sure if there will be any security issues or not after deleting that route.
Relevant info
Maybe this is relevant. I set up authentik with caddy docker with the following config:
sso.domain.tld {
    reverse_proxy authentik-server:9000
    header {
        Strict-Transport-Security "max-age=63072000"
    }
}
Screenshots
Here's a screenshot when the error occurred.
Version and Deployment (please complete the following information):
- authentik version: ghcr.io/goauthentik/server:2024.10.5
- Deployment: docker-compose
Additional context
Is there a setup that is missing or is there additional information that I need to add? And for additional information, please let me know how to obtain it.
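
An alternative layout for the site block above that does not depend on `route`, added here as an example (not from the Authentik documentation or the original post): `handle` blocks are mutually exclusive, so the outpost path is proxied without the auth check, and every other request passes through `forward_auth` before the backend because Caddy's default directive order places `forward_auth` ahead of `reverse_proxy`. Hostnames and the backend address are the ones from the post; `authentik-server` is assumed to be the resolvable container name.

```caddyfile
app.domain.tld {
    # Outpost endpoints are proxied to authentik without the auth check.
    handle /outpost.goauthentik.io/* {
        reverse_proxy https://sso.domain.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }
    }

    # Everything else lands here. Only one handle block runs per request,
    # and inside this block forward_auth is ordered before reverse_proxy,
    # so the backend is only reached after the auth check has passed.
    handle {
        forward_auth http://authentik-server:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            # header names are case-sensitive here, as noted in the post
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
            # as in the post; narrowing this to the outpost's address is tighter
            trusted_proxies private_ranges
        }
        reverse_proxy 100.111.126.34:8080
    }
}
```

Running `caddy adapt --config Caddyfile` prints the JSON handler chain, which shows the order in which the directives will actually run.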