r/Authentik

•

1 yr. ago

Unable to access embedded outpost

I'm currently trying to setup application authentication for Nginx Proxy Manager. The configuration works, but anytime I try to hit /outpost.goauthentik.io/ping, authentik returns a 404, and I believe it's causing the proxy to fail. I have authentik deployed via the supplied docker compose through portainer as included.

Oauth2 authentication works fine, just the embedded outpost isn't available

Compose

Outpost config

This is also assigned to a docker integration for the local docker socket.

r_bluehost

•

Promoted

YSK you can design a website without learning how to code 🤖. Our AI can do it for you.

Learn More

bluehost.com

Thumbnail image: YSK you can design a website without learning how to code 🤖. Our AI can do it for you.

Sort by:

Top (Default)

Open comment sort options

UnrealisticOcelot

•

1y ago

• Edited 1y ago

Did you ever resolve this? I've been banging my head against the keyboard trying to resolve what I believe is the same issue. This looks like the problem: https://github.com/goauthentik/authentik/issues/8956 and I don't see any resolutions.

EDIT: After much frustration I realized I didn't have my ingress-nginx marked as the default ingress class. Curious if there's a way to specify the ingress class name on the outpost, but I didn't see anything in my few minutes of looking. Once I made nginx the default it works fine.

pcs3rd

•

1y ago

Hmmm, I think I ended up getting this working by passing http://172.18.0.1:9000/outpost.goauthentik.io.
I haven't had to look at this in a few, but I'm using nginx proxy manager, and had to target the internal IP over http to get anything from the embedded outpost.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_http_version 1.1;
    proxy_set_header Connection "upgrade";
    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://172.18.0.1:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}```

More replies

[deleted]

•

1y ago

Comment deleted by user

pcs3rd

•

1y ago

I hit it over the internal http port I think. I'll have to double check.

Unable to access embedded outpost

Comments Section

I dont know if its just me but does anyone else keep getting a connection error?

Unable to connect to server (problem)

Can't connect to internet

Cannot connect to sever

Server is not responding error

Help, no input power!

"Cannot Connect to Server"

Installing error

Error login

Server continuity concerns?

Open Contact Issues

System off error, no power

Unable to Access Admin Console

Server issue

Unable to see installed apps

Unable to access Ledger Live Desktop

Unable to access Cisco Switch via Managment interface

Unable to install LAN driver

Unable to install LAN drivers

Unable to remotely access win 11 with openSSH server

Has this always been a thing? dont remember not being able to place small upgrade to existing small stations, but ever since the last update, I just cant place anything without completely demolishing the entire thing and rebuilding it from the ground up. Shouldnt have any mods causing issues either.

Unhandled exception in script

Network Error

One server, two issues

Can't connect to server

Top Posts