

Authentik + Cloudflare + Nginx = 500 error
Hi everyone,
I am struggling to create a proxy between my apps and Authentik.
I was able to make Authentik work perfectly with Immich (OAuth2 Provider) and Nextcloud (SAML Provider), but I cannot make it work with the Proxy Provider.
I am on Unraid using Nginx Proxy Manager.

Nginx Proxy Manager, Authentik and my apps are on the same custom network on Unraid.

All of them are accessible from outside my network using cloudflare.
I want to make my app "Homepage" get secured with Authentik SSO. So I want to use the proxy provider feature of authentik.

I can access my app "Homepage" without any problem using https://home.domain.com without the Authentik code in the advanced tab of my proxy in Nginx.
My app is correctly configured inside Authentik.




But when I add the code required in the advanced tab to make it work with authentik, I get the error 500.

Here is the advanced tab code of my app https://home.domain.com :
```nginx
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
    set_real_ip_from 172.18.0.0/16; #make sure this IP range matches your network setup
    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://192.168.1.XX:9000/outpost.goauthentik.io;
    # ensure the host of this server matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.mydomain.fr/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
I tried several times to modify this code, and also took code from the latest posts in this GitHub issue: https://github.com/vineethmn/geekscomments/issues/1
Thanks in advance for your help,
Just wanted to drop a post in case someone else runs into this problem, this fixed it for me:
In Authentik:
Go to Applications -> Outposts and edit the 'authentik Embedded Outpost'.
Edit the following, adapt to your own domain. (It should point to the external domain that you've proxied Authentik to.)
authentik_host: https://auth.domain.com
authentik_host_browser: "https://auth.domain.com"
In NPM:
Edit the proxy host of the application you want to reverse-proxy. Under Advanced, enter the snippet for NPM that you can find here: https://goauthentik.io/docs/providers/proxy/server_nginx (make sure to use the one for NPM and not Nginx).
Edit the following in the snippet, adapt to your own server. (It should point to the internal IP or hostname of the server that's running Authentik, and the port that Authentik is assigned. I'm using hostname and HTTPS protocol and port, make sure to change protocol and port if you're using HTTP.)
proxy_pass https://HOSTNAME:PORT/outpost.goauthentik.io;
And this is why I love Reddit. Thank you my friend!
Thank you! The newest config template for npm on the link above doesn't quite work directly with npm 2.11.2 but editing out the map and keep alive portion, plus what you mentioned seemed to be the trick!
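A small linter for the failure modes discussed in this thread (the outpost `proxy_pass` protocol and port from the fix above, and the `map`/keep-alive parts this reply had to remove), added here as an example; it is not any poster's code and not from Authentik's documentation. It assumes NPM places the Advanced snippet inside the host's `server` block and that Authentik listens on its default ports 9000 (HTTP) and 9443 (HTTPS); `authentik.internal` is a placeholder hostname.

```python
import re

# Assumption: authentik's default listeners are 9000 (HTTP) and 9443 (HTTPS).
DEFAULT_PORTS = {"9000": "http", "9443": "https"}

def location_body(conf, path):
    """Return the text inside `location <path> { ... }`, or None if absent."""
    m = re.search(r"location\s+" + re.escape(path) + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def lint(conf):
    """Return a list of findings for an NPM Advanced-tab snippet."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    # map/upstream are http-context only (assumed: NPM inlines this in server{}).
    for name in ("map", "upstream"):
        if re.search(r"(?m)^\s*" + name + r"\s[^;{]*\{", conf):
            findings.append(f"{name} block is only valid in the http context")
    body = location_body(conf, "/outpost.goauthentik.io")
    if body is None:
        return findings + ["no location /outpost.goauthentik.io block"]
    # The outpost endpoints must be reachable without authentication.
    if re.search(r"\bauth_request\s", body):
        findings.append("outpost location is itself behind auth_request")
    m = re.search(r"proxy_pass\s+(https?)://[^/:;\s]+(?::(\d+))?", body)
    if m and DEFAULT_PORTS.get(m.group(2), m.group(1)) != m.group(1):
        findings.append(f"{m.group(1)} scheme used with port {m.group(2)}")
    return findings

# Constructed sample: hostname and snippet are placeholders, not from the thread.
BAD = """
upstream authentik {
    server authentik.internal:9443;
    keepalive 10;
}
location /outpost.goauthentik.io {
    auth_request /outpost.goauthentik.io/auth/nginx;
    proxy_pass http://authentik.internal:9443/outpost.goauthentik.io;
}
"""

if __name__ == "__main__":
    print("\n".join(lint(BAD)))
```

An empty list means none of these three problems was found; it does not replace running `nginx -t` inside the NPM container.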
Not all heroes wear capes! Thanks, mate!
When I do this, the proxy host in NPM becomes offline immediately. Any idea why? You only change the proxy pass line on line 51 of the example from the authentik site, right? Not the one on line 18 as well?
You. Are. Amazing!
Months later and this is still helping folks!
Hello, if I can ask here, I'm struggling with the same problem. Using NPM + Cloudflare + Authentik. In some services I'm getting all good (after going to the service IP, I'm redirected to Authentik and then to the service). But now I'm trying to get another service working with the same NGINX Advanced Configuration code as the first working app, and I'm getting 500 Internal Error (openresty). Whenever I change to some other code, it goes Offline in NPM and I get an SSL Handshake Error. I'm using a Let's Encrypt SSL cert in NPM with the DNS Challenge from Cloudflare.
Can you help me with that? Is there any other (newer) template to NPM to get it working?
Have you tried r/Nginx and r/CloudFlare? And Authentik has a Discord server: https://goauthentik.io/discord and Github discussion and issues page: https://github.com/goauthentik/authentik/discussions
I posted on Authentik Github and discord. Gonna try on r/Nginx and r/CloudFlare if I get nothing
I just ran into the exact same problem, did you ever find a solution?