
Authentik + Cloudflare + Nginx = 500 error

Need Help

Hi everyone,

I am struggling to create proxy between my apps and Authentik.

I was able to make Authentik work perfectly with Immich (Oauth2 Provider) and nextcloud (SAML Provider) but I can not make it work with Proxy Provider.

I am on Unraid using Nginx Proxy Manager.

Nginx Proxy Manager

Nginx Proxy Manager, Authentik and my apps are on the same custom network on Unraid.

Apps are in the same network called "blancnet"

All of them are accessible from outside my network using cloudflare.

I want to make my app "Homepage" get secured with Authentik SSO. So I want to use the proxy provider feature of authentik.

My Cloudflare DNS Setup

I can access without any problem to my app "Homepage" using https://home.domain.com without Authentik code in the advanced tab of my proxy in Nginx.

My app is correctly configured inside Authentik.

Outposts tabs in Authentik for my app Homepage

My app Homepage proxy provider settings

My apps configured in Authentik

My Homepage app configuration in Nginx which needs to be proxied by authentik

But when I add the code required in the advanced tab to make it work with authentik, I get the error 500.

When I access to https://home.domain.com WITH the proxy code in my app homepage nginx advanced tab

Here is the advanced tab code of my app https://home.domain.com :

proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
    set_real_ip_from 172.18.0.0/16; # make sure this IP range matches your network setup
    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          http://192.168.1.XX:9000/outpost.goauthentik.io;
    # ensure the host of this server matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.mydomain.fr/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

I tried several times to modify this code, also took code from this GitHub's latest posts https://github.com/vineethmn/geekscomments/issues/1

Thanks in advance for your help,
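
Added example, not part of the original post: nginx's `auth_request` lets the request through when the subrequest returns 2xx, passes 401 and 403 through, and treats any other subrequest status as an error that the client sees as a 500, logging `auth request unexpected status`. The sketch below models that mapping for the config above and pulls the failing status or subrequest error out of error-log lines; the log lines are constructed samples and the function names are illustrative.

```python
import re

# Constructed nginx error-log lines (not from the original post).
SAMPLE_LOG = """\
2024/05/01 10:15:02 [error] 231#231: *17 auth request unexpected status: 404 while sending to client, client: 172.18.0.1, server: home.domain.com, request: "GET / HTTP/2.0", host: "home.domain.com"
2024/05/01 10:15:09 [error] 231#231: *18 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.1, server: home.domain.com, request: "GET / HTTP/2.0", subrequest: "/outpost.goauthentik.io/auth/nginx", upstream: "http://192.168.1.XX:9000/outpost.goauthentik.io/auth/nginx", host: "home.domain.com"
2024/05/01 10:15:30 [error] 231#231: *19 auth request unexpected status: 502 while sending to client, client: 172.18.0.1, server: home.domain.com, request: "GET /settings HTTP/2.0", host: "home.domain.com"
"""

UNEXPECTED = re.compile(r"auth request unexpected status: (\d{3})")
SUBREQ_ERR = re.compile(
    r'\*\d+ (.*?), client:.*subrequest: "(/outpost\.goauthentik\.io/[^"]*)"')
REQUEST = re.compile(r'request: "\S+ (\S+)')


def client_response(auth_status, request_uri="/"):
    """Map the auth subrequest status to what the client receives."""
    if 200 <= auth_status < 300:
        return ("proxy_pass", None)  # allowed: request reaches the app
    if auth_status == 401:
        # error_page 401 = @goauthentik_proxy_signin
        return (302, "/outpost.goauthentik.io/start?rd=" + request_uri)
    if auth_status == 403:
        return (403, None)
    return (500, None)  # anything else is an auth_request error


def triage(log_text):
    """Collect auth_request failures and outpost subrequest errors."""
    findings = []
    for line in log_text.splitlines():
        req = REQUEST.search(line)
        uri = req.group(1) if req else None
        hit = UNEXPECTED.search(line)
        if hit:
            status = int(hit.group(1))
            findings.append({"uri": uri, "auth_status": status,
                             "client_sees": client_response(status, uri)[0]})
            continue
        err = SUBREQ_ERR.search(line)
        if err:
            findings.append({"uri": uri, "subrequest": err.group(2),
                             "error": err.group(1)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
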

I never fixed it. I switched back to Authelia.

Shame, my previous config did work but after having to switch to a new npmplus container I no longer get it working...

Thanks for the reply!

do you know the version of your previous npm container? Basically as mentioned somewhere else the config is out of date for the authentik global YAML.

Sadly I do not, I had problems with the NPM container and had to remove both container and config files, though the NPM version around February + Authentik 24.2 (and 24.4) did work previously.
