Error not found when I set up forward_auth (single application) with Caddy #12930

Open
Marcus1Pierce opened this issue Feb 4, 2025 · 1 comment
Labels
question Further information is requested

Comments

@Marcus1Pierce
Contributor

Describe your question
I created a provider using the wizard.

  • Under Application Details:
    Name: Mailu
    Slug: mailu
  • Under Provider Type, I chose Forward Auth (Single Application)
  • Under Provider Configuration:
    Name: Mailu
    Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
    External host: https://app.domain.tld

Example for the Authentik domain: https://sso.domain.tld.
The problem I encountered is that if I follow the example from Authentik at https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_caddy, I always get an error. Here is the configuration that produces the error:

app.domain.tld {
    # directive execution order is only as stated if enclosed with route.
    route {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }

        # forward authentication to outpost
        forward_auth http://authentik:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
        }

        # actual site configuration below, for example
        reverse_proxy 100.111.126.34:8080
    }
}

And here is the configuration that I edited and with which I succeeded in logging in:

app.domain.tld {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }

        # forward authentication to outpost
        forward_auth http://authentik-server:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
        }

        # actual site configuration below, for example
        reverse_proxy 100.111.126.34:8080
}

I deleted the route and everything ran normally. But I'm not sure whether there will be any security issues after deleting that route.

Relevant info
Maybe this is relevant. I set up authentik with Caddy in Docker with the following config:

sso.domain.tld {
        reverse_proxy authentik-server:9000

        header {
                Strict-Transport-Security "max-age=63072000"
        }
}

Screenshots
Here's a screenshot from when the error occurred.

Version and Deployment (please complete the following information):

  • authentik version: ghcr.io/goauthentik/server:2024.10.5
  • Deployment: docker-compose

Additional context
Is there a setup that is missing or is there additional information that I need to add? And for additional information, please let me know how to obtain it.

@Marcus1Pierce Marcus1Pierce added the question Further information is requested label Feb 4, 2025
@Marcus1Pierce
Contributor Author

Forgot to mention: here is the config with which I successfully log in with forward_auth, without removing route.

app.domain.tld {
    # directive execution order is only as stated if enclosed with route.
    route {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* http://authentik:9000 {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }

        # forward authentication to outpost
        forward_auth http://authentik:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
        }

        # actual site configuration below, for example
        reverse_proxy 100.111.126.34:8080
    }
}

Switching the reverse proxy target from https://sso.domain.tld to http://authentik:9000 resolves the issue and allows the website to be accessed normally.
