.env File

If this is a fresh authentik install run the following commands to generate a password (in the directory of your compose file):

# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Skip if you don't want to enable error reporting
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env

This will create the .env file and fill it with some passwords. In addition, you can add many other variables to the .env file. See here: https://goauthentik.io/docs/installation/docker-compose

By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in .env:

AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443

Docker Compose File

Below is our tweaked version of the official Docker Compose template provided by Authentik. We made several changes including giving a standardized name to all containers.

If you wish to use the default, you can find it here: https://goauthentik.io/docs/installation/docker-compose

---
version: '3.4'

services:
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    container_name: authentik-postgres
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - proxy
  redis:
    image: redis:alpine
    restart: unless-stopped
    container_name: authentik-redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - proxy
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    ports:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - ./media:/media
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    networks:
      - proxy
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    container_name: authentik-geoip
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      GEOIPUPDATE_FREQUENCY: "8"
    env_file:
      - .env
    networks:
      - proxy

volumes:
  database:
    driver: local
  geoip:
    driver: local

networks:
  proxy:
    driver: bridge
    external: true

Remember, once the system is up and running you need to access a specific link to set up the default 'akadmin' account.

To start the initial setup, navigate to https://<your server>/if/flow/initial-setup/. There you will be prompted to set a password for the akadmin user.

If you plan on using Traefik, you need these labels in your Traefik Docker compose file:

    labels:
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`traefik.domain.com`)
      traefik.http.routers.api.entryPoints: https
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.middlewares: auth@file

Adding Authentication to Containers

If using Traefik and Authentik, you need to tell each container to route via authentik.

traefik.http.routers.<appname>.middlewares: auth@file

Traefik Config

Before protecting your sites/applications with Authentik using its Forward Auth protection (Similar to how Authelia works) there are changes to your Traefik dynamic config file (fileConfig.yml) which are needed.

The below snippet should be added under the middlewares section.

http:
  middlewares:
    authentik:
      forwardauth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

Authentik Container Labels

In addition to the standard container labels that are used to set up a container with Traefik there is one additional label that is needed to support Forward Auth.

Label:

traefik.http.routers.authentik.rule

Value:

Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Replace auth.yourdomain.TLD with the subdomain/domain you wish to use with Authentik and HostRegexp({subdomain:[a-z0-9]+}.yourdomain.TLD with only your domain

This rule does 2 things:

1. Sets the standard subdomain where you will be able to access your Authentik login page

2. Creates a regex host rule which will redirect any subdomain URL which ends with /outpost.goauthentik.io/to Authenik auth page. This is key or forward auth will not function as expected.

Here's what the full list of labels on your Authentik server container will look like:

    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.ibrahome.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Authentik Config

Head into your Authentik GUI which should be accessible at authentik.yourdomain.tld or whatever subdomain you configured in the previous steps

1. In the top-right corner, select Admin Interface

2. Once in the admin interface, Select Applications --> Applications from the menu on the right

3. Create a new Application by selecting Create at the top of the page

4. On the Create Application window which opens enter in the Application Name (This will be used as the display name on the Authentik User Interface) and Slug (this is used when referencing the application within some Authentik flow authentication flows/other configs. It will not be used for forward auth)

Select Create Provider to create a new provider and select Proxy Provider on the page which opens

Hit next and select Forward Auth (Single Application) then fill in the New Provider page with the information for the application you are looking to protect.

There are 2 different Authorization flows that can be selected for a provider Explicit or Implicit.

• Explicit will ask the user after logging in if they want to continue to the application

• Implicit will automatically redirect the user to the application after authenticating with Authentik

On this page, you can set up bypass rules as well by using the Unauthenticated Paths section. This can be used to bypass forward authentication for Mobile apps which may not support it

Refer to the Authelia bypass rules for some examples. The syntax may differ slightly between the two applications. Here's a list of the most common ones:

^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*

Once you are happy with the provider configuration, hit create. This should bring you back to the Create Application screen, select the newly created provider from the Provider dropdown.

Optionally, add in the Launch URL. This tells authentik where to navigate when selecting the application from the user interface. if not set it will use the URL specified in the Provider.

Create the application and then navigate to the Outposts page under the Application menu

On the Outpost page, Edit the authentik Embedded Outpost. and select the application you just configured from the list (note, when setting up additional applications with forward auth you will need to select all the applications you are protecting this this list

Additionally edit the authentik_host: line and replace the URL with the subdomain.yourdomain.tld you use to access authentik externally

Click Update and the forward authentications setup for the Application is complete. You can now open a private/incognito browser and test the setup to ensure it is working correctly.

We believe in community spirit. As such, the guide for Authentik + NPM has already been written by one of our community members on Reddit, /u/itsmevins. They have kindly given us permission to use it. Instead of rewriting it, here's the direct link to support the author:

We believe in community spirit. As such, the guide for Authentik + NPM has already been written by one of our community members on Reddit, /u/itsmevins. They have kindly given us permission to use it. Instead of rewriting it, here's the direct link to support the author:

If you plan on using Traefik, you need these labels in your Traefik Docker compose file:

    labels:
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`traefik.domain.com`)
      traefik.http.routers.api.entryPoints: https
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.middlewares: auth@file

Adding Authentication to Containers

If using Traefik and Authentik, you need to tell each container to route via authentik.

traefik.http.routers.<appname>.middlewares: auth@file

After getting Authentik installed and set up in traefik or npm at a fqdn of https://auth.whatever.com (or whatever flavor you choose) you can follow these steps. These steps will be only for NPM as i have not used traefik but its a relatively simple set up which should be able to point folks in the right direction regarding traefik.

Step 1 assumption is that you have NPM set up and can happily reach authentik externally

Step 2 - in Authentik - Create your APP (in this example we're going to use PROWLARR at a domain of prowlarr.domain.com

In the create app entry - fill the fields out for your respective app - (in this case PROWLARR) - then click CREATE PROVIDER

In the Create provider screen - ensure that you choose PROXY - this is the major difference between the original video and this process. External host will obviously be prowlarr.domain.com and internal will be your local network IP. I generally choose implicit for the Auth Flow because there are less clicks.

Then hit FINISH

This will take you back to your new Application page - ensure that you choose the provider that you just created in the provider drop down.

Next you'll go to outposts

Choose the embedded outpost and then CTRL/CMD click you new app so that it is highlighted - if this is your first time setting up the outpost - then make sure that you update the authentik_host config to point to your auth.domain.com

now we are done in authentik - next steps are in NPM (traefik instructions possibly coming down the line)

In NPM create a new virtual host and fill it out thusly

Ensure you select HTTPS - point the IP at your authentik host - choose the port you set up when you installed authentik. cache and block common are optional but i believe websockets are required

Next click the SSL tab and 'do the needful'

and boom - provided you have set up your DNS - go to NPM - click you virt host (do it in a incognito window or log out of authentik first) and prowlarr.domain.com will redirect you to authentik which will force you to auth, and then direct you to prowlarr

Traefik Config

Before protecting your sites/applications with Authentik using its Forward Auth protection (Similar to how Authelia works) there are changes to your Traefik dynamic config file (fileConfig.yml) which are needed.

The below snippet should be added under the middlewares section.

http:
  middlewares:
    authentik:
      forwardauth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

Authentik Container Labels

In addition to the standard container labels that are used to set up a container with Traefik, there is one additional label that is needed to support Forward Auth.

Label:

traefik.http.routers.authentik.rule

Value:

Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Replace auth.yourdomain.TLD with the subdomain/domain you wish to use with Authentik and HostRegexp({subdomain:[a-z0-9]+}.yourdomain.TLD with only your domain

This rule does 2 things:

1. Sets the standard subdomain where you will be able to access your Authentik login page

2. Creates a regex host rule which will redirect any subdomain URL which ends with /outpost.goauthentik.io/to Authenik auth page. This is key or forward auth will not function as expected.

Here's what the full list of labels on your Authentik server container will look like:

    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.ibrahome.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Authentik Config

Head into your Authentik GUI which should be accessible at authentik.yourdomain.tld or whatever subdomain you configured in the previous steps

1. In the top-right corner, select Admin Interface

2. Once in the admin interface, Select Applications --> Applications from the menu on the right

3. Create a new Application by selecting Create at the top of the page

4. On the Create Application window which opens enter in the Application Name (This will be used as the display name on the Authentik User Interface) and Slug (this is used when referencing the application within some Authentik flow authentication flows/other configs. It will not be used for forward auth)

Select Create Provider to create a new provider and select Proxy Provider on the page which opens

Hit next and select Forward Auth (Single Application) then fill in the New Provider page with the information for the application you are looking to protect.

There are 2 different Authorization flows that can be selected for a provider Explicit or Implicit.

• Explicit will ask the user after logging in if they want to continue to the application

• Implicit will automatically redirect the user to the application after authenticating with Authentik

On this page, you can set up bypass rules as well by using the Unauthenticated Paths section. This can be used to bypass forward authentication for Mobile apps which may not support it

Refer to the Authelia bypass rules for some examples. The syntax may differ slightly between the two applications. Here's a list of the most common ones:

^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*

Once you are happy with the provider configuration, hit create. This should bring you back to the Create Application screen, select the newly created provider from the Provider dropdown.

Optionally, add in the Launch URL. This tells authentik where to navigate when selecting the application from the user interface. if not set it will use the URL specified in the Provider.

Create the application and then navigate to the Outposts page under the Application menu

On the Outpost page, Edit the authentik Embedded Outpost. and select the application you just configured from the list (note, when setting up additional applications with forward auth you will need to select all the applications you are protecting this this list

Additionally edit the authentik_host: line and replace the URL with the subdomain.yourdomain.tld you use to access authentik externally

Click Update and the forward authentications setup for the Application is complete. You can now open a private/incognito browser and test the setup to ensure it is working correctly.

This config is placed on the proxy you want to protect. In NPM, select a Host > Edit > Advanced and paste the below.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          http://authentik-server/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.ibrahome.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

The video above will show you the initial installation and setup.

The containers you need are the following:

Remember, once the system is up and running you need to access a specific link to set up the default 'akadmin' account.

To start the initial setup, navigate to https://<your server>/if/flow/initial-setup/. There you will be prompted to set a password for the akadmin user.

This config is placed on the proxy you want to protect. In NPM, select a Host > Edit > Advanced and paste the below.

Note

This guide has been split into two sections - Docker Compose & Unraid.

If you are using Docker Compose, go here:

If you are using Unraid, go here:

Special Thanks

• Authentik developer for their input and guidance.

• Our Discord community and our Admins DiscDuck and Hawksy for their input and documentation.

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!