You must confirm that all subdomains and domains are correct, i.e. that auth.domain.com is the FQDN of your Authentik UI.
If this is a fresh authentik install, run the following commands (in the directory of your compose file) to generate a password:
This will create the .env file and fill it with some passwords. In addition, you can add many other variables to the .env file. See here: https://goauthentik.io/docs/installation/docker-compose
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, set the following variables in .env:
After running the commands at the top of this page, additional lines will be added to your .env for secret keys and passwords.
Below is our tweaked version of the official Docker Compose template provided by Authentik. We made several changes, including giving a standardized name to all containers.
If you wish to use the default, you can find it here: https://goauthentik.io/docs/installation/docker-compose
Warning: using a compose file other than the one in this guide means we cannot guarantee a successful deployment for you.
Remember, once the system is up and running you need to visit a specific link to set up the default 'akadmin' account.
To start the initial setup, navigate to https://<your server>/if/flow/initial-setup/. There you will be prompted to set a password for the akadmin user.
This guide will take you through setting up Forward Auth on Docker Compose for a single application using Authentik and Traefik.
Before protecting your sites/applications with Authentik's Forward Auth (similar to how Authelia works), some changes to your Traefik dynamic config file (fileConfig.yml) are needed.
The below snippet should be added under the middlewares section.
PLEASE NOTE
If you already have the http and middlewares sections in your dynamic config, you only need to add the authentik portion.
In addition to the standard container labels used to set up a container with Traefik, there is one additional label needed to support Forward Auth.
NOTE
This label is placed in your compose file for Authentik, under the Authentik Server service only.
Label:
Value:
Replace auth.yourdomain.TLD with the subdomain/domain you wish to use for Authentik, and in HostRegexp({subdomain:[a-z0-9]+}.yourdomain.TLD) replace only your domain.
DO NOT PUT YOUR SUBDOMAIN IN PLACE OF {subdomain:[a-z0-9]+}.
This rule does 2 things:
Sets the standard subdomain where you will be able to access your Authentik login page.
Creates a regex host rule which sends any subdomain URL ending with /outpost.goauthentik.io/ to the Authentik auth page. This is key, or forward auth will not function as expected.
Here's what the full list of labels on your Authentik server container will look like:
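The label set described above, as an added example in Traefik v2 rule syntax (not the page's own label list): it assumes the authentik server service is named authentik-server, the entrypoint is websecure, the certificate resolver is letsencrypt and the domain is yourdomain.tld.

```yaml
# Added example, not the guide's original labels. Traefik v2 labels on the
# authentik *server* container only (the worker container gets none).
# Assumed names: service "authentik-server", entrypoint "websecure",
# cert resolver "letsencrypt", domain "yourdomain.tld", UI subdomain "auth".
services:
  authentik-server:
    # image, command, environment and volumes as in the compose template
    labels:
      - "traefik.enable=true"
      # Two rules in one router:
      #  1. Host(...)       -> the login UI on its own subdomain
      #  2. HostRegexp(...) -> /outpost.goauthentik.io/ on ANY subdomain, so the
      #     embedded outpost can complete the forward-auth redirect on each
      #     protected app's own hostname.
      # Keep {subdomain:[a-z0-9]+} literally; only swap in your domain.
      - "traefik.http.routers.authentik.rule=Host(`auth.yourdomain.tld`) || HostRegexp(`{subdomain:[a-z0-9]+}.yourdomain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      # The resolver issues a cert for auth.yourdomain.tld; the regexp hosts
      # reuse the cert already issued for each app's own Host() router.
      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
      # authentik speaks plain HTTP on 9000 inside the Docker network;
      # Traefik terminates TLS in front of it.
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
```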
Head into your Authentik GUI, which should be accessible at authentik.yourdomain.tld or whatever subdomain you configured in the previous steps.
In the top-right corner, select Admin Interface.
Once in the admin interface, select Applications --> Applications from the menu on the right.
Create a new Application by selecting Create at the top of the page.
On the Create Application window which opens, enter the Application Name (used as the display name in the Authentik user interface) and Slug (used when referencing the application in some Authentik authentication flows and other configs; it is not used for forward auth).
Select Create Provider to create a new provider, and select Proxy Provider on the page which opens.
Hit Next, select Forward Auth (Single Application), then fill in the New Provider page with the information for the application you want to protect.
There are 2 different authorization flows that can be selected for a provider: Explicit or Implicit.
Explicit will ask the user, after logging in, whether they want to continue to the application.
Implicit will automatically redirect the user to the application after authenticating with Authentik.
On this page you can also set up bypass rules using the Unauthenticated Paths section. This can be used to bypass forward authentication for mobile apps which may not support it.
Refer to the Authelia bypass rules for some examples; the syntax may differ slightly between the two applications. Here's a list of the most common ones:
Use at your own discretion. Leaving these paths unauthenticated may help API-related queries pass through (such as Radarr, Sonarr, etc.); however, you may not need all of the below.
Once you are happy with the provider configuration, hit Create. This should bring you back to the Create Application screen; select the newly created provider from the Provider dropdown.
Optionally, add the Launch URL. This tells authentik where to navigate when the application is selected from the user interface; if not set, it will use the URL specified in the Provider.
Create the application, then navigate to the Outposts page under the Applications menu.
On the Outposts page, edit the authentik Embedded Outpost and select the application you just configured from the list (note: when setting up additional applications with forward auth, you will need to select all the applications you are protecting in this list).
Additionally, edit the authentik_host: line and replace the URL with the subdomain.yourdomain.tld you use to access authentik externally.
Click Update, and the forward authentication setup for the application is complete. You can now open a private/incognito browser window and test the setup to ensure it is working correctly.
Here's an example of what your Traefik dynamic file should look like:
Confirm that the name of your Authentik container or IP is correct!
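The dynamic file just mentioned, which is also the middlewares-section snippet the Forward Auth section above asks you to add, as an added example written from Traefik v2's forwardAuth options (not the guide's original file). It assumes the authentik server container is reachable from Traefik as authentik-server on port 9000 and that the middleware is named authentik; adapt both names to your own setup.

```yaml
# Added example, not the guide's original fileConfig.yml.
# Assumptions: authentik server container "authentik-server" on HTTP port
# 9000, middleware named "authentik" (routers reference it as authentik@file).
# If http: and middlewares: already exist in your file, add only the
# "authentik:" block beneath them.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Every request on a router that lists this middleware is first sent
        # to the embedded outpost, which answers 200 (allow) or 302 (redirect
        # to the login flow on the app's own host under /outpost.goauthentik.io/).
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        # Keep the client's X-Forwarded-* headers on the auth request so the
        # outpost sees the originally requested host and scheme. Traefik's
        # entrypoints already strip X-Forwarded-* from untrusted clients, so
        # this is safe when Traefik is the edge proxy.
        trustForwardHeader: true
        # Identity headers the outpost sets on a 200 are copied onto the
        # request forwarded to the application; anything not listed is dropped.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```

Only routers that explicitly reference authentik@file are protected; a router without the middleware is reachable without login, so check each app's labels rather than assuming the file protects everything.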
This config is placed on the proxy host you want to protect. In NPM, select a Host > Edit > Advanced and paste the below.
You must update the URL for proxy_pass to either your local address/container name or the FQDN of your Authentik setup.
If you plan on using Traefik, you need these labels in your Traefik Docker compose file:
If using Traefik and Authentik, you need to tell each container to route via authentik.
Replace <appname> with the name of the app you are applying the label to.
Replace the 'auth' in auth@file with the name of the middleware you gave to Authentik in Traefik config files.
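The per-application labels described above, as an added example (not the guide's original labels): it assumes <appname> is whoami (using the traefik/whoami test image), the entrypoint is websecure, the resolver is letsencrypt, and the Traefik middleware for Authentik is named authentik, so the reference is authentik@file rather than the guide's auth@file.

```yaml
# Added example, not the guide's original labels. A protected application
# routed through Traefik with the authentik forwardAuth middleware.
# Assumptions: <appname> = "whoami", entrypoint "websecure", cert resolver
# "letsencrypt", middleware named "authentik" in fileConfig.yml.
services:
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.tld`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      # The one forward-auth-specific label: every request on this router
      # must pass the middleware defined by the file provider (hence @file).
      # Omit it and the app is served with no login at all.
      - "traefik.http.routers.whoami.middlewares=authentik@file"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      # whoami.yourdomain.tld/outpost.goauthentik.io/... still reaches the
      # authentik router: Traefik v2 ranks routers by rule length by default
      # and the authentik rule is longer, so no explicit priority is needed.
```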
We believe in community spirit. As such, the guide for Authentik + NPM has already been written by one of our community members on Reddit, /u/itsmevins. They have kindly given us permission to use it. Instead of rewriting it, here's the direct link to support the author: