Hey everybody,
1. The problem I’m having:
I'm trying to set up authentik with forward auth according to the authentik manual. But unfortunately I am redirected to the local HTTPS URL of my authentik server.
2. Error messages and/or full log output:
curl -vL myurl
<removed DNS stuff>
* Connection #0 to host <<myurl>> left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: '<<myurl>>'
* Host <<myurl>>:443 was resolved.
* IPv6: 2606:4700:3037::6815:484f, 2606:4700:3030::ac43:b188
* IPv4: 104.21.72.79, 172.67.177.136
* Trying [2606:4700:3037::6815:484f]:443...
* Connected to <<myurl>>(2606:4700:3037::6815:484f) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: <<myurl>>
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 302 Found
< Date: Wed, 11 Dec 2024 09:36:09 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< alt-svc: h3=":443"; ma=86400
< location: https://10.0.0.120:9444/application/o/authorize/?client_id=S41I9BDkE3liCCKoqd10m9tpZMnLsUQeASPqOVLs&redirect_uri=https%3A%2F%2F<<myurl>>%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+groups+profile+openid&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L1M0MUk5QkRrRTNsaUNDS29xZDEwbTl0cFpNbkxzVVFlQVNQcU9WTHMiLCJzaWQiOiIzVU9MM1E3TlhON1FMVVhOVEdRUDJDQ1FTWExSRVJNWlYyNDJTSUhaVTQyV0lKQlZZN1dRIiwic3RhdGUiOiJPTHJhZ0JYb1gyWDl4V21yQklpRndHdjhyLWFPQTVUY242dm9BYmlIUjJJIiwicmVkaXJlY3QiOiJodHRwczovL2dweC5mYW0td3Vlc3QuZGUvIn0.Pl3jZfACdtgEtQ2QO8anjgOiPw7b1wj9g6__UHuLGcI
< Set-Cookie: authentik_proxy_S41I9BDk=3UOL3Q7NXN7QLUXNTGQP2CCQSXLRERMZV242SIHZU42WIJBVY7WQ; Path=/; Expires=Thu, 12 Dec 2024 09:36:10 GMT; Max-Age=86401; HttpOnly; Secure; SameSite=Lax
< vary: Accept-Encoding
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxnTSREt%2BwbiXNCNQ4Yk1aGEkvmiAGuWFuO5TJtovVuI7nUU0eNUgwidnZ6934POgVw8uSnjpqqUYFlBfHwGoPqzReRPvFczF%2FRXre5K%2BKuV2zTFsViwtle9kc2GJludGhuZhDPf75fL%2BTVgbINX"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 8f047d1948760404-FRA
< server-timing: cfL4;desc="?proto=TCP&rtt=12517&min_rtt=12433&rtt_var=4831&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3131&recv_bytes=478&delivery_rate=289746&cwnd=252&unsent_bytes=0&cid=0264eb2226bb7044&ts=79&x=0"
* Ignoring the response-body
<
* Connection #1 to host <<myurl>> left intact
* Clear auth, redirects to port from 443 to 9444
* Issue another request to this URL: 'https://10.0.0.120:9444/application/o/authorize/?client_id=S41I9BDkE3liCCKoqd10m9tpZMnLsUQeASPqOVLs&redirect_uri=https%3A%2F%2F<<myurl>>%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+groups+profile+openid&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L1M0MUk5QkRrRTNsaUNDS29xZDEwbTl0cFpNbkxzVVFlQVNQcU9WTHMiLCJzaWQiOiIzVU9MM1E3TlhON1FMVVhOVEdRUDJDQ1FTWExSRVJNWlYyNDJTSUhaVTQyV0lKQlZZN1dRIiwic3RhdGUiOiJPTHJhZ0JYb1gyWDl4V21yQklpRndHdjhyLWFPQTVUY242dm9BYmlIUjJJIiwicmVkaXJlY3QiOiJodHRwczovL2dweC5mYW0td3Vlc3QuZGUvIn0.Pl3jZfACdtgEtQ2QO8anjgOiPw7b1wj9g6__UHuLGcI'
* Trying 10.0.0.120:9444...
3. Caddy version:
I'm currently running version 2.8.4
4. How I installed and ran Caddy:
Caddy is installed with apt on Ubuntu 22.04, while authentik is running in a container.
d. My complete Caddy config:
(authenticate) {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:9000

    # forward authentication to outpost
    forward_auth http://127.0.0.1:9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta>

        # optional, in this config trust all private ranges, should probably be set to the outpost's IP
        trusted_proxies private_ranges
    }
}

<<myurl>> {
    import authenticate
    reverse_proxy 127.0.0.1:8098
}

<<authurl>> {
    reverse_proxy 127.0.0.1:9000
}
All URLs are using Cloudflare proxied DNS
5. Links to relevant resources:
For the authentik setup I used this tutorial https://www.youtube.com/watch?v=ywQVe9ikcVI&t=104s
Thanks in advance!
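The curl trace above shows the one header that matters for this symptom: the outpost's 302 `location`. The script below is an added example, not code from the original post, from authentik or from Caddy. It takes such a Location header and reports where the browser is about to be sent: the authorize host (and whether it is a private address no external browser can reach), the `redirect_uri` it must come back to, and the `iss` and `redirect` claims inside the `state` JWT. The hostnames `app.example.test` and `auth.example.test` stand in for `<<myurl>>` and `<<authurl>>`; the state token is constructed with a dummy signature, because only the outpost holds the key that signs it, so the payload is decoded without verification.

```python
"""Inspect the OAuth2 authorize redirect an authentik proxy outpost returns.

Added example (not from the forum post, authentik or Caddy). Decodes the
302 Location header and flags an authorize endpoint that external browsers
cannot reach. The state JWT is a constructed sample; its payload is read
without signature verification since the outpost's signing key is not known.
"""
import base64
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without checking its signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def _is_private_host(host: str) -> bool:
    """True for RFC 1918 / loopback / link-local IPs and for 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(".local")


def inspect_authorize_redirect(location: str, app_host: str, expected_auth_host: str) -> dict:
    """Parse the 302 Location an outpost sends an unauthenticated client to.

    app_host:           public host of the protected application (<<myurl>>)
    expected_auth_host: public host[:port] the browser should reach authentik on
    """
    url = urlsplit(location)
    qs = parse_qs(url.query)
    auth_host = url.netloc                      # host[:port] the browser is sent to
    redirect_uri = urlsplit(qs["redirect_uri"][0])
    state = decode_jwt_payload(qs["state"][0])

    findings = []
    if auth_host != expected_auth_host:
        findings.append(f"authorize endpoint is {auth_host}, expected {expected_auth_host}")
    if _is_private_host(url.hostname or ""):
        findings.append(f"{url.hostname} is a private address; a browser outside the LAN cannot reach it")
    if url.scheme != "https":
        findings.append("authorize endpoint is not https")
    if redirect_uri.netloc != app_host or redirect_uri.path != "/outpost.goauthentik.io/callback":
        findings.append(f"redirect_uri {redirect_uri.geturl()} does not return to the outpost callback on {app_host}")
    if urlsplit(state.get("redirect", "")).netloc != app_host:
        findings.append("state.redirect does not point at the application host")

    return {
        "authorize_host": auth_host,
        "client_id": qs.get("client_id", [None])[0],
        "scopes": qs.get("scope", [""])[0].split(),
        "redirect_uri_host": redirect_uri.netloc,
        "state_issuer": state.get("iss"),
        "state_redirect": state.get("redirect"),
        "findings": findings,
    }


def _make_unsigned_state(claims: dict) -> str:
    # Constructed sample token with a dummy signature segment (see module docstring).
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


APP_HOST = "app.example.test"    # placeholder for <<myurl>>
AUTH_HOST = "auth.example.test"  # placeholder for <<authurl>>

SAMPLE_STATE = _make_unsigned_state({
    "iss": "goauthentik.io/outpost/EXAMPLECLIENTID",
    "sid": "EXAMPLESESSION",
    "state": "EXAMPLESTATE",
    "redirect": f"https://{APP_HOST}/",
})

# Constructed Location header with the same shape as the one in the post:
# the authorize URL points at the authentik server's internal address.
SAMPLE_LOCATION = (
    "https://10.0.0.120:9444/application/o/authorize/"
    "?client_id=EXAMPLECLIENTID"
    f"&redirect_uri=https%3A%2F%2F{APP_HOST}%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue"
    "&response_type=code&scope=email+ak_proxy+groups+profile+openid"
    f"&state={SAMPLE_STATE}"
)

if __name__ == "__main__":
    print(json.dumps(inspect_authorize_redirect(SAMPLE_LOCATION, APP_HOST, AUTH_HOST), indent=2))
```

Run it against the `location:` value from your own `curl -vL` output (with the real hostnames in place of the placeholders). If the authorize host comes back as a private address, the browser never reaches the login page; the Caddyfile does not produce that URL, the outpost builds it from the authentik host it is configured to send browsers to, so that is the setting to compare against `<<authurl>>`.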