configuration for nginx proxy manager makes host offline #11453

Closed
leon1995 opened this issue Sep 20, 2024 · 16 comments
Labels
bug Something isn't working

Comments

@leon1995

Describe the bug
After I pasted the nginx (proxy manager) configuration into nginx proxy manager, the status went offline.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Providers
  2. Click on your provider
  3. Scroll down to setup
  4. Copy the configuration and paste it into nginx proxy manager
  5. Change proxy_pass http://authentik.company:9000/outpost.goauthentik.io; to match your authentik installation, e.g. https://sso.mydomain.tld/outpost.goauthentik.io
  6. After saving the configuration, the status of the proxy host has gone offline

Expected behavior
That the proxy host stays online and I can protect it with authentik's SSO.

Version and Deployment (please complete the following information):

  • authentik version: 2024.8.1
  • Deployment: docker compose

Additional context
This is the (unedited) config that makes the proxy host go offline:

# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    # Support for websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    # auth_request_set $authentik_auth $upstream_http_authorization;
    # proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              http://authentik.company:9000/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

@leon1995 leon1995 added the bug Something isn't working label Sep 20, 2024
@tjhorner

I ran into this as well, and I think it's an issue on NPM's side since any custom location seems to break it. Related issues:

@tjhorner

Also it seems this issue is a duplicate of #10010

@CrazyWolf13

Hi

I had a lot of trouble with that as well, eventually I found this config, which seems to work for me.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # #########################################
    # CUSTOM - START Websocket behind authenticated proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # END Websockets FIX
    # #########################################

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # ################################
    #  CHANGE IP TO AUTHENTIK IP here.
    proxy_pass          http://10.10.20.213:9000/outpost.goauthentik.io;
    # ################################
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
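
The two snippets in this thread differ in exactly the lines that nginx itself refuses before authentik is ever involved: the `map` block (nginx accepts `map` only directly inside http{}, and the custom configuration of an NPM proxy host is spliced into a server{} block, an assumption stated in the code), and the `$connection_upgrade_keepalive` variable that only that map defines. A config that fails nginx's test is what NPM reports as an offline host. The following is an added example by the editor, not code from the issue, authentik or nginx proxy manager: a small context checker that walks an nginx fragment the way it would be pasted and reports both problems. Shortened versions of the two snippets above are embedded as constructed input.

```python
"""Context checker for nginx snippets pasted into an NPM proxy host.

Added example, not code from the issue, authentik or nginx proxy manager (NPM).
It tokenizes an nginx config fragment, tracks which block each directive
lands in, and reports the two things that make nginx reject the generated
config (NPM then shows the host as offline): a `map` block outside http{}
and `$variables` that nothing defines. Assumed: NPM splices the custom
configuration into the server{} block.
"""
import re
from dataclasses import dataclass, field

# Directives nginx accepts only directly inside http{}.
HTTP_ONLY = {"map", "geo", "split_clients", "upstream"}

# Variables available without a declaration in the snippet: a few of nginx's own
# plus the three NPM sets in its proxy-host template ($forward_scheme, $server, $port).
BUILTIN = {"host", "http_host", "scheme", "request_uri", "forward_scheme", "server", "port"}

TOKEN = re.compile(r"""\#[^\n]*             # comment to end of line
                     | "(?:[^"\\]|\\.)*"    # double-quoted string
                     | '(?:[^'\\]|\\.)*'    # single-quoted string
                     | [{};]                # block and statement delimiters
                     | [^\s{};"']+          # bare word (may contain $variables)
                     """, re.VERBOSE)


def is_defined(var: str, defined: set) -> bool:
    # $http_* and $upstream_http_* are generated by nginx from header names.
    return var in defined or var.startswith(("http_", "upstream_http_"))


@dataclass
class Finding:
    line: int
    message: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_snippet(text: str, context=("http", "server")) -> Report:
    """Check `text` as if pasted inside the innermost block named in `context`."""
    report, stack, defined = Report(), list(context), set(BUILTIN)
    used = []   # (line, var); resolved at the end, as nginx resolves variables after parsing
    args = []   # tokens of the directive currently being read
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        line = text.count("\n", 0, m.start()) + 1
        if tok.startswith("#"):
            continue
        if tok == "{":
            name = args[0] if args else "?"
            if name in HTTP_ONLY and stack[-1] != "http":
                report.findings.append(Finding(line, f'"{name}" directive is not allowed here ({stack[-1]} context)'))
            if name == "map" and len(args) >= 3:      # map $source $target { ... } declares $target
                defined.add(args[2].lstrip("$"))
            stack.append(name)
            args = []
        elif tok == "}":
            stack.pop()
            args = []
        elif tok == ";":
            if len(args) >= 2 and args[0] in ("set", "auth_request_set"):
                defined.add(args[1].lstrip("$"))
            for a in args[1:]:
                used.extend((line, v) for v in re.findall(r"\$(\w+)", a))
            args = []
        else:
            args.append(tok)
    report.findings.extend(Finding(ln, f'unknown "{v}" variable') for ln, v in used if not is_defined(v, defined))
    return report


# Constructed, shortened versions of the two snippets in this thread: the one from
# the issue (map block + $connection_upgrade_keepalive) and the one that works.
ORIGINAL = """
# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}
port_in_redirect off;
location / {
    proxy_pass          $forward_scheme://$server:$port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;
}
"""
DANGLING = ORIGINAL.split("}\n", 1)[1]   # map block deleted, its variable still referenced
WORKING = DANGLING.replace("$connection_upgrade_keepalive", '"upgrade"')

if __name__ == "__main__":
    for label, snippet in (("issue", ORIGINAL), ("map removed only", DANGLING), ("working", WORKING)):
        rep = check_snippet(snippet)
        print(f"{label}: {'ok' if rep.ok else 'rejected'}")
        for f in rep.findings:
            print(f"  line {f.line}: {f.message}")
```

The checker deliberately resolves variables after the whole fragment has been read, because nginx does the same: `auth_request_set $auth_cookie` may appear after the `add_header` that uses it. It knows nothing about `include` or about which directives are legal in location{} versus server{}, so a clean report means "nothing obvious"; `nginx -t` against the generated file remains the authoritative check.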

@Seekinsj

@CrazyWolf13 That fixed it for me; can you tell me what you did to fix the issue?

I copied and pasted that into my custom Nginx configuration, and of course I changed the proxy_pass to match my authentik instance.

But I would like to know what actually changed so I have a better idea of what I am doing.

Thank you

@CrazyWolf13

@Seekinsj Awesome!

To be honest, I don't know. I had the same issue, started digging and found a random blog from some homelabber writing on this exact issue and posting that code; I copied it and it worked for me too.

@CrazyWolf13

https://www.diffchecker.com/9ouR3ucD/

Maybe this helps :)

@leon1995
Author

leon1995 commented Sep 26, 2024

@CrazyWolf13 This did not fix it for me. What version are you using?
EDIT: My host is still shown as offline.

@CrazyWolf13

@leon1995 Are you sure you changed the IP in my snippet to the correct IP of authentik?

And when removing all custom code, does the host show online?

Are you running the latest nginxproxymanager?

@leon1995
Author

What do you mean by custom code? When I don't add the authentik proxy stuff, the host is online.
I just changed the IP to my authentik IP. I also tried to use my authentik domain sso.mydomain.tld.
I am running npmplus.

@leon1995
Author

leon1995 commented Sep 30, 2024


When using the normal npm, the host does not go offline. I changed the line
proxy_pass http://10.10.20.213:9000/outpost.goauthentik.io;
to
proxy_pass https://authentikurl/outpost.goauthentik.io;
but I get a 500 error and the following logs in npm:

2024/09/30 10:53:13 [crit] 459#459: *721 SSL_do_handshake() failed (SSL: error:0A000458:SSL routines::tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", subrequest: "/outpost.goauthentik.io/auth/nginx", upstream: "https://redacted_ip_of_npm:443/outpost.goauthentik.io/auth/nginx", host: "redacted_server_domain"
2024/09/30 10:53:13 [error] 459#459: *721 auth request unexpected status: 502 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", host: "redacted_server_domain"
2024/09/30 10:56:14 [crit] 484#484: *800 SSL_do_handshake() failed (SSL: error:0A000458:SSL routines::tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", subrequest: "/outpost.goauthentik.io/auth/nginx", upstream: "https://redacted_ip_of_npm:443/outpost.goauthentik.io/auth/nginx", host: "redacted_server_domain"
2024/09/30 10:56:14 [error] 484#484: *800 auth request unexpected status: 502 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", host: "redacted_server_domain"
2024/09/30 10:56:14 [crit] 484#484: *800 SSL_do_handshake() failed (SSL: error:0A000458:SSL routines::tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: redacted_client_ip, server: redacted_server_domain, request: "GET /favicon.ico HTTP/2.0", subrequest: "/outpost.goauthentik.io/auth/nginx", upstream: "https://redacted_ip_of_npm:443/outpost.goauthentik.io/auth/nginx", host: "redacted_server_domain", referrer: "https://redacted_server_domain/"
2024/09/30 10:56:14 [error] 484#484: *800 auth request unexpected status: 502 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET /favicon.ico HTTP/2.0", host: "redacted_server_domain", referrer: "https://redacted_server_domain/"

When I use https://authentikip:9000 instead of https://authentikurl, I get the following error:

2024/09/30 11:06:43 [error] 509#509: *1049 auth request unexpected status: 404 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", host: "redacted_server_domain"

@CrazyWolf13

Seems like a problem with SSL certs; are you using self-signed?

@leon1995
Author

Let's Encrypt, yes.

@leon1995
Author

leon1995 commented Oct 3, 2024

Anyone have an idea? :/

@leon1995
Author

leon1995 commented Oct 8, 2024

I tried adding

location /outpost.goauthentik.io {
    proxy_ssl_server_name on;   <----

but another issue comes up:

2024/10/08 13:47:27 [error] 1800#1800: *157600 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.18.0.1, server: mydomain.tld, request: "GET /outpost.goauthentik.io/auth/nginx HTTP/1.1", upstream: "https://<ip-of-reverse-proxy>:443/outpost.goauthentik.io/auth/nginx", host: "mydomain.tld"
2024/10/08 13:47:27 [error] 1800#1800: *156812 auth request unexpected status: 502 while sending to client, client: 10.10.20.2, server: mydomain.tld, request: "GET / HTTP/2.0", host: "mydomain.tld"
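
Read together, the Sep 30 and Oct 8 log lines above tell one story. The auth subrequest is proxied over HTTPS to port 443 of the reverse proxy itself (the `upstream:` field), that listener answers with TLS alert 112, unrecognized_name, because nginx sends no SNI to an HTTPS upstream unless `proxy_ssl_server_name on` is set (and `proxy_ssl_name` chooses the name), the subrequest therefore fails with 502, and the auth_request module, which only gives meaning to 2xx (allow) and 401/403 (deny), turns any other status into the 500 the client sees; the 404 case is the same rule with a different subrequest status. The following is an added example by the editor, not code from the issue, authentik or NPM: it parses those lines, decodes the alert number, explains the `auth request unexpected status` entries, and pairs each one with the upstream failure logged on the same connection id. The log lines are copied from the comments above with the poster's redactions left in place; nginx's default error_log layout is assumed.

```python
"""Decode the nginx error-log lines posted in this thread.

Added example by the editor, not code from the issue, authentik or NPM. It
splits nginx error_log lines into their fields, names the TLS alert behind an
"SSL alert number N" message, explains "auth request unexpected status" with
the auth_request module's rule (a 2xx subrequest allows, 401/403 deny, any
other status is an error and the client gets a 500), and pairs each such
error with the upstream failure logged for the same connection id.
Assumed: nginx's default error_log line layout.
"""
import re
from dataclasses import dataclass

# Copied from the comments above; the poster had already redacted addresses.
SAMPLE_LOG = """\
2024/09/30 10:53:13 [crit] 459#459: *721 SSL_do_handshake() failed (SSL: error:0A000458:SSL routines::tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", subrequest: "/outpost.goauthentik.io/auth/nginx", upstream: "https://redacted_ip_of_npm:443/outpost.goauthentik.io/auth/nginx", host: "redacted_server_domain"
2024/09/30 10:53:13 [error] 459#459: *721 auth request unexpected status: 502 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", host: "redacted_server_domain"
2024/09/30 11:06:43 [error] 509#509: *1049 auth request unexpected status: 404 while sending to client, client: redacted_client_ip, server: redacted_server_domain, request: "GET / HTTP/2.0", host: "redacted_server_domain"
2024/10/08 13:47:27 [error] 1800#1800: *157600 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.18.0.1, server: mydomain.tld, request: "GET /outpost.goauthentik.io/auth/nginx HTTP/1.1", upstream: "https://<ip-of-reverse-proxy>:443/outpost.goauthentik.io/auth/nginx", host: "mydomain.tld"
"""

HEADER = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) (?P<body>.*)$")
FIELD = re.compile(r'(\w+): (?:"([^"]*)"|([^,]+))')

# TLS AlertDescription values nginx commonly surfaces as "SSL alert number N".
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}


@dataclass
class Entry:
    ts: str
    level: str
    conn: str       # nginx connection number (*NNN), shared by a request and its subrequests
    message: str
    fields: dict


def parse_line(line: str) -> Entry:
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an nginx error_log line: {line[:60]!r}")
    # Free text up to the first ", client: "; after it, "key: value" pairs, some quoted.
    message, _, tail = m["body"].partition(", client: ")
    fields = {k: (q or v) for k, q, v in FIELD.findall("client: " + tail)} if tail else {}
    return Entry(m["ts"], m["level"], m["conn"], message, fields)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def explain(e: Entry) -> dict:
    """Classify one entry: `kind` is a stable tag for tooling, `detail` the reading."""
    up = e.fields.get("upstream", "")
    alert = re.search(r"SSL alert number (\d+)", e.message)
    if alert:
        n = int(alert[1])
        name = TLS_ALERTS.get(n, f"alert_{n}")
        detail = f"upstream {up} sent TLS alert {n} ({name})"
        if n == 112:
            detail += ("; it got no SNI it recognizes: nginx sends no SNI to an HTTPS upstream unless "
                       "proxy_ssl_server_name is on, and proxy_ssl_name sets which name")
        return {"kind": f"tls_alert:{name}", "detail": detail}
    if "peer closed connection in SSL handshake" in e.message:
        return {"kind": "tls_handshake_closed",
                "detail": f"upstream {up} dropped the handshake without an alert; check what listens there"}
    status = re.search(r"auth request unexpected status: (\d+)", e.message)
    if status:
        n = int(status[1])
        hint = {502: "the subrequest's upstream failed (look for a handshake error on the same connection)",
                404: "the upstream answered, but with 404 for the auth path"}.get(n, "")
        return {"kind": f"auth_request:{n}",
                "detail": f"auth_request allows on 2xx and denies on 401/403 only; {n} is an error, "
                          f"so the client received a 500. {hint}".rstrip()}
    return {"kind": "other", "detail": e.message}


def correlate(entries: list) -> dict:
    """Map the connection id of each auth_request error to the earlier upstream failure on it."""
    failures, paired = {}, {}
    for e in entries:
        kind = explain(e)["kind"]
        if kind.startswith("tls_"):
            failures[e.conn] = e
        elif kind.startswith("auth_request:") and e.conn in failures:
            paired[e.conn] = failures[e.conn]
    return paired


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"*{e.conn} {e.level:5} {explain(e)['detail']}")
    for conn, cause in correlate(entries).items():
        print(f"*{conn}: the 5xx above was caused by: {cause.message}")
```

The `*NNN` connection number is the key that links a `[crit]` upstream failure to the `[error]` that the client actually experienced, which is why the two Sep 30 lines pair up (`*721`) while the Oct 8 `peer closed` line and its 502 do not. Proxying the auth subrequest straight to authentik's own listener, rather than back through the public 443 of the reverse proxy, removes the SNI question entirely.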

@Anexgohan

Solution:
#10010 (comment)

@leon1995
Author

leon1995 commented Oct 8, 2024

@Anexgohan Thanks, it's working!

@leon1995 leon1995 closed this as completed Oct 8, 2024
BeryJu added a commit that referenced this issue Oct 16, 2024
…11621)

* Comment out problematic config at _nginx_proxy_manager.md

Resolves:
- #10010
- #7323
- #11453
- https://www.reddit.com/r/Authentik/comments/1c5sf6l/authentik_with_nginx_proxy_manager_not_possible/

Signed-off-by: Mahmoud AlyuDeen <[email protected]>

* Add working websocket configuration for nginx-proxy-manager.

Signed-off-by: Mahmoud AlyuDeen <[email protected]>

* remove commented out settings

Signed-off-by: Jens Langhammer <[email protected]>

---------

Signed-off-by: Mahmoud AlyuDeen <[email protected]>
Signed-off-by: Jens Langhammer <[email protected]>
Co-authored-by: Jens Langhammer <[email protected]>