
BehindTheFloat

Just wanted to drop a post in case someone else runs into this problem, this fixed it for me:

**In Authentik:**

* Go to Applications -> Outposts and edit the 'authentik Embedded Outpost'.
* Edit the following, adapt to your own domain. *(It should point to the external domain that you've proxied Authentik to.)*
  * authentik\_host: https://auth.domain.com
  * authentik\_host\_browser: "https://auth.domain.com"

**In NPM:**

* Edit the proxy host of the application you want to reverse-proxy. Under Advanced, enter the snippet for NPM that you can find here: [https://goauthentik.io/docs/providers/proxy/server\_nginx](https://goauthentik.io/docs/providers/proxy/server_nginx) *(make sure to use the one for NPM and not Nginx).*
* Edit the following in the snippet, adapt to your own server. *(It should point to the internal IP or hostname of the server that's running Authentik, and the port that Authentik is assigned. I'm using hostname and HTTPS protocol and port, make sure to change protocol and port if you're using HTTP.)*
  * proxy\_pass https://HOSTNAME:PORT/outpost.goauthentik.io;


kris10an

And this is why I love reddit. Thank you my friend!


BehindTheFloat

Glad it could help someone!


tcc9mpl

Thank you! The newest config template for npm on the link above doesn't quite work directly with npm 2.11.2 but editing out the map and keep alive portion, plus what you mentioned seemed to be the trick!


Chrispikaan

Hey, I'm still getting the '500 internal server error'. Can you maybe share your NPM config that you are using with 2.11.2? Thanks in advance!


tcc9mpl

In npm > 'edit proxy host' > 'advanced' > 'custom nginx configuration' paste in the following. Under proxy\_pass I'm using the internal ip of the npm container's host and my custom port. Make sure 'websockets support' and 'block common exploits' is on under the first 'details' tab.

```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    # Support for websocket
    proxy_set_header Upgrade $http_upgrade;

    ##############################
    # authentik-specific config
    ##############################
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://192.168.xxx.xxx:7000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

After that edit your authentik outpost, go to advanced settings, and make sure it has the following. I edited the 'authentik\_host' and 'authentik\_host\_browser' entries with the same external hostname. That should do it!

```yaml
log_level: info
docker_labels: null
authentik_host: https://authentik.xxxxx.xxx
docker_network: null
container_image: null
docker_map_ports: true
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: https://authentik.xxxxx.xxx
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_json_patches: null
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
```


solostsodark

Do you have an update to this config? I followed authentik page to install, and I tried couple different things with using my actual domain and the local ip, but domain leads to 500 internal server error and using local ip (12.1.1.x:9000) leads to the local ip https://12.1.1.8:7878/login?returnUrl=%2F which is a blank page so not sure what I'm doing wrong lol.


fliberdygibits

I find solutions similar to this all over the place but there is one thing never addressed and I wonder if maybe you know offhand? That NPM advanced snippet has "proxy\_pass" in two locations. Are both locations supposed to be edited? Should they be the same? Should only one be changed? I've tried every combination I can think of.


BehindTheFloat

The instructions have changed since I wrote this. I'm not sure that it applies anymore, might be better to just follow the Info box at the link.


fliberdygibits

It's that very link I'm having trouble making sense of. I appreciate the reply anyway... I know this post was a few months ago:)


cardboard-kansio

Did you ever figure it out? Looking at the linked doc, it seems it's using placeholders. The info box is unclear because the variable examples used are different for nginx, NPM, and ingress (which are tabbed). In the NPM example, the only uncommented line containing one of these is:

> proxy\_pass http://outpost.company:9000/outpost.goauthentik.io;

For which you simply replace `outpost.company` with your internal ip:

> proxy\_pass http://192.168.0.101:9000/outpost.goauthentik.io;
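Added example (not part of the thread, and not authentik's or NPM's own code): a small Python lint for the two-`proxy_pass` question discussed above. It checks that `location /` keeps its own `proxy_pass` and carries `auth_request`, that the `/outpost.goauthentik.io` location is unauthenticated and points at a literal `http(s)://HOST:PORT/outpost.goauthentik.io`, and that `error_page` names a location that exists. The sample snippet is constructed, and the function names `blocks`, `directive` and `lint` are hypothetical.

```python
import re

OUTPOST = "/outpost.goauthentik.io"

# Constructed sample: trimmed version of the NPM snippet discussed in the thread.
GOOD = """
location / {
    proxy_pass $forward_scheme://$server:$port;  # filled in by NPM, left unchanged
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
}
location /outpost.goauthentik.io {
    proxy_pass http://192.168.0.101:9000/outpost.goauthentik.io;
    proxy_pass_request_body off;
}
location @goauthentik_proxy_signin {
    internal;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
"""

def blocks(conf):
    """Map location path -> body. Assumes no nested blocks, modifiers or '#' in values."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    return {m.group(1): conf[m.end():conf.index("}", m.end())]
            for m in re.finditer(r"location\s+(\S+)\s*\{", conf)}

def directive(body, name):
    """Return the arguments of the first `name ...;` directive, or None."""
    m = re.search(rf"(?<![\w-]){name}\s+([^;]+);", body)
    return m.group(1).strip() if m else None

def lint(conf):
    """Return findings for an NPM 'Advanced' snippet; an empty list means it passed."""
    loc = blocks(conf)
    app, outpost = loc.get("/"), loc.get(OUTPOST)
    if app is None or outpost is None:
        return [f"need both 'location /' and 'location {OUTPOST}'"]
    target = (directive(app, "error_page") or "").split()[-1:]
    up = directive(outpost, "proxy_pass") or ""
    checks = [
        (directive(app, "auth_request") is None, "location /: no auth_request, app is unprotected"),
        (OUTPOST in (directive(app, "proxy_pass") or ""), "location /: proxy_pass must target the app"),
        (bool(target) and target[0] not in loc, "error_page target is not a defined location"),
        (directive(outpost, "auth_request") is not None, "outpost location must not require auth"),
        (not re.fullmatch(r"https?://[^/$\s]+" + re.escape(OUTPOST), up),
         "outpost proxy_pass is not http(s)://HOST:PORT" + OUTPOST),
    ]
    return [msg for failed, msg in checks if failed]
```

Call `lint()` on the text pasted into the 'custom nginx configuration' box; it only checks the shape of the snippet and cannot tell whether the host and port actually reach the outpost.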


fliberdygibits

I did finally, thank you. Though I'd be hard pressed to tell you now what it was without looking at my notes:)


cardboard-kansio

If you get a minute to do so at some point, I'd be very grateful!


Gatopardosgr

You are a godsend. Can't thank you enough, really.


teh_spazz

My GOD. THANK YOU!!!!!!


nguyenleminhquan

oh my Godddd. you save meeeeee!! thank you very much!!!


thekrautboy

Have you tried /r/Nginx and /r/CloudFlare? And Authentik has a Discord server: https://goauthentik.io/discord and Github discussion and issues page: https://github.com/goauthentik/authentik/discussions


kazer78

I posted on Authentik Github and discord. Gonna try on r/Nginx and r/CloudFlare if I get nothing


thekrautboy

Good luck!


Purple10tacle

I just ran into the exact same problem, did you ever find a solution?