add basic nginx single domain forward auth

BeryJu · BeryJu · commit 4815c85dd8fd · 2022-11-01T11:38:26.000+01:00
diff --git a/Makefile b/Makefile
@@ -1,6 +1,4 @@
-.PHONY: local
-
-local: local/docker-compose.yml
+compose-local: local/docker-compose.yml
 	cd local && docker compose up -d
 	./local/wait.sh
 
diff --git a/README.md b/README.md
@@ -8,26 +8,9 @@
 
 # authentik testing setups
 
-Kubernetes manifests to quickly test different cluster setups with authentik.
+authentik docker-compose and kubernetes setups for forward auth in various configurations
 
-## Run
+## Run (docker-compose)
 
-### `make all`:
+`make compose-local` will setup a local docker-compose authentik install.
 
-Apply common resources, in the following order:
-
-- FluxCD: used to deploy helmcharts via CRDs
-- authentik: Install authentik with PostgreSQL and Redis
-- whoami: A simple application to test with
-
-### `make nginx`:
-
-Common resources + nginx ingress controller
-
-### `make traefik`:
-
-Common resources + traefik ingress controller
-
-### `make remove`:
-
-Remove all resources.
diff --git a/compose-nginx-forward_single/docker-compose.yaml b/compose-nginx-forward_single/docker-compose.yaml
@@ -0,0 +1,27 @@
+version: '3.7'
+
+networks:
+  authentik_default:
+    name: local_default
+
+services:
+  nginx:
+    image: docker.io/library/nginx:1.23
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
+    networks:
+      - authentik_default
+    ports:
+      - 80:80
+      - 443:443
+  whoami:
+    image: docker.io/containous/whoami
+    networks:
+      - authentik_default
+  authentik-proxy:
+    image: ghcr.io/goauthentik/proxy:latest
+    env_file:
+      - ../.env
+    restart: unless-stopped
+    networks:
+      - authentik_default
diff --git a/compose-nginx-forward_single/main.tf b/compose-nginx-forward_single/main.tf
@@ -8,3 +8,47 @@ terraform {
 
 provider "authentik" {
 }
+
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+resource "authentik_provider_proxy" "provider" {
+  name               = "whoami"
+  internal_host      = ""
+  external_host      = "http://localhost.dev.goauthentik.io"
+  mode               = "forward_single"
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  token_validity     = "days=30"
+}
+
+resource "authentik_application" "app" {
+  name              = "whoami"
+  slug              = "whoami"
+  protocol_provider = authentik_provider_proxy.provider.id
+}
+
+resource "authentik_outpost" "docker" {
+  name = "docker"
+  protocol_providers = [
+    authentik_provider_proxy.provider.id,
+  ]
+  config = jsonencode({
+    authentik_host                 = "http://local-server-1:9000"
+    authentik_host_browser         = ""
+    authentik_host_insecure        = false
+    container_image                = null
+    docker_labels                  = null
+    docker_map_ports               = false
+    docker_network                 = "local_default"
+    kubernetes_disabled_components = []
+    kubernetes_image_pull_secrets  = []
+    kubernetes_ingress_annotations = {}
+    kubernetes_ingress_secret_name = "authentik-outpost-tls"
+    kubernetes_namespace           = "default"
+    kubernetes_replicas            = 1
+    kubernetes_service_type        = "ClusterIP"
+    log_level                      = "trace"
+    object_naming_template         = "ak-outpost-%(name)s"
+  })
+}
diff --git a/compose-nginx-forward_single/nginx.conf b/compose-nginx-forward_single/nginx.conf
@@ -0,0 +1,59 @@
+server {
+    listen 80;
+    server_name _;
+
+    # Increase buffer size for large headers
+    # This is needed only if you get 'upstream sent too big header while reading response
+    # header from upstream' error when trying to access an application protected by goauthentik
+    proxy_buffers 8 16k;
+    proxy_buffer_size 32k;
+
+    location / {
+        proxy_pass http://whoami;
+        proxy_set_header    Host $host;
+
+        ##############################
+        # authentik-specific config
+        ##############################
+        auth_request /outpost.goauthentik.io/auth/nginx;
+        error_page 401 = @goauthentik_proxy_signin;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header Set-Cookie $auth_cookie;
+
+        # translate headers from the outposts back to the actual upstream
+        auth_request_set $authentik_username $upstream_http_x_authentik_username;
+        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+        auth_request_set $authentik_email $upstream_http_x_authentik_email;
+        auth_request_set $authentik_name $upstream_http_x_authentik_name;
+        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+        proxy_set_header X-authentik-username $authentik_username;
+        proxy_set_header X-authentik-groups $authentik_groups;
+        proxy_set_header X-authentik-email $authentik_email;
+        proxy_set_header X-authentik-name $authentik_name;
+        proxy_set_header X-authentik-uid $authentik_uid;
+    }
+
+    # all requests to /outpost.goauthentik.io must be accessible without authentication
+    location /outpost.goauthentik.io {
+        proxy_pass          http://authentik-proxy:9000/outpost.goauthentik.io;
+        # ensure the host of this vserver matches your external URL you've configured
+        # in authentik
+        proxy_set_header    Host $host;
+        proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
+        add_header          Set-Cookie $auth_cookie;
+        auth_request_set    $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+    }
+
+    # Special location for when the /auth endpoint returns a 401,
+    # redirect to the /start URL which initiates SSO
+    location @goauthentik_proxy_signin {
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+        # return 302 https://localhost/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+    }
+}
diff --git a/compose-traefik-forward_single/docker-compose.yaml b/compose-traefik-forward_single/docker-compose.yaml
@@ -6,7 +6,7 @@ networks:
 
 services:
   traefik:
-    image: docker.io/library/traefik
+    image: docker.io/library/traefik:v2.9
     networks:
       - authentik_default
     command:
diff --git a/compose-traefik-forward_single/main.tf b/compose-traefik-forward_single/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     authentik = {
-      source  = "goauthentik/authentik"
+      source = "goauthentik/authentik"
     }
   }
 }
diff --git a/local/wait.sh b/local/wait.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-timeout 600 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9000/api/v3/root/config/)" != "200" ]]; do sleep 5; done' || false
+timeout 600 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' http://localhost:9000/api/v3/root/config/)" != "200" ]]; do sleep 5; done' || false

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`authentik = {`
`4`		`- source = "goauthentik/authentik"`
	`4`	`+ source = "goauthentik/authentik"`
`5`	`5`	`}`
`6`	`6`	`}`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`#!/bin/bash`
`2`		`-timeout 600 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9000/api/v3/root/config/)" != "200" ]]; do sleep 5; done' \|\| false`
	`2`	`+timeout 600 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' http://localhost:9000/api/v3/root/config/)" != "200" ]]; do sleep 5; done' \|\| false`