Great stuff! Love the wizard too. Excited to see them making things easier. I have a lot of my homelab setup for Authentik now, and just keep adding to it. It's become something I look for in my open source apps. Almost have to have an SSO option where I can use Authentik.
Thanks, I appreciate it. I pinged their technical writer to see if they maybe have plans to do the same or similar for their Flows and Stages...
...not sure if it is in development, however, if Authentik eventually creates a similar wizard to the flows and stages...that would also make it more streamlined/easier
Example:
Flow Creation Wizard > enter your info and type of flow you want > click next > asks you to choose a stage to set up for that flow > set up your stage > click next and it binds your stage to the flow created (policies can be customized later outside the wizard or in the wizard; not sure which makes more sense). Maybe the wizard is used to create a functional base first...then policies, if needed, later.
thanks for the easy to follow tutorial, it worked like a charm.
I saw you had implemented 2FA for authentik, I watched your video on that and got mine configured as well, so double thanks man!
You're welcome!
Thank you very much for your videos, they are superb, especially because you always point to the original documentation where we can go into details just in case something will be different (e.g. new app version with different features). You have a new subscriber :)
Glad you like them!
Very clear video! However, pasting the generated advanced configuration for nginx proxy manager makes the host go to Offline. So it seems that the generated snippet contains some things that throw off NPM for me.
Found it: Authentik gives a map statement at the top of the config, which can't be added under advanced because this needs to be within an http block.
Yup, in the discord I just posted a simple workaround of pasting the snippet from a previous/older version of authentik, or copy and paste from one of your already-working services if upgraded to the latest authentik.
@@cooptonian Thank you so much for your comment, I was able to get my forward auth working because of this!
you're welcome!
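An added configuration example (not from the video, this thread, or authentik's own generated snippet) showing the split the map-directive problem above forces in Nginx Proxy Manager: the `map` has to live in the `http{}` context, which NPM exposes through its custom include file `/data/nginx/custom/http_top.conf`, while the per-host forward-auth locations go in the proxy host's Advanced tab (server context). It assumes the embedded outpost is reachable from NPM at `http://authentik-server:9000` (hostname assumed) and that the proxy host's Forward Hostname/Port fields point at the protected app, which NPM exposes as `$forward_scheme`, `$server` and `$port`.

```nginx
# --- File 1: /data/nginx/custom/http_top.conf (inside NPM's data volume) ---
# NPM includes this file at the top of its http{} block. A `map` directive is
# only valid in the http{} context, which is why pasting it into a proxy host's
# Advanced tab (spliced into that host's server{} block) makes the host go Offline.
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

# --- File 2: the proxy host's Advanced tab (server{} context) ---
# $forward_scheme, $server and $port are set by NPM from the proxy host's
# "Forward Hostname / IP" and "Forward Port" fields, so keep those pointed at the app.
location / {
    proxy_pass       $forward_scheme://$server:$port;
    proxy_set_header Host $host;

    # Ask the authentik outpost whether this request carries a valid session.
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # Copy the identity headers the outpost returns onto the request to the app.
    # The app must only be reachable through this proxy; anyone who can reach it
    # directly could forge these headers.
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email    $upstream_http_x_authentik_email;
    auth_request_set $authentik_name     $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid      $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups   $authentik_groups;
    proxy_set_header X-authentik-email    $authentik_email;
    proxy_set_header X-authentik-name     $authentik_name;
    proxy_set_header X-authentik-uid      $authentik_uid;

    # These two lines are the only consumers of the map in File 1; drop all
    # three together if the app never needs WebSocket upgrades.
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;
}

# Everything under /outpost.goauthentik.io must be reachable without
# authentication; it is proxied to the embedded outpost (address assumed).
location /outpost.goauthentik.io {
    proxy_pass              http://authentik-server:9000/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# A 401 from the auth subrequest lands here and starts the SSO flow,
# returning the user to the page they asked for (rd=) afterwards.
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```

After creating `http_top.conf`, run `nginx -t` inside the NPM container and restart it (or `nginx -s reload`) so the http-level include is picked up; the Advanced tab, by contrast, is applied when the proxy host is saved, and a host that shows Offline there is almost always a directive that is invalid in server context, exactly as the thread found. Test in a private/incognito window, since a cached authentik session will mask a misconfigured `/outpost.goauthentik.io` location.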
Very nice video! I was looking for something like this with Immich :) Just wondering - what about security? Would you add fail2ban or something, or do you think Authentik + Cloudflare proxy is a safe enough setup?
Thank you! I think Authentik and Cloudflare proxy _should_ be safe enough. It's nice that Cloudflare offers so many security features where you have bot fight and country blocking...etc. Also, Authentik has IP reputation to stop or at least slow down any brute force login attempts. You can incorporate fail2ban also if you'd like for added security. I do, and have it set up with Cloudflare API/Token where blocked IPs are automatically added as ban rules at the DNS level at Cloudflare...
@cooptonian Do you have any video about it? Would be another mandatory thing for me to watch :)
No I don't...maybe, maybe I'll make one about it tonight...
...actually, here you go, this is the video I followed by @DBTech along with his documentation on his site. ua-cam.com/video/Ha8NIAOsNvo/v-deo.htmlsi=-QBh4rcsK15HZy2I
Which version has the application wizard?
I'm on the newest stable 2023.10.7 and that does not seem to have it.
Oh, and a tutorial on how to use Active Directory groups as a source for authentication to applications would be very interesting
...it's in their Beta/Dev branch but I was told their next stable release will have this
goauthentik.io/docs/installation/beta
@cooptonian Ahh, that makes sense
I tried this with Radarr and Sonarr and keep getting an SSL handshake error 525. I've tried every combination of IP/host and it still shows offline. If I remove the code it immediately goes online, so it's something in the code, but no idea what. Immich went perfectly though!
...are you in the discord? If not, I mentioned that the later versions of authentik changed the code for nginx reverse proxy manager where your app will go immediately offline if not setup prior to the update. The workaround that I have found is to copy the snippet of code from an older version of authentik OR if you already have an app up and running, copy that code from NPM and just adjust your proxy_pass as needed for whatever app you're trying to set up...
This is amazing! Thank you for making this video, going to try and get this working again today. For the Forward Auth setup, is it possible to have authentik send basic HTTP auth headers for the application it's protecting? My application uses basic HTTP authentication itself and I was trying to follow the docs for adding the login details to an authentik group and assigning that group to my user, but I'm still prompted for the basic auth on my application.
Yes, it is possible. I just tested it with an app that has basic auth (pop-up) -as well as an app that has no authentication at all but my reverse proxy provides its http basic auth and both work- [I used forward auth (single-application)]... Just remember to either put the username and password as attributes of the user OR a group that the user is a member of and also put those attributes in the http authentication section of your provider.
...try this video: ua-cam.com/video/S-CIGno0cdw/v-deo.html
Hello, I do not really understand the port "10443" used at 12:35... Is this the authentik container port? I thought it was 9000
Hi, yes, authentik's container ports are 9000 and 9443...I mention in the video that it is my custom port... If you have conflicting port numbers, either authentik's ports will need to change or whatever application has those same port numbers will.
I seem to be getting a 500 Internal Server Error when using forward proxy. I am trying to set it up with Homepage, I've tried just about everything I can think of, no matter what, I just get the 500 internal server error. Any help would be very much appreciated.
...I don't run Homepage, however, I just spun it up from its docker compose file, verified I can access it directly with IP:Port. Then I proceeded to add a proxy host to my reverse proxy manager (NPM) for Homepage, as well as added a CNAME to my DNS records and verified I can access it with the DNS URL address. Next, I created an application and used transparent proxy in authentik with external host address as the DNS URL address and internal address pointing to the IP:Port of Homepage and 'Internal host SSL Validation' disabled. Next, I added Homepage to my embedded Outpost list of applications. I went back to NPM and changed the proxy host from Homepage's IP:Port to my authentik's embedded Outpost. Homepage loads fine after authenticating...no 500 Internal Error.
Next, I tested it with forward auth (single application) by going to the recently created Homepage provider in authentik and editing it. I changed from transparent proxy to forward auth (single application), clicked update. Then, clicked on the provider itself and clicked on my reverse proxy tab (NPM) to copy the snippet of code. Went to NPM to edit the proxy host for Homepage by changing the IP address and port back to Homepage's, then clicking on the advanced tab and pasting the snippet of code I just copied. I adjusted the proxy_pass in the code to point to my embedded outpost and saved. Tested loading in a different browser/incognito and again Homepage loaded after authenticating with authentik... So I didn't have any 500 Internal Error issues...
So does Netdata have a login and it's passing credentials somehow? I've been trying to pass credentials without any success.
...a login if you sign up and do the cloud thing for all those extra features... I am self-hosting and just need the most basic monitoring, so I have basic auth through my reverse proxy and this is what I pass in authentik...
Can't seem to log in to the mobile app, getting API error for Android. Have tried the following unauthenticated paths: ^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*
...double-checked you are doing this for the respective provider? Not sure if it will help, but also maybe try escaping the '/' with '\/'...IF not that, just try adding $ to the end of each of those lines, for example: ^/identity/.*$
Was trying to set up Immich, installed Immich, configured nginx, can log in fine. Walked through authentik but I keep getting the following error when I click the OAuth button on the Immich login page. Error in OAuth discovery: Error: unable to verify the first certificate
(Immich Server Error)
...did you choose client type confidential as well as choose a signing key certificate? Either one you've created or one of the built-in self-signed ones?
@cooptonian Yea, that was the first thing I thought of. Tried my wildcard cert that I normally use along with the authentik self-signed cert. Gonna walk through it again this morning with some fresh eyes.
@cooptonian Well, came into work this morning, brought up a fresh machine and boom - it worked. I suppose tired eyes and browser cache / DNS cache maybe was my downfall last night. But it works now. Thanks for the video, keep them coming, you are probably the best source for decoding the vague authentik docs 😉
Thanks! And yeah, that has happened to me before, that is why in all my videos I mention opening up an incognito window/tab to avoid any cached/historied results...