Bad gateway on configured Proxied app #13271

Open
javierspn opened this issue Feb 26, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@javierspn

javierspn commented Feb 26, 2025

Describe the bug
I have the following setup:

  1. Nginx proxy manager
  2. Authentik server in the same docker network (default ports 9000 and 9443)
  3. Nginx exposes the authentik container as a proxy host with http://authentik:9000 internally and as https://auth.example.com with a valid letsencrypt certificate.
  4. An app and provider with the following configuration (the app is another container in the same docker network with no authentication, it is a very simple web app called it-tools):
  • App: Name: ittools / slug: ittools / provider: ittools
  • Provider: Name: ittools / Authorization flow: default-provider-authorization-implicit-consent (Authorize Application) / External host: https://ittools.example.com/
  • Outpost: default local docker connection

This is my docker configuration:

services:

  authentikpostgres:

    container_name: "${POSTGRES_CONTAINER_NAME}"
    image: ${POSTGRES_CONTAINER_IMAGE}

    environment:
      TZ: ${TZ}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_DB: ${POSTGRES_DB}

    networks:
      - proxied

    restart: ${POLICY_RESTART}

    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s

    volumes:
      - ${POSTGRES_CONTAINER_VOLUME}

    logging:

      driver: ${LOG_TYPE}
      options:
        max-size: ${LOG_SIZE}
        max-file: ${LOG_FILES}

  authentikredis:

    container_name: "${REDIS_CONTAINER_NAME}"
    image: ${REDIS_CONTAINER_IMAGE}

    command: --save 60 1 --loglevel warning

    environment:
      TZ: ${TZ}

    networks:
      - proxied

    restart: ${POLICY_RESTART}

    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

    volumes:
      - ${REDIS_CONTAINER_VOLUME}

    logging:

      driver: ${LOG_TYPE}
      options:
        max-size: ${LOG_SIZE}
        max-file: ${LOG_FILES}

  authentikserver:

    container_name: "${AUTHENTIK_CONTAINER_NAME}"
    image: ${AUTHENTIK_CONTAINER_IMAGE}

    command: server

    environment:
      TZ: ${TZ}
      AUTHENTIK_REDIS__HOST: ${REDIS_CONTAINER_NAME}
      AUTHENTIK_POSTGRESQL__HOST: ${POSTGRES_CONTAINER_NAME}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}

    networks:
      - proxied

    restart: ${POLICY_RESTART}

    volumes:
      - ${AUTHENTIK_SERVER_MEDIA_VOLUME}
      - ${AUTHENTIK_SERVER_TEMPLATES_VOLUME}

    depends_on:
      authentikpostgres:
        condition: service_healthy
      authentikredis:
        condition: service_healthy

    logging:

      driver: ${LOG_TYPE}
      options:
        max-size: ${LOG_SIZE}
        max-file: ${LOG_FILES}

  authentikworker:

    container_name: "${AUTHENTIK_WORKER_CONTAINER_NAME}"
    image: ${AUTHENTIK_CONTAINER_IMAGE}

    command: worker

    user: root

    environment:
      TZ: ${TZ}
      AUTHENTIK_REDIS__HOST: ${REDIS_CONTAINER_NAME}
      AUTHENTIK_POSTGRESQL__HOST: ${POSTGRES_CONTAINER_NAME}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}

    networks:
      - proxied

    restart: ${POLICY_RESTART}

    volumes:
      - ${AUTHENTIK_DOCKER_SOCK_VOLUME}
      - ${AUTHENTIK_SERVER_MEDIA_VOLUME}
      - ${AUTHENTIK_WORKER_CERTS_VOLUME}
      - ${AUTHENTIK_SERVER_TEMPLATES_VOLUME}

    depends_on:
      authentikpostgres:
        condition: service_healthy
      authentikredis:
        condition: service_healthy

    logging:

      driver: ${LOG_TYPE}
      options:
        max-size: ${LOG_SIZE}
        max-file: ${LOG_FILES}

volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  proxied:
    name: proxied

I have exposed both ports for authentikserver too in the compose file to try it out:

    ports:
    - ${AUTHENTIK_PORT_HTTP} (9000)
    - ${AUTHENTIK_PORT_HTTPS} (9443)

The best I got was for the app to redirect on the public web to authentikserver:9000 as the outpost (which obviously fails).

This is the configuration of nginx proxy manager:

[screenshots: nginx proxy manager proxy host configuration]

And this is the advanced config, the only change is the actual supposedly working outpost:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-entitlements $authentik_entitlements;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    # auth_request_set $authentik_auth $upstream_http_authorization;
    # proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              https://auth.xxxx.com/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Screenshots
Nginx proxy manager authentik:

[screenshot: nginx proxy manager proxy host for authentik]

There is a valid letsencrypt certificate.

Whenever I connect to the app, 500 Internal Server error is displayed.
To Reproduce
As above.

Expected behavior
To work XD

Logs
Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.3
  • Deployment: docker-compose

Additional context
Add any other context about the problem here.

@javierspn javierspn added the bug Something isn't working label Feb 26, 2025
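As an added example (not code from the issue or from the authentik project), a small Python checker for the security-relevant wiring of the nginx forward-auth snippet posted above: it confirms that `location /` routes every request through `auth_request`, that each identity header read from the outpost with `auth_request_set` is forced onto the upstream request with `proxy_set_header` (otherwise a client-supplied `X-authentik-*` header would pass through to the app unchanged), and that the outpost location forwards no request body. The embedded config is a constructed, condensed copy of the snippet; `auth.example.com` is a placeholder host.

```python
import re

# Constructed sample: a condensed copy of the forward-auth snippet posted in the issue.
GOOD_CONF = """
location / {
    proxy_pass $forward_scheme://$server:$port;
    auth_request     /outpost.goauthentik.io/auth/nginx;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
}
location /outpost.goauthentik.io {
    proxy_pass https://auth.example.com/outpost.goauthentik.io;
    proxy_set_header Host $host;  # comments are stripped before matching
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
"""
# Same snippet minus the groups translation: a client-supplied X-authentik-groups
# header would then reach the upstream app untouched.
WEAK_CONF = GOOD_CONF.replace("    proxy_set_header X-authentik-groups $authentik_groups;\n", "")

def parse_locations(conf):
    """Map each top-level `location` name to its comment-free, whitespace-normalised body."""
    conf = re.sub(r"#[^\n]*", "", conf)
    locs = {}
    for m in re.finditer(r"location\s+(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        locs[m.group(1)] = re.sub(r"\s+", " ", conf[m.end():i - 1]).strip()
    return locs

def check_forward_auth(conf):
    """Return findings for the authentik nginx snippet; an empty list means it is wired as intended."""
    locs, findings = parse_locations(conf), []
    app = locs.get("/", "")
    if "auth_request /outpost.goauthentik.io/auth/nginx;" not in app:
        findings.append("location /: auth_request to the outpost is missing")
    # every identity header read from the outpost must also be forced onto the upstream request
    for name in re.findall(r"auth_request_set \$authentik_(\w+) \$upstream_http_x_authentik_\1;", app):
        if f"proxy_set_header X-authentik-{name} $authentik_{name};" not in app:
            findings.append(f"location /: X-authentik-{name} is not overwritten for the upstream")
    outpost = locs.get("/outpost.goauthentik.io", "")
    for directive in ("proxy_pass_request_body off;", 'proxy_set_header Content-Length "";'):
        if directive not in outpost:
            findings.append(f"location /outpost.goauthentik.io: missing {directive}")
    return findings
```

Run `check_forward_auth` over the real advanced config from nginx proxy manager to get the same findings for a live setup.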