docs: document outpost router + priority gotcha for forward-auth
The Traefik example was missing the veola-outpost router (PathPrefix /outpost.goauthentik.io/ -> authentik service) and the header-strip middleware, so a fresh deploy following it would 404 on Sign out. Add both, plus a prominent note: the outpost router must outrank the catch-all Host(...) router. Traefik's default priority is rule length, so Authentik's docs value of priority:15 silently loses once the hostname rule exceeds 15 chars (e.g. veola.parodia.dev = 25), letting the catch-all swallow /outpost.goauthentik.io/sign_out into Veola's 404. Use a high explicit priority (100).
This commit is contained in:
@@ -47,19 +47,58 @@ http:
|
|||||||
- X-authentik-email
|
- X-authentik-email
|
||||||
- X-authentik-name
|
- X-authentik-name
|
||||||
- X-authentik-groups
|
- X-authentik-groups
|
||||||
|
# Strip client-supplied identity headers on ingress so only the outpost
|
||||||
|
# can set them (runs before `authentik` on the protected router).
|
||||||
|
authentik-strip:
|
||||||
|
headers:
|
||||||
|
customRequestHeaders:
|
||||||
|
X-authentik-username: ""
|
||||||
|
X-authentik-email: ""
|
||||||
|
X-authentik-name: ""
|
||||||
|
X-authentik-groups: ""
|
||||||
|
X-authentik-uid: ""
|
||||||
|
|
||||||
routers:
|
routers:
|
||||||
veola:
|
veola:
|
||||||
rule: "Host(`veola.example.com`)"
|
rule: "Host(`veola.example.com`)"
|
||||||
service: veola
|
service: veola
|
||||||
middlewares:
|
middlewares:
|
||||||
|
- authentik-strip
|
||||||
- authentik
|
- authentik
|
||||||
tls:
|
tls:
|
||||||
certResolver: letsencrypt
|
certResolver: letsencrypt
|
||||||
|
|
||||||
|
# The outpost's own endpoints (callback, start, sign_out) must go straight
|
||||||
|
# to Authentik, NOT through the forwardAuth-protected `veola` router. This
|
||||||
|
# router has NO auth middleware and points at the authentik service.
|
||||||
|
veola-outpost:
|
||||||
|
rule: "Host(`veola.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
|
||||||
|
priority: 100
|
||||||
|
service: authentik
|
||||||
|
tls:
|
||||||
|
certResolver: letsencrypt
|
||||||
|
|
||||||
|
services:
|
||||||
|
authentik:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "http://authentik-server:9000/"
|
||||||
```
|
```
|
||||||
|
|
||||||
Traefik must strip any client-supplied `X-Authentik-*` and `X-Forwarded-*`
|
**Router priority — important.** Both routers match the Veola host, so the more
|
||||||
headers on ingress so only the outpost can set them.
|
specific `veola-outpost` must win. Traefik's *default* priority is the rule
|
||||||
|
length, so the catch-all `veola` router (`Host(...)`) gets a priority equal to
|
||||||
|
its length (e.g. `Host(`veola.parodia.dev`)` = 25). Authentik's docs example
|
||||||
|
sets the outpost router to `priority: 15`, which **silently loses** whenever the
|
||||||
|
hostname rule is longer than 15 chars — the catch-all then swallows
|
||||||
|
`/outpost.goauthentik.io/*` and hands it to Veola, which 404s. Symptom: clicking
|
||||||
|
**Sign out** lands on `/outpost.goauthentik.io/sign_out` with a plain
|
||||||
|
`404 page not found`. Fix: give `veola-outpost` a high explicit priority (e.g.
|
||||||
|
`100`) so it always beats the catch-all.
|
||||||
|
|
||||||
|
(Login still works even when the outpost router loses, because the outpost
|
||||||
|
intercepts `callback`/`start` during the forwardAuth `/auth/traefik` round-trip;
|
||||||
|
`sign_out` is the one path that genuinely needs the dedicated router.)
|
||||||
|
|
||||||
## Break-glass
|
## Break-glass
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user