ฝัง
- เผยแพร่เมื่อ 28 ก.ค. 2024
- authentik is an open-source Identity Provider focused on flexibility and versatility. We showed you the installation, and now we'll show you how to use Traefik and NGINX Proxy Manager with Authentik to secure your applications.
Related Links:
Docs: docs.ibracorp.io/authentik/
Geek Circuit: geekscircuit.com/set-up-authe...
Authentik #1: • Authentik: How to Inst...
Traefik: • Discover Traefik v2.6+...
NGINX Proxy Manager: • NGINX Proxy Manager: H...
🔔 Subscribe for more tech tips and tutorials: @IBRACORP
👍 Like this video if you find it helpful, and tell us in the comments what other tutorials you'd like to see.
🚀 Timestamps:
0:00 Intro
2:29 Authentik Features
4:32 Authentik with Traefik
8:15 Authentik with NGINX Proxy Manager
10:25 Protecting Apps with Authentik
16:44 Authentik Settings
18:50 Final Thoughts
📌 Follow us on social media for the latest updates:
Website: ibracorp.io/
Discord: / discord
Reddit: / ibracorp
Twitter: / ibracorp_io
Facebook: / ibracorp
💖 Support Us:
Your support helps us to keep producing high-quality tech tutorials and content. If you've found value in our videos, consider supporting us in the following ways:
PayPal: www.paypal.com/donate/?hosted...
Shop: shop.ibracorp.io/
Subscribe and share our videos with friends and colleagues.
Every bit of support makes a huge difference and enables us to continue delivering content that helps you make the most of the latest technology!
For business enquiries, please email support@ibracorp.io
#authentik #auth #identity #authorization #selfhosted #nginx #authelia - วิทยาศาสตร์และเทคโนโลยี
What do you guys think of authentik? Let us know in the comments below!
➡Subscribe on our website if you want to support us: ibracorp.io
➡Join us on Discord: discord.gg/VWAG7rZ
Please don't forget to like and subscribe to help us help you! 👍
loved it until i accidentally deleted a flow that prevents me from logging in. cannot get back in even if i delete all the contains and their corresponding appdata folders and start over. the if/admin pages doesnt exist anymore
Great work! Would love to see how you start using OIDC though. Like having Jellyfin, Calibre-web, and Authentik using the same credentials provided by LDAP to have true single sign-on.
I love that your covering Authentik more!
We do, too 😎
Great video, love the approach used with the subdomain traefik rule.. much cleaner than what I was using. Thanks for sharing!
Glad you enjoyed it and thanks for watching ruckus 🌟
Thank You for including my guide (Geek's Circuit) as well ;)
Thank you for sharing it mate 🙂
Thanks for the demo and info, have a great day
nice i am not the only one who didn't spot the change password the first time. at one point i suspected we needed to create the invite system first in order to do so. but that was not the case. thx for highlighting it
Amazing video, this is what I have been waiting for to secure by setup. If I may make a suggestion for people like me watching from a mobile device, please zoom in on those sections where you are going over the configuration and files. Otherwise the text is hard to make out. Again great video. 👍
Hello, is there a guide how to add TOTP to selfhosted app from Nginx Proxy Manager?
Astonishing work guys!
Just a question cause I'm just starting to configure an authentication method.
And I was planning (already started) to use : Authelia.
Now, I just saw this video 😀
What do you think?
Authelia or Authentik?
Thanks a lot for you wonderful work!!
Great content, thanks!!!
Thanks IbraTeam - I was waiting for this for looong time :)
Thanks for waiting! 🙏
This is awesome. Keep up the good work. Can you guys do a walkthrough for graylog for Unraid?
We will!
I can't seem to point NPM to itself. (502 bad gateway) If I remove SSL I'm greeted by the NPM slash screen, not the web UI. Am I missing something?
thank you , wait this video long time , very useful !
You're welcome thanks for watching 🙂
Having a hard time finding the list of unauthenticated paths in the docs. Can anyone point me in the right direction?
Wow great video :) Nice work and was really helpful.
Maybe could cover later on how to limit access per user ?
Great suggestion thank you Yannick. Thanks for watching
Found your video's on nginx proxy manager super helpful to start out! Would you like to do an in-depth comparison regarding nginx proxy manager vs cloudflare zero trust tunnel? I'm think of switching to the latter, but not sure if i should..
Great tutorial if you don't mind i will like to request 2 more videos one is nextcloud full in detail and second is Grafana
I had it working for the sonarr but it was getting late so I reverted back to not using Authentik until I could really test it. Now when I add the script back to NGINX advanced tab, I get error 500 regardless if I'm using the private IP or domain for Authentik. I have no idea what's wrong. Still trouble shooting it.
8-13 - I figured out the issue. Provider needs to be set to ForwardAuth (single application) not proxy. There is a mismatch between this video and the documentation on your site so I was a bit confused. Proxy seems to make Authentik act as the reverse proxy.
Are you able to go more in-depth on how to configure Authentik, and traefik together in unraid?
Anyway you can show or provide instructions for HAproxy on Pfsense for that redirect URL part for the reverse proxy?
Looks interesting. Can you use SWAG with it?
Amazing video, but I still cant manage to make it work yet, it gives me "event":"no app for hostname" in logs. Would you consider making a video explaining how to integrate CrowdSec in this setup?
How does the user details get passed to the backend app after authentik has done its job ?
I would like to congratulate you on your excellent work, I really like your videos.
I would like to ask if possible if you could record a video explaining how to run nginx-proxy-manager together with traefik inside portainer, honestly this is an extreme headache for me and I really need to learn, I believe this is the question of several followers. Thanks in advance.
Great Video,
Just a question is there a way on Authentik to block Vaultwardens admin page but bypass the main app? Similar to your authelia method
I just followed your video to setup authelia and swag along with cloudflared, wonder what is the difference?and if there is a preferred method.
Authelia is still a great authentication/authorization tool. Authentik at current can do that plus some other features such as OIDC and more.
Swag can also be used however was not covered in this guide. Cloudflared can remain and still provides you a safe, tunneled connection.
Some other have noted their use cases for both Authelia and Authentik so its really dependant on your tastes and needs.
Does anyone know how to get email setup in Authentik using UNRAID?
Thanks for videos, followed your videos on setting up authentik. But I can’t seem to get it to work. I click on the app and takes me to my normal app webpage, not showing my authentik page? I’m using Traefik. I only thing I’ve noticed that I haven’t got “local docker connection “ in the integration part (15:10) which mine is blank?
How to set in Authentik that it just redirects by a certain subdomain without MFA or anything else?
Unfortunately I can not find anything :(
Could you cover the integration with Organizr? Thank you, keep up with the good work!
Hi Filippo, definitely! Thank you for watching
Hi, what would happen if i use authentik for example on the Immich Docker or nextcloud and i use the apps on my iphone, how does this work for that? or does it not work?
Don’t know if you’ll see this. But how would the traefik route work with services that has built-in login screen like jellyfin? From their docs you’re supposed to use the LDAP feature together with the jellyfin LDAP plugin, but this applies if you run authentik by itself
Thanks for another great video! Unfortunately I have a problem with Autentik, I can't change the backgrounds. When I edit a flow and want to upload the background, there is always an error. Via SSH I get the message "access denied" when I try to rename a file.
Is there a trick here that I don't know or am I missing something?
Hi Valentino, haven't actually done it yet here but will be covered in upcoming episodes. Let us know if you figure it out!
Hi, great video. I have a question though. Unlike Authelia, Authentik wont sign out of every service when you sign out of the dashboard/panel and you still can access all your apps unless your cookies expire or you manually delete them. Is there a way to change that? Like something to invalidate the cookies once you log out of the authentik dashboard.
Thanks in advance
Did you find a solution to this?
I just went back to Authelia. This is too big a security risk. If it was just myself I’d know, but to offer other people logins, who knows where they would log into to have services that can’t be logged out of.
you can have the MFA be required after so many hours/days etc
Hey! Thanks for the video! Love your vids - and was suprised to see what you looked like in your latest one - not what I expected haha. Anyways, I am having trouble with getting this all working. I think the problem is down to the integration which shows 'no integration active'. I have searched the web far and wide and checked comments on YT (some people having the same issue, but no resolution) but I can not figure out how to fix this. Everything else works as expected in setting up the application etc.. but when I go to the correct domain after setting everything else up I get a 500 error - assuming this is down to the integration issue? Any advice you (or anybody) can provide on this would be greatly appreciated :)
Having the same issue and I noticed he has a docker integration. Did you ever figure this out?
@@Fluxzone90 I fixed the docker integration issue by adding -u root to the worker - but still errors :)
Are you guys gonna do a guide on using Authentik for SSO and MFA?
Yes 🙂
If I already have setup Authelia does Authentic offer other more features i might need?
If you use the virtual machine for free ipa user management instead of adding users via the file in authelia, this can be handled by authentik's web UI, eliminating the need for an extra VM. That's why I switched, at least.
Great video! Got one problem thou, cant get Outpost Integration to work. Have the right data in template but nothing appears in authentik. Tried to add manually in Authentik with "/var/run/docker.sock" and ticked Local but it goes Unhealthy State. Anyone with this problem? Followed these two videos to the letter :)
i have this same problem and still havent figured it out yet
@@DaPlayboy82 Let med know if you figure it out :)
Same boat here as well.... any updates?
@@waddoo1234 not yet:(
@@waddoo1234 in the extra parameters section in unraid i added this to get it working. --user nobody:$(stat -c '%g' /var/run/docker.sock)
This video comes just a bit too late for me since I have recently setup my Authentik server already. I do have a question for you @ibracorp, at the login screen I see your logo next to the username. I had already figured out how to change the logo and wallpaper of the different flows, but I was amazed to see that also that little user logo can be changed. Could you perhaps tell me/us how to do that? I can't find anything to change the user avatar anywhere.
Hi Jimz! Sorry we couldn't get to you on time then 😎
Of course, the avatar is actually being pulled from Gravatar. So it uses the email address of the account you're signed into and pulling it from Gravatar automatically (as long as emails match)
@@IBRACORP Np I watched the video regardless (your videos are great). Hm gravatar you say? So I would need to open an account on that website for that to work?
@@IBRACORP Thanks a lot! This worked like a charm. Like I said, amazing videos!
Thanks for the video. Been waiting for this since I saw the first one. Have to say the authentik doco’s on their site are not helpful even to me (sys admin by day)
I’ve now got my forward auth with swag running and Plex source, and SSO for nextcloud.
What I’m desperate to find out how to do is to pass basic credentials to services (like they list for sonarr) but more for SAB and Overseer (I have some local users) also a bit annoying that it seems to hate organizr s for login. Found it confusing to try and work out enforcement of 2FA (got there in the end)
What’s next in the series? Can you look at using the basic credentials? Can you recommend a group or discord to join for help as guides are extremely limited.
Hi Daniel,
Thank you for watching! Glad you enjoyed it.
Future videos will entails using SSO and SAML/OIDC to give you single sign on to apps that support it. ( I believe that's you're asking for, too)
As for a group, you can join the official Authentik discord and you can also join our Discord as we have many members who use it and may be able to help you.
Here's our link: discord.gg/VWAG7rZ
Yes but also the HTTP basic auth for passing through basic passwords to things like photo prism or overseer/Ombi. I want to be able to use authentik to secure overseer for both local users and Plex users
i was at the 8 minutes mark then i got engrossed in the potential masterpiece i could make and started dancing and bobbinb my head
So were we 😎
Great video as always but I am getting an unhealthy local docker connection in outpost integrations.
Same here, let me know if you find the solution :) I´ll let you know if i find one.
I second this. Same problem.
Love you vids but sorry you didn't spend nearly enough time talking about the config part in npm which is by far the most complicated of this setup.
When I go to set this up it isn't auto creating the "outpost integration" I can't seem to figure out how to connect to Unraids docker setup/how to setup outpost integration? Nothing was populated on it's own on my end as your video showed?
Did you watch our first video?
@@IBRACORP yes. I am past that now though. Now stuck on the 500 error. Some folks saying enter IP for proxy pass when pasting into NPM but that isn’t working either. Authentik appears to be fine; just need to sort out 500 error once logging in and attempting to be forwarded to service.
@@IBRACORP You don't go over it in the first video or this one. By default, at least for me after following part 1 of your guide, that field is empty with nothing to select in the dropdown
Thanks for the feedback Jackos.. honestly not sure why that is. Haven't had to set it up manually so not sure if it's possibly done in the compose file
I am also struggling with the 500 error.
Outpost integrations are not present for me, in your video you have a Docker integration.
Outpost I have selected the application as in your video but it seems that without the Outpost integrations, the Docker container can not be retrieved (have configured NPM as described in the video).
Can we get a guide for SWAG? Why was SWAG left out?
seriously
Because we don't use SWAG and did not have enough time. Can always revisit
getting internal error 500? Any idea how to solve it?
Do you not discuss local docker connection
NPM sorted. However, I can't get Authentik to forward to an app without receiving a 500 page error. Everything works using Authentik as a proxy.
I have the same problem, did you figure it out
@@dirtyracks For proxy_pass I used internalIP: port of Authentik and added
port_in_redirect off;
Above the location block in NPM Config.
@@Gatorman3385 there are 2 location block, one for the application and one for authentik. whitch one?
@@itdraak7531 The first one, near the top.
@@Gatorman3385 now by logging into my code server (error: WebSocket close with status code 1006) and nextcloud goes to my ip address instead of my domain
I was able to avoid the :4443 error by adding
port_in_redirect off;
Above the location block in NPM Config.
No dice in doing that in my config, any tips?
proxy_buffers 8 16k;
proxy_buffer_size 32k;
port_in_redirect off;
@@waddoo1234 Can you describe what you're seeing?
Unauthenticated api part isn't needed, just have the containers on the same docker network and they can communicate over that, no reason to go through authentik.
Hi Chris! Great points. Although one situation where this won't work is between two sites. For example, we have a website in the cloud that calls home to Sonarr, it would be challenged by Authentik as it comes in via http/s.
Most should be fine with what you wrote though.
@@IBRACORP that makes sense. Theoretically you could vpn them and use docker swarm with an overlay network, but I've never tried that so I don't know how practical that would be. Swarm is probably overkill and a vpn might be enough.
VPN is definitely a viable option! Swarm I'm not sure about personally so can't answer that but yeah a VPN definitely is a valid option and of course is probably most secure. In which case would we even need Authentik 👀
Thanks for watching Chris!
Also doesn't seem to work for apps that phone home like home assistant app.
That's where you need unauthenticated paths
I wish authentik had FIDO2 WEBAUTH support :( otherwise i would have switched over from authelia!
Authentic seems so much less hastle than authelia !
Is there an easier alt choice for this? I mean Authentik or authelia is great option, but I'd like to have a simpler app, with less dependence( don't need redis or mariadb).
Why only 10 seconds for explaining Unraid setup?
Because I felt like it
@@IBRACORP lol. Good one
I honstly like your Videos! Only the white screen is a bit painful for my eyes XD
Same for us believe me!
Authentik or Authelia?
soft soft by Image-Line Software
Authentik or authelia?
Still love Authelia! Does everything we need and lightweight. Authentik can offer more if that's what you need
Here bc of Poke
Poke?
The only thing keeping me from going all in on Authentik is the lack of a Crowdsec collection & bouncer, as we currently have for Authelia.
Pretty sure crowdsec and bouncer go through traefik/nginx not authentik? Could be wrong though
Worked thank you alot! you're the best bro liked
Thank you for watching!
I would like to congratulate you on your excellent work, I really like your videos.
I would like to ask if possible if you could record a video explaining how to run nginx-proxy-manager together with traefik inside portainer, honestly this is an extreme headache for me and I really need to learn, I believe this is the question of several followers. Thanks in advance.
Why would you want to do that? They both use 80/443, there would be conflicts and errors all over