fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the request falls through to the embedded outpost, pinned to the application host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
This commit is contained in:
parent
2ba0c07cd3
commit
2206b809e7
6 changed files with 59 additions and 14 deletions
@ -15,12 +15,16 @@ garage_webui_enabled: true
# Gate the WebUI behind authentik (admins-only, via policy-binding on the
# authentik proxy app). Replaces the htpasswd Basic-Auth — AUTH_USER_PASS
# is dropped from the compose env when this is true. The forwardauth URL
# resolves to the application-host traefik (network alias
# `auth.gymb.souveredu.ch` -> authentik-server-1 in the proxy network on
# the application host), but THIS host (storage) is in a different LAN,
# so traefik here reaches it via the public name through the DMZ proxy.
# uses a dedicated outpost-only FQDN that's deliberately outside
# authentik_domains so Authentik routes it to the embedded outpost (not
# ASGI). The public auth.gymb.* FQDN would 404 here — Authentik routes
# any Host matching an auth-domain to ASGI which doesn't serve the outpost
# path. The outpost itself then matches the protected app via
# X-Forwarded-Host (Traefik forwards it via trustForwardHeader=true).
# The FQDN is pinned to the application host via traefik_extra_hosts so
# the request stays in the LAN.
garage_webui_authentik_forward_auth: true
garage_webui_authentik_forward_auth_url: "https://auth.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
garage_webui_authentik_forward_auth_url: "https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
# Kept for completeness — only used when authentik ForwardAuth is off.
garage_webui_username: "admin"
garage_webui_password: "{{ _garage.webui_password | default('disabled') }}"
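Review bot: the comment block no longer reads as a sentence where `# the application host), but THIS host (storage) is in a different LAN,` is now followed directly by the new `# uses a dedicated outpost-only FQDN that's deliberately outside`; the removed "so traefik here reaches it via the public name" clause was the predicate, so rewrite the lead-in along the lines of `# the application host). THIS host (storage) is in a different LAN, so it` so the added line attaches cleanly. Also, since `garage_webui_authentik_forward_auth_url` now points at `https://outpost.auth.int.gymb.souveredu.ch/...` and the name is pinned to the application host via traefik_extra_hosts instead of going through the DMZ proxy, the application-host Traefik must present a certificate valid for that FQDN; confirm the forwardauth middleware does not depend on skipping TLS verification, and that the storage Traefik only forwards X-Forwarded-Host values it sets itself, because the outpost uses that header to select the protected app.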