Accessing Proxmox VE using Authentik openID, and NGINX Proxy Manager

[mgrimace]

Hello, I have Authentik setup to login using openID to my Proxmox VE (using the official Authentik guide). It will work directly, for example if select the Authentik realm during login.

However, I have not been able to add NGINX proxy manager (NPM) as my reverse proxy like I have for my other apps to force visitors to use Authentik. Typically, I use the advanced config section, and paste in the default config provided by Authentik.

However, in this case, when I add the default advanced config file, it creates a 500 error. I'm not sure if that's because the 'usual' advanced config points to an outpost, where the openID isn't using an outpost like my other apps (though I'm new to Authentik and this is all muddled for me).

I found some that others have had success using the following config, but it's still not working for me:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://IP:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.anexcore.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Does anyone have any advice or suggestions for how to get Proxmox VE working with Authentik's openID and NPM?

[mgrimace]

As a potential solution, would it make sense to have a forwardauth provider and app for proxmox VE and an openID provider? As in, two apps in Authentik?

[mgrimace]

To follow-up:

As far as I can tell I have Authentik working with NPM to access the Proxmox VE using both OpenID and Forward Authentication. My desired outcome is to put Proxmox VE behind Authentik (forwardauth), and also have a convenient openID login (OpenID). This makes it almost a single-sign-on experience with Authentik.

1. Setup ForwardAuth as 'usual' using advanced config provided in the metadata for NPM, and adding the following:

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;

3. Setup OpenID per the Authentik guide linked, though I omitted (did not include) the port number where it says to in the guide since I mapped the port in NPM to proxmox.mydomain.com already.

Noting as a result there are two apps, two providers, and one outpost in Authentik now for Proxmox, but it seems to work as expected. I'm not sure if there's a 'smarter' way to do this or to somehow combine both providers into one app.