this post was submitted on 10 Dec 2024
15 points (94.1% liked)

Selfhosted

40734 readers
354 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

*** For anyone stumbling on this post, and is as newbie as I am right now, forward auth doesn't work with FireflyIII.

I thought that forward auth was the same as a proxy, but in this case, it is the proxy that provides the x-authentik tags.

So for Firefly, set up Authentik as a proxy provider and not a forward auth.

I haven't figured out the rest yet, but at least, x-authentik-email is in my header now.

Good luck ***

Hello,

I am trying to setup Authentik to do a forward auth for Firefly3, using caddy. I am trying to learn External authentication so my knowledge is limited.

My setup is as follows.

By looking at the Firefly doc Firefly doc, I need to set AUTHENTICATION_GUARD=remote_user_guard AUTHENTICATION_GUARD_HEADER=HTTP_X_AUTHENTIK_EMAIL in my .env file. I used the base .env file provided by Firefly and modified only these two lines

Then, in my Authentik, I made a forward auth for a single application for firefly. This part seem to work because the redirection is made. The external host is my Firefly ip address.

Then from the example provided in the Authentik provider, I created my caddy file on the Firefly container to redirect port 80 to my custom port 9080.

:80 {
        # directive execution order is only as stated if enclosed with route.
        route {
                # always forward outpost path to actual outpost
                reverse_proxy /outpost.goauthentik.io/* http://10.0.1.7:9080/

                # forward authentication to outpost
                forward_auth http://10.0.1.7:9080/ {
                        uri /outpost.goauthentik.io/auth/caddy

                        # capitalization of the headers is important, otherwise they will be empty
                        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Me>

                        # optional, in this config trust all private ranges, should probably be set to the outposts IP
                        trusted_proxies private_ranges
                }

        }
}

EDIT : The IP address of Firefly is 10.0.1.8

When I try to go on my Firefly app, the Authentik redirection is made and it tries to connect to the Firefly webpage,but I either get unable to connect when I try the https, or Looks like there’s a problem with this site when I try to connect with http.

I see that the connection is refused in both case.

I made sure that my email on my account on firefly matches the email from the Authentik user.

I tried googling my problem to no avail and the Firefly documentation is pretty scarce.

Any help would be welcome.

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

We need networking info to be able to tell what is happening here. If you didn't change the "outpost_ip" placeholder, that's your problem.

Best to not use hostnames. Use the actual IP address.

[–] [email protected] 1 points 2 weeks ago

I edited the post. Since it's all local it's fine to show the IP. It's just a reflex to hide my ips.

I use IP directly as I don't have a local domain configured properly.

The outpost ip in my configuration file is the same provided in the outpost on Authentik.

I am trying to get it to work still, but I am pretty sure that the issue is between Authentik and Firefly.

I don't see any of the headers (x-authentik-email more specifically) specified in the caddy file when Authentik is sending the request to Firefly. The only header I see is x-authentik-auth-callback.

I am not sure how I can specify which headers are sent in Authentik.