Nginx websocket

[martijndierckx]

Describe your question/
I use the Passtrough proxy template provided by Authentik in Nginx Proxy Manger to make sure some of my apps are shielded by Authentik login. Works like a charm.
However, those apps also run a websocket. Which doesn't work in combination with the template.
In order to get it working, I have to add the following snippet:

location /socket.io {
    proxy_pass          $forward_scheme://$server:$port;
}

This makes the websocket publicly available, without Authentik auth. Not OK, but hard to guess ... So OK for now.
I would however want that websocket being protected as well.

Any ideas on how to update the Nginx config template for this?

Relevant infos
Apps encountering this problem: EVCC, Uptime Kuma

Version and Deployment (please complete the following information):

• authentik version: 2022.09
• Deployment: docker-compose, portainer

[kmanwar89]

+1 on this issue: I have an application (GoAccess, which provides a real-time dashboard for NGINX access logs) which requires WebSockets to provide the real-time updates. If I have the host behind Authentik, this websocket connectivity breaks.

My advanced configuration for Authentik is attached.

authentik_config_kmanwar89.txt

[kmanwar89]

Hey @martijndierckx - I just wanted to share that I fixed my issue. Referencing the authentik docs, I tried a few combinations of additional headers. What finally worked for me was just a single line under my location / {} stanza, shown below:

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
     proxy_set_header Upgrade $http_upgrade; <---------ADD HERE TO FIX GOACCESS

Once I added this, my websocket connectivity restored AND I can use Authentik.

I have read that Uptime Kuma breaks with Authentik, so I can try that next and report back. But I can report with confidence that this fix works with Nginx Proxy Manager (NPM), Authentik & GoAccess. The notes I made above were added as part of the Authentik config within NPM on the advanced tab of the proxy host.

[gibrich]

Same issue here with UptimeKuma and Authentik. Didn't help to just add "proxy_set_header Upgrade $http_upgrade;" either.

This is what my config looks like now:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://192.168.1.124:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://192.168.1.124:9000/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

[gibrich]

Just solved it! :)
Needed to add this too:

proxy_set_header Connection "upgrade";

So this is what my config looks like now:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://192.168.1.124:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://192.168.1.124:9000/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

[kmanwar89]

Just solved it! :) Needed to add this too:

proxy_set_header Connection "upgrade";

So this is what my config looks like now:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://192.168.1.124:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://192.168.1.124:9000/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

TY for this - UptimeKuma INSTANTLY breaks when I put it behind Authentik, and I've been told time and time again they are not compatible, but you are displaying the opposite here!

Unfortunately for me, I think my issue is moreso with Nginx Proxy Manager (NPM) than Authentik - I get the dreaded "500 Internal Server Error" when I try to drop in the Authentik config on the advanced tab. Shame :(

[martijndierckx]

Thanks!

I've added these lines to all my configs in NPM:

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # CUSTOM - Websocket behind authenticated proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

And can confirm this works for:

• Uptime Kuma
• EVCC

Photoprism also needs these lines:
`# pass original hostname and url to Nginx Proxy Manager, it might be needed for some apps to work
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;

# Extras for photoprism
proxy_set_header    X-Forwarded-Scheme $scheme;
proxy_set_header    X-Forwarded-Proto  $scheme;
proxy_set_header    X-Forwarded-For    $remote_addr;
proxy_http_version 1.1;`

Grafana also needs the below line, but still triggers a 403 on the websocket path:
proxy_set_header Host $host;

[thermoscookies]

In case anyone searches, this also worked for getting the map to load in teslamate, thank you!

` # Set any other headers your application might need

proxy_set_header Host $host;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";`

[joewashear007]

Thank for all the info, I was able to get I needed to add these lines for lscr.io/linuxserver/code-server:latest running behind authentik with these settings

proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade; 
proxy_set_header Connection "upgrade";