I'm currently beating my head up against Authentik. What I'm trying to do is to use Authentik to secure an unsecured service, like VS-Code server. Supposedly I can do this by pointing the domain to the Authentik server and then Authentik's proxy points to the Code Server, but everything that I try either redirects back to Authentik or just gives me a blank screen.
Authentik and VS-Code are both running on the same system in docker, with my reverse proxy on another system.
The DNS (pihole) for both code.test and auth.test point to my reverse proxy running Caddy, and all of this is running local network only.
Any ideas what I am missing? Any help would be appreciated.
Caddyfile:
code.test.example.com {
tls internal
reverse_proxy auth.test.example.com
}
auth.test.example.com {
tls internal
reverse_proxy 192.168.1.110:9000
}
Authentik Proxy Provider:
External host: https://code.test.example.com
Internal host: http://192.168.1.110:8443
Internal host SSL Validation = false
VS-Code Server docker-compose.yaml:
version: "2.1"
services:
code-server:
image: lscr.io/linuxserver/code-server:latest
container_name: code-server
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
#- PASSWORD= #optional
#- HASHED_PASSWORD= #optional
- SUDO_PASSWORD=Password #optional
#- SUDO_PASSWORD_HASH= #optional
- PROXY_DOMAIN=code.test.example.com #optional
- DEFAULT_WORKSPACE=/config/workspace #optional
volumes:
- ./config:/config
ports:
- 8443:8443
restart: unless-stopped
Authentik docker-compose.yaml:
***
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
depends_on:
- postgresql
- redis
volumes:
database:
driver: local
redis:
driver: local
why? basic password protection (the one that comes by default) - is working for me just fine + haproxy as reverse proxy for tls.
Been using one vs code server for coding for years and another one for notes. - but I dont expose this to the internet without VPN
My goal is not so much to add authentication to VS Code ( I agree it’s built in function is fine for local network use and I likely would not be putting it on the open net), but rather to learn to use Authentik. In the end I would like all of my services (or rather, as many as possible) using a single login provider.
Right now, I have 15 services running, each of which have their own authentication system with their own user names and passwords. It gets annoying, especially when my family members also use many of the services I run. I wanted a single place I could go to add and administer user accounts.
I could do this many ways, (LDAP, Authelia, KeyCloak) but I chose Authentik because it appeares to support everything I currently run, with the possible exception of Home Assistant and Jellyfin.