proxy authentik and dav with sso

2025-01-21 00:16:31 +00:00 · 2025-01-21 00:16:31 +00:00 · 5bbfdddaaa
commit 5bbfdddaaa
parent 3a98bf89b6
4 changed files with 70 additions and 58 deletions
--- a/hosts/cloud/proxy/auth.nix
+++ b/hosts/cloud/proxy/auth.nix
@ -1,23 +1,35 @@
 { ... }:
 {
-  services.nginx.upstreams.keycloak = {
+  services.nginx.upstreams.authentik = {
    servers = {
-      "10.89.88.11:38080" = { };
-      "[fd31:185d:722f::11]:38080" = { };
+      "10.89.88.11:9000" = { };
+      "[fd31:185d:722f::11]:9000" = { };
    };
+    extraConfig = ''
+      keepalive 10;
+    '';
  };

  services.nginx.virtualHosts."auth.oxapentane.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://keycloak";
+      proxyPass = "http://authentik";
      extraConfig = ''
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Port 433;
+        # general proxy settings
+	    proxy_connect_timeout   60s;
+	    proxy_send_timeout      60s;
+	    proxy_read_timeout      60s;
+	    proxy_http_version      1.1;
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Server $host;
+        # authentik specifik
+        proxy_set_header        Upgrade $http_upgrade;
+        proxy_set_header        Connection $connection_upgrade_keepalive;
      '';
    };
  };