# Increase buffer size for large headers# This is needed only if you get 'upst

1. # Increase buffer size for large headers
2. # This is needed only if you get 'upstream sent too big header while reading response
3. # header from upstream' error when trying to access an application protected by goauthentik
4. proxy_buffers 8 16k;
5. proxy_buffer_size 32k;
6.  
7. # Make sure not to redirect traffic to a port 4443
8. port_in_redirect off;
9.  
10. location / {
11.     # Put your proxy_pass to your application here
12.     proxy_pass          $forward_scheme://$server:$port;
13.     # Set any other headers your application might need
14.     # proxy_set_header Host $host;
15.     # proxy_set_header ...
16.  
17.     ##############################
18.     # authentik-specific config
19.     ##############################
20.     auth_request     /outpost.goauthentik.io/auth/nginx;
21.     error_page       401 = @goauthentik_proxy_signin;
22.     auth_request_set $auth_cookie $upstream_http_set_cookie;
23.     add_header       Set-Cookie $auth_cookie;
24.  
25.     # translate headers from the outposts back to the actual upstream
26.     auth_request_set $authentik_username $upstream_http_x_authentik_username;
27.     auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
28.     auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
29.     auth_request_set $authentik_email $upstream_http_x_authentik_email;
30.     auth_request_set $authentik_name $upstream_http_x_authentik_name;
31.     auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
32.  
33.     proxy_set_header X-authentik-username $authentik_username;
34.     proxy_set_header X-authentik-groups $authentik_groups;
35.     proxy_set_header X-authentik-entitlements $authentik_entitlements;
36.     proxy_set_header X-authentik-email $authentik_email;
37.     proxy_set_header X-authentik-name $authentik_name;
38.     proxy_set_header X-authentik-uid $authentik_uid;
39.  
40.     # This section should be uncommented when the "Send HTTP Basic authentication" option
41.     # is enabled in the proxy provider
42.     # auth_request_set $authentik_auth $upstream_http_authorization;
43.     # proxy_set_header Authorization $authentik_auth;
44. }
45.  
46. # all requests to /outpost.goauthentik.io must be accessible without authentication
47. location /outpost.goauthentik.io {
48.     # When using the embedded outpost, use:
49.     proxy_pass              http://192.168.0.9:9000/outpost.goauthentik.io;
50.     # For manual outpost deployments:
51.     # proxy_pass              http://outpost.company:9000;
52.  
53.     # Note: ensure the Host header matches your external authentik URL:
54.     proxy_set_header        Host $host;
55.  
56.     proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
57.     add_header              Set-Cookie $auth_cookie;
58.     auth_request_set        $auth_cookie $upstream_http_set_cookie;
59.     proxy_pass_request_body off;
60.     proxy_set_header        Content-Length "";
61. }
62.  
63. # Special location for when the /auth endpoint returns a 401,
64. # redirect to the /start URL which initiates SSO
65. location @goauthentik_proxy_signin {
66.     internal;
67.     add_header Set-Cookie $auth_cookie;
68.     return 302 /outpost.goauthentik.io/start?rd=$request_uri;
69.     # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
70.     # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
71. }