# Increase buffer size for large headers# This is needed only if you get 'upst

1. # Increase buffer size for large headers
2. # This is needed only if you get 'upstream sent too big header while reading response
3. # header from upstream' error when trying to access an application protected by goauthentik
4. proxy_buffers 8 16k;
5. proxy_buffer_size 32k;
6.  
7. # Make sure not to redirect traffic to a port 4443
8. port_in_redirect off;
9.  
10. location / {
11. # Put your proxy_pass to your application here
12. proxy_pass $forward_scheme://$server:$port;
13. # Set any other headers your application might need
14. # proxy_set_header Host $host;
15. # proxy_set_header ...
16.  
17. ##############################
18. # authentik-specific config
19. ##############################
20. auth_request /outpost.goauthentik.io/auth/nginx;
21. error_page 401 = u/goauthentik_proxy_signin;
22. auth_request_set $auth_cookie $upstream_http_set_cookie;
23. add_header Set-Cookie $auth_cookie;
24.  
25. # translate headers from the outposts back to the actual upstream
26. auth_request_set $authentik_username $upstream_http_x_authentik_username;
27. auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
28. auth_request_set $authentik_email $upstream_http_x_authentik_email;
29. auth_request_set $authentik_name $upstream_http_x_authentik_name;
30. auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
31.  
32. proxy_set_header X-authentik-username $authentik_username;
33. proxy_set_header X-authentik-groups $authentik_groups;
34. proxy_set_header X-authentik-email $authentik_email;
35. proxy_set_header X-authentik-name $authentik_name;
36. proxy_set_header X-authentik-uid $authentik_uid;
37. }
38.  
39. # all requests to /outpost.goauthentik.io must be accessible without authentication
40. location /outpost.goauthentik.io {
41. proxy_pass http://authentik_IP_here:10005/outpost.goauthentik.io;
42. # ensure the host of this vserver matches your external URL you've configured
43. # in authentik
44. proxy_set_header Host $host;
45. proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
46. add_header Set-Cookie $auth_cookie;
47. auth_request_set $auth_cookie $upstream_http_set_cookie;
48. proxy_pass_request_body off;
49. proxy_set_header Content-Length "";
50. }
51.  
52. # Special location for when the /auth endpoint returns a 401,
53. # redirect to the /start URL which initiates SSO
54. location u/goauthentik_proxy_signin {
55. internal;
56. add_header Set-Cookie $auth_cookie;
57. return 302 /outpost.goauthentik.io/start?rd=$request_uri;
58. # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
59. # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
60. }