Securing my Remote access using Authentik+NGINX

Hey Networking experts,

I am running TrueNAS Scale 24.10 on a Dell T20 and want to make some of the apps I have running on it available remotely. I have limited experience with Linux, TrueNAS Scale and the CLI. I prefer GUI-based interfaces.

I already set up a VPN for a connection to the apps. Now I want to change that and make some apps (i.e. NextCloud) available through my domain.

I have already set up the NGINX Proxy Manager app as a reverse proxy. I now have access to NextCloud through https://NextCloud.mydomain.tld. The SSL certificates are from Let's Encrypt via NGINX.

I now want to add 2FA with SSO for all apps. I first tried Authelia but couldn’t get the configuration right… mainly because of my lacking CLI skills.

I then switched to the Authentik app. Setting up Authentik worked after initial struggles. Now I have set up a Provider (Proxy-Provider, …implicit-consent, Forward auth (single application), external host: https://nextcloud.mydomain.tld), an Application, and added the Application to the Outpost.

As shown in most tutorials I found, I added the custom configuration in NGINX for my NextCloud reverse proxy (see below) as well as a new reverse proxy for Authentik.

As you can see in the config below, I have set location / { proxy_pass to my local IP with the port for Nextcloud, and my location /outpost.goauthentik.io { proxy_pass to my local IP with the HTTP port of Authentik.

From my local network I get the expected behaviour: if I access https://Nextcloud.mydomain.tld I get redirected to Authentik (local IP), can log in and can then log into Nextcloud (local IP). Obviously this does not work remotely because I cannot access the IPs over the web (it works with a VPN). One strange thing: although I specified port 30140 for Authentik I am redirected to port 30141. I assume this has something to do with the SSL certification. If I set

proxy_pass https://mylocalip:30141/outpost.goauthentik.io;

it works as well. Now I want to access this remotely using

https://authentik.mydomain.tld/
https://nextcloud.mydomain.tld/

And here is where everything breaks. I only get server error 500. From what I read it may have to do with SSL/HTTPS certification issues (both domains/links from NGINX work fine on their own) and/or header issues (which I really do not understand).

I think this is an issue someone with more experience can solve easily, but I am really stuck. I tried multiple different solutions I found online but none worked (maybe again because of my lacking knowledge/skill to implement these correctly). I also tried to completely disable SSL/HTTPS in NGINX (removing certificates and setting the scheme to http) but this did not help.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          http://mylocalip:30027/;
    #proxy_pass          https://nextcloud.mydomain.tld/;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-entitlements $authentik_entitlements;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    # auth_request_set $authentik_auth $upstream_http_authorization;
    # proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    #proxy_pass              https://authentik.mydomain.tld/outpost.goauthentik.io;
    proxy_pass              http://mylocalip:30140/outpost.goauthentik.io;

    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
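The forward-auth flow the config above wires up is easier to reason about when both halves are visible side by side: the outpost's /outpost.goauthentik.io/auth/nginx endpoint answering the auth_request subrequest, and the location / block turning a 401 into the @goauthentik_proxy_signin redirect or, on 200, copying the X-authentik-* headers onto the request it proxies to Nextcloud. The Python below is an added model of that exchange, not code from the thread or from the authentik project; the session store, the cookie name `authentik_proxy` and the identities are constructed for the demo, and the hostnames and ports are taken from the config above. It also includes a small check that a redirect target is something a browser outside the LAN can reach, which is the property that separates "works via VPN" from "works remotely".

```python
"""Model of the nginx forward-auth flow from the posted config (added example).

Simulated pieces:
  * outpost_auth_nginx(): the /outpost.goauthentik.io/auth/nginx endpoint that
    the `auth_request` subrequest hits (200 + identity headers, or 401).
  * nginx_location_root(): the `location /` block: auth_request, the
    `error_page 401 = @goauthentik_proxy_signin` redirect, and the
    auth_request_set / proxy_set_header translation of X-authentik-* headers.
  * redirect_target_is_public(): sanity check on a Location header.
"""
import ipaddress
from urllib.parse import urlparse

PUBLIC_HOST = "nextcloud.mydomain.tld"        # external host from the post
NEXTCLOUD_UPSTREAM = "http://mylocalip:30027"  # proxy_pass target from the post
OUTPOST_PREFIX = "/outpost.goauthentik.io"
SESSION_COOKIE = "authentik_proxy"             # assumed cookie name (constructed)

# Constructed session store: cookie value -> identity the outpost would report.
SESSIONS = {
    "sess-alice": {"username": "alice", "groups": "admins,users",
                   "email": "alice@mydomain.tld"},
}

# The X-authentik-* headers the posted config translates for the upstream.
TRANSLATED = ("username", "groups", "email")


def outpost_auth_nginx(cookies):
    """Target of `auth_request /outpost.goauthentik.io/auth/nginx`.

    Returns (status, response_headers). The headers are what nginx exposes as
    $upstream_http_x_authentik_* to the auth_request_set directives.
    """
    ident = SESSIONS.get(cookies.get(SESSION_COOKIE))
    if ident is None:
        return 401, {}
    return 200, {f"x-authentik-{name}": ident[name] for name in TRANSLATED}


def nginx_location_root(scheme, host, request_uri, client_headers, cookies):
    """Simulate the `location /` block for one client request.

    Returns a dict describing either the 302 issued by @goauthentik_proxy_signin
    or the request that would be proxied to Nextcloud.
    """
    status, auth_headers = outpost_auth_nginx(cookies)
    if status == 401:
        # error_page 401 = @goauthentik_proxy_signin ->
        # return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri
        # nginx makes the relative Location absolute using the request's Host.
        rd = f"{scheme}://{host}{request_uri}"
        return {"status": 302,
                "location": f"{scheme}://{host}{OUTPOST_PREFIX}/start?rd={rd}"}

    # 200: proxy_set_header REPLACES any X-authentik-* header the client sent,
    # so Nextcloud only ever sees identity values that came from the outpost.
    upstream_headers = {k: v for k, v in client_headers.items()
                        if not k.lower().startswith("x-authentik-")}
    for name in TRANSLATED:
        upstream_headers[f"X-authentik-{name}"] = auth_headers.get(
            f"x-authentik-{name}", "")
    return {"status": 200,
            "proxy_pass": NEXTCLOUD_UPSTREAM + request_uri,
            "headers": upstream_headers}


def redirect_target_is_public(location):
    """True if the Location host is a name/address a remote browser can reach.

    A redirect to a private LAN IP (or localhost) only works from inside the
    network or over the VPN, which is the symptom described in the post.
    """
    host = urlparse(location).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, so a hostname
        return host not in ("", "localhost")


if __name__ == "__main__":
    anon = nginx_location_root("https", PUBLIC_HOST, "/apps/files", {}, {})
    print(anon["status"], anon["location"], redirect_target_is_public(anon["location"]))
    authed = nginx_location_root("https", PUBLIC_HOST, "/",
                                 {"X-authentik-username": "admin", "Accept": "*/*"},
                                 {SESSION_COOKIE: "sess-alice"})
    print(authed["status"], authed["proxy_pass"], authed["headers"])
```

Two things the run makes visible: the `rd=` value is built from `$scheme://$http_host$request_uri`, so with a public Host header the sign-in round trip never references a LAN address, and a client that sends its own `X-authentik-username` still reaches Nextcloud as the identity the outpost reported, because proxy_set_header overwrites it.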

I’m not a network guy, but I have a tiny bit of experience in exposing my homelab services.


First of all, you leaked your domain name. IMO this is not a big deal, but I think you should know.

Secondly, I’ve tried to access nextcloud.yourdomain.tld and authentik.yourdomain.tld and saw the login screens. In the case of nextcloud, that was a nextcloud login page (non-authentik).

So if your issue was

, it seems that you have already resolved it.

Thanks for the hint. I have removed the leak.

No, I have actually left the reverse proxy in NGINX enabled to test some things within Nextcloud and stripped the config for Authentik.

So at the moment I use the 2FA within Nextcloud but want to use Authentik as an added security layer. So if I go to nextcloud.mydomain.tld I want to be redirected to Authentik, and if I enter the login data correctly I want to be redirected to the Nextcloud login.

If I re-enable the settings as listed in my initial post, I still get Error 500.

Actually, you didn’t. Anyone can see the post’s change history.

You do not plan to use Authentik as SSO?

I’ve searched a tad about nextcloud integration with authentik. Seems like I can’t help (because my general knowledge/experience won’t help with the case).

Maybe my description was a little misleading. Later on I want to use Authentik as an SSO for all the apps I run on my server.

But from what I understood, I first have to get it to properly “redirect” the access from the subdomains to Authentik and then back to the app. When that works, I can configure Authentik for SSO.

Example:
I try to access an app through nextcloud.mydomain.tld. Then I am redirected to Authentik instead of nextcloud. I sign into Authentik. I am then redirected to nextcloud (at this stage I will be redirected to the Nextcloud Login page because SSO in Authentik is not set up).

This behaviour works perfectly using the local IPs within my home network or via VPN. Exchanging the IP with app.mydomain.tld leads to error 500.

I tried to achieve this last year with Traefik as reverse proxy instead of NGINX, but I gave up in the end. As far as I can still remember you had to edit the Nextcloud config.php and either change or add some stuff, but even after I changed it I was never able to connect and always got the same error as you. In the end I just gave up and set a very safe password for all accounts and TFA.

Did you post only part of the config? Or is it just a file that is included in the “main” nginx config?

I’m asking because I can’t find the server { directive.

@LarsR Yes, I was thinking about this as well but there are some apps I want to use which do not have 2FA. For these I want to have an added security layer.

@swc-phil I add the custom config in the NGINX GUI:

All my other apps use authentik, just nextcloud and vaultwarden had issues

Welp, it says almost nothing to me, because I only used vanilla nginx swag as a reverse proxy, which is nginx + fail2ban + other stuff. Seems like NPM dynamically assembles its configuration.

Swag’s authentik configuration looks very similar to yours. But what’s more interesting – their nextcloud config doesn’t have an authentik section (even though other apps’ configs have such a section).

So, I’m out of ideas, but maybe you will find something useful in their configs.