- Change reverse_proxy from https:// to http:// backend
- Use authentik_http_port instead of authentik_https_port
- Remove unnecessary TLS transport configuration
- Remove health check for non-existent endpoint

This aligns the Ansible template with the working configuration, where authentik only serves HTTP internally and Caddy handles SSL.
# Authentik Authentication Service
|
|
{{ authentik_domain }} {
|
|
reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }} {
|
|
header_up Host {host}
|
|
header_up X-Real-IP {remote_host}
|
|
header_up X-Forwarded-Proto https
|
|
header_up X-Forwarded-For {remote_host}
|
|
header_up X-Forwarded-Host {host}
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
X-Frame-Options SAMEORIGIN
|
|
X-Content-Type-Options nosniff
|
|
X-XSS-Protection "1; mode=block"
|
|
Referrer-Policy strict-origin-when-cross-origin
|
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
}
|
|
|
|
# Authentik-specific paths
|
|
handle_path /outpost.goauthentik.io/* {
|
|
reverse_proxy http://{{ authentik_bind_address }}:{{ authentik_http_port }}
|
|
}
|
|
|
|
# Logging
|
|
log {
|
|
output file {{ caddy_log_dir }}/authentik.log
|
|
level INFO
|
|
format json
|
|
}
|
|
}
|
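Review bot: Both reverse_proxy directives now send plaintext HTTP to `{{ authentik_bind_address }}:{{ authentik_http_port }}`, so session cookies and login credentials are protected only as far as that address is a loopback or private container-network interface, and the template should state that assumption next to the first reverse_proxy, e.g. `# authentik is reached over plain HTTP: authentik_bind_address must be loopback or a private network; Caddy terminates TLS for this host`. Relatedly, `header_up X-Forwarded-Proto https` is a hard-coded literal that is only correct because this site block is served over TLS by Caddy, which deserves a one-line comment so it is not copied into an HTTP-only block; Caddy's reverse_proxy already sets X-Forwarded-For and X-Forwarded-Proto by default, so those header_up lines are redundant but harmless. Under `handle_path /outpost.goauthentik.io/*` Caddy strips the matched prefix before proxying, which I believe the embedded outpost does not expect; if that is the case the block should use `handle` instead, or be dropped, since the catch-all reverse_proxy above already covers that path. The X-XSS-Protection header is deprecated in current browsers and can be removed. If a health check is wanted again later, authentik exposes `/-/health/ready/` rather than the endpoint the commit removed — confirm against the deployed version.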