Using Obligator to protect apps #25

Open
MitPitt opened this issue Mar 31, 2024 · 7 comments

@MitPitt

MitPitt commented Mar 31, 2024

Currently I am using Authentik to protect my apps. It is too slow and I would like to use Obligator instead. As I understand it, forward auth is the needed feature for this kind of stuff. But I can't wrap my head around what settings I need to specify in my reverse proxy.

I'm using Authentik with Caddy and this setup: https://docs.goauthentik.io/docs/providers/proxy/server_caddy

This way, when someone tries to access an app, he is first redirected to an outpost, where he must log in.

Please let me know if this is possible to do with Obligator.

@anderspitman
Collaborator

Hey @MitPitt, forward auth should be what you want. This functionality is currently broken in obligator (it's not used by LastLogin), but it should be pretty easy for me to fix. The settings should be almost the same as Authentik. Do you know what Authentik headers you're currently making use of?

@MitPitt
Author

MitPitt commented Apr 1, 2024

I'm protecting a dashboard and some other static pages, which do not require authorization. Hence I am not making use of any headers. Just protecting the dashboard with an authentication layer.

In the Caddy config I linked above, the uri /outpost.goauthentik.io/auth/caddy looks like a feature of Authentik which seems to autofill the auth request. Obligator should have something similar.

@anderspitman
Collaborator

Ah ok you should be good to go then. Just use the /validate endpoint on the obligator server. Note that vouch might be a more battle-tested alternative that will work for you.

@anderspitman
Collaborator

@MitPitt I just did a new beta release so you don't have to build manually if you wanted to try this.

@MitPitt
Author

MitPitt commented Apr 2, 2024

Would you also mind building a Docker image, please? I noticed that the latest image on Docker Hub is 6 months old now.

@MitPitt
Author

MitPitt commented Apr 8, 2024

I tried running the binary now with ./obligator-linux-x64-0.2.0 -storage-dir ./data -root-uri https://obligator.mywebsite.com -port 1616 -api-socket-dir ./api

Now it shows 404 page not found when I visit obligator.mywebsite.com. This doesn't happen when I run the binary of the previous version (Beta 0.1.0) in the same way.

I also tried the following Caddyfile:

obligator.mysebsite.com {
    reverse_proxy localhost:1616
}

mysebsite.com {
    reverse_proxy /auth* http://obligator.mysebsite.com:1616

    forward_auth http://obligator.mysebsite.com:1616 {
        uri /validate
    }

    # the app i'm protecting
    reverse_proxy localhost:1234 
}

Shows client_id missing at https://obligator.mysebsite.com/auth?client_id=&redirect_uri=&response_type=code&state=&scope=
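
Added example, not part of the thread and not obligator's code: a sketch of the contract a forward-auth endpoint such as /validate has with Caddy's forward_auth, where a 2xx answer lets the request through and any other answer is returned to the client. The cookie name, session store, client ID, example.com hosts and the mapping of the original URL to redirect_uri are assumptions; the handler fails closed instead of building a login redirect from missing forwarded headers.

```python
# Added illustration; not obligator's implementation. The cookie name, session
# store, client ID and example.com hosts below are assumptions.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

LOGIN_URL = "https://auth.example.com/auth"   # hypothetical auth server
CLIENT_ID = "https://app.example.com"         # hypothetical client identifier
ALLOWED_HOSTS = {"app.example.com"}           # hosts this endpoint may protect
SESSIONS = {"constructed-session-token": "alice@example.com"}  # constructed data


def validate(headers):
    """Answer one forward-auth subrequest with (status, response_headers).

    Caddy's forward_auth passes the original request headers along with
    X-Forwarded-Method and X-Forwarded-Uri. A 2xx answer lets the request
    continue to the protected app; any other answer goes back to the client.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cookie = SimpleCookie(h.get("cookie", ""))
    token = cookie["session"].value if "session" in cookie else ""
    user = SESSIONS.get(token)
    if user:
        # Authenticated: the proxy can copy this header to the upstream app.
        return 200, {"Remote-User": user}

    proto = h.get("x-forwarded-proto", "")
    host = h.get("x-forwarded-host", "")
    uri = h.get("x-forwarded-uri", "")
    # Fail closed: forwarded values are request-derived, so only build a login
    # redirect for a known host and a path-absolute URI, never from blanks.
    if proto not in ("http", "https") or host not in ALLOWED_HOSTS:
        return 403, {}
    if not uri.startswith("/") or uri.startswith("//"):
        return 403, {}

    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": f"{proto}://{host}{uri}",  # hypothetical return target
        "response_type": "code",
        "state": secrets.token_urlsafe(16),   # must be checked on the callback
        "scope": "",
    })
    return 302, {"Location": f"{LOGIN_URL}?{query}"}
```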

@anderspitman
Collaborator

Hey @MitPitt, sorry I'm traveling at the moment, but I'll take a look at this when I get back.
