Authentik was one of my very first projects when setting up my home lab. I'm beyond this now, but one of the best configurations I had was OpenID with Cloudflare Zero & a bunch of application & firewall rules while messing around with FWaaS. Of course the most tedious process was setting up OTP with YubiKeys; I'll never forget the hours on end messing with policies and flows. I've been in CyberSec professionally for a while since then. I stumbled across this channel last week & your vids have been background music since, but I must say this channel is without doubt the easiest to follow along; the explanations are fantastic! Loving the content, breath of fresh air.
@Jims-Garage
11 months ago
Thanks so much for the feedback, and hello to a fellow cyber security professional 👋 You have an interesting setup; I'll likely move on to hardware tokens further down the road.
@boukeelsinghorst4848
4 months ago
@Jims-Garage I'd love to see a video on forcing 2FA on all applications using Authentik; that would be a great benefit in my opinion.
@roellert
3 months ago
FINALLY a video that helped me set this up!! Now the only thing left is to figure out how to go from here to single-application ForwardAuth.
@Jims-Garage
3 months ago
Glad it helped!
@PW-72648
1 month ago
Literally the first time in my life I needed to go through YT videos pausing to understand something. Authentik, while powerful, proved to be a clusterf... for me, but man... your explanations, Jim, are superb! // A few restarts later it works, lol 🤔
@Jims-Garage
1 month ago
Glad I could help! I often find a restart of containers sorts things out.
@randyyang5574
1 month ago
This is what I want to achieve: proxy + OAuth. Thanks for sharing.
@Jims-Garage
1 month ago
Glad it was helpful!
@chrisumali9841
11 months ago
Thanks for the demo and info, have a great day.
@Jims-Garage
11 months ago
Thanks, Chris.
@TheGrumpyCyclist
11 months ago
Great videos! Keep it up! I am actually doing the same thing as we speak :) Perfect timing.
@Jims-Garage
11 months ago
Thanks, stay tuned for keycloak...
@bluesquadron593
11 months ago
Haha, same here. Did some stuff differently a bit though.
@ppaliwal89
8 months ago
As usual, the videos are great. One suggestion I would like to make here is that it would be good if you showed where you are getting some of these things from; for example, the forward auth configuration is available in Authentik's documentation, but you didn't mention/encourage/point the viewers in that direction. If you can add that information as well, it would be a lot more helpful, and people would then be able to go figure out problems on their own rather than relying on the current spoon-fed info. Another thing is that your videos are still fresh, and so are the configurations, but a year down the line a lot of it might not be fresh; at that point, the official documentation would be really helpful to bridge the gaps.
@Jims-Garage
8 months ago
Thanks for the feedback. I do endeavour to keep the configs up to date on GitHub. If there are significant changes, I'll likely do another video.
@BladeWDR
5 months ago
At 10:25-ish it's slightly confusing, because you show creating a new Outpost, but the settings you use here only work if you select the embedded Outpost. It took me a few minutes of fumbling around to figure that out. You can have Authentik dynamically create new outposts with the local Docker connection, but you'll need to either remove the ports it's exposing or change the external ones to something else, as the containers it spawns also listen on 9443. EDIT: after playing with this some more, I definitely prefer manually deploying the outpost container, so I can set the name, dispense with the exposed ports, and connect it to the existing Docker network.
@Jr-hv1ct
11 months ago
You read multiple minds. I had seen you post the Authentik video and didn't get to watch it yet, but a question I had was: are you using both, or which replaces the other? Thanks Jim, keep up the great work, it is much appreciated.
@Jims-Garage
11 months ago
You're welcome, glad you're enjoying the content. You have some choices to make now, haha.
@Jr-hv1ct
11 months ago
@Jims-Garage Yup, just have to set some time aside to review all the content and start building. Work is a little rough at the moment, so when things settle on my end.
@Jims-Garage
11 months ago
@Jr-hv1ct One thing there's never enough of: time! Well, at least the videos aren't going anywhere, and if you need help/advice, jump into the Discord and we can help you out.
@Jr-hv1ct
11 months ago
@Jims-Garage Yup, it's true. Noted, and thanks again.
@fedefede843
11 months ago
Nice content! Congrats
@Jims-Garage
11 months ago
Thanks!
@lsik231l
2 months ago
Hey mate. In your Authentik videos, I've noticed that your compose YAML files don't have the Authentik secret key entries to pull from your .env file. Is that on purpose, or an oversight/not required?
@zakhounet
2 months ago
Hey, first of all thanks for your videos; they are very inspiring (at least for me ☺). I have one question: I am running TrueNAS Scale (bare metal) on Traefik and I'm wondering if I can get logged in via Authentik? If so, how?
@Jims-Garage
2 months ago
I don't believe it's supported natively.
@buzzy_cnayl
4 months ago
Bit confusing setting up the outpost, as it starts out called "Domain Forward Auth Provider" but then magically becomes "authentik Embedded Outpost"?
@lsik231l
2 months ago
I had an issue with this, too. What I think he did (and what ended up working for me) was to simply edit the existing outpost. Authentik automatically creates this embedded outpost. I couldn't get a new one to work/communicate. So I re-watched that part and noticed that instead of creating a new one, he was actually using the embedded outpost (but modified with the inputs he explained). And, boom, it finally worked for me. The only app I can't get to work with this is Pihole. I think it has to do with the /admin requirement. I can't figure out how to strip it.
@dylanpremo5290
2 months ago
@lsik231l That's been my experience too. It works with the embedded outpost; it doesn't work with a created one. I've spent the last 10 hours trying to get it working with a created outpost (like he talks about in the video), and I just feel like putting my head through a wall. I really need at least one other outpost though, so I can have two separate URLs for two separate Traefik middlewares and use groups to restrict access to admin-only apps. Basically, to have a User Forward Auth middleware and an Admin Forward Auth middleware, to be applied to each application via Traefik labels as needed.
@marcussteck3782
1 month ago
From my point of view the current version 2024.6.1 does not run very stably, and it's very hard to change things if the application is losing the session every couple of minutes. I saw that this is a very buggy version on the GitHub forum. I will test 2024.4.3 now, because this was suggested by a user on the forum. Did you get similar issues?
@Jims-Garage
1 month ago
I have also witnessed this behaviour; that's likely what was happening in my recent Headscale video...
@fulesmackofule
8 months ago
I want to achieve push-notification 2FA through a free provider/solution. Authelia uses Duo, which is not free. Is there an alternative way to configure it? Does Authentik support something like this? Unfortunately, the video only showed things up to the point where it is installed, and no use cases were presented. Thanks for any help!
@xiaxiao7567
10 months ago
When logging out of Authentik the proxy session is still kept. Has anyone solved this problem?
@mmospanenko
1 month ago
Try to reduce the session cache time.
@CC-zr6fp
2 months ago
Should I have watched a video before this one? I don't have the env file, so I'm not sure if it will work. Should I watch something else first?
@DigiDoc101
11 months ago
Great video. Thank you. Do you recommend deploying this in a DMZ VLAN and forwarding to the server VLAN from a security standpoint, or just using an external network pointing to the DMZ, as you showed in another video, to secure other local services?
@Jims-Garage
11 months ago
I don't think it matters too much, but from a security perspective micro-segmentation is always better. Try it first and decide later.
@redstormsju777
5 months ago
Currently using a cloudflared tunnel... would this be better? Can this be used with tunnels?
@Jims-Garage
5 months ago
I prefer not to use tunnels due to privacy. I like Authentik as I have full control. It's all personal preference though. Try it and see.
@redstormsju777
5 months ago
@Jims-Garage I will check it out... will I need to port forward? 443, 80 or both? My current setup is Docker on my Synology.
@MrNolimitech
8 months ago
How are Portainer and Authentik not in conflict on port 9000 if they both use Traefik? Did you change Portainer's port? Are they running in the same Docker or server?
@Jims-Garage
8 months ago
You can run many servers on the same port behind a reverse proxy; that's one of the main advantages. It routes traffic based on the container, not the IP:port.
@MrNolimitech
8 months ago
@Jims-Garage You're right. Great work. I just realized that it was Traefik that randomly picked a network when I had multiple networks inside a service. I had to name all my networks explicitly, even though I had "- traefik.docker.network=..." everywhere. Keep up the good job ;)
@CrsMthw
6 months ago
Traefik has its own load balancer. You do not need to expose ports like you would with Nginx Proxy Manager.
@pfroehlich
8 months ago
I split my Docker applications from one host to two hosts: one for admin stuff like Pihole, Authentik etc., the other for outbound applications. The formerly working configuration broke when Authentik ended up on a different host than the Traefik reverse proxy for the app. Just some mistake on my side, or do we need to change the Traefik/Authentik config when they don't share a (Docker) host? Traefik is on both hosts; should it be only on one? Thanks for any hints!
@Jims-Garage
8 months ago
You're good with a single Traefik; be sure to use an external service.
@pfroehlich
8 months ago
Solved... (I lost the overview). Expose port 9443 or 9000 (HTTPS or HTTP) in docker-compose.yaml for Authentik (server). Modify traefik/data/config.yml and use the external authentik.mydomain/outpost.go... instead of the Docker-internal authentik_server:9000/outpost...
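The Traefik side of the forward-auth setup discussed in the comments above (the middleware, the internal versus external outpost address, and the second middleware for a separately deployed outpost) as an added example; this is not the video's config file or Authentik's own, though the middleware address path and the `authResponseHeaders` list follow Authentik's Traefik documentation. Hostnames, the `https` entrypoint name, the `whoami` service and the `authentik-proxy-admin` container name are placeholders.

```yaml
# traefik/data/config.yml  (Traefik dynamic configuration, file provider)
# Added example, not the video's file. Hostnames and entrypoint are assumptions.
http:
  middlewares:
    # Forward-auth middleware pointing at the embedded outpost.
    authentik:
      forwardAuth:
        # Traefik and the authentik server share a docker network: use the container name.
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        # Traefik and authentik on different hosts: use the public URL instead
        # (authentik's 9000/9443 must then be reachable through that URL).
        # address: https://authentik.example.com/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    # Second middleware, pointing at a manually deployed proxy outpost
    # (hypothetical container name authentik-proxy-admin, listening on 9000).
    authentik-admin:
      forwardAuth:
        address: http://authentik-proxy-admin:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups

  routers:
    # The outpost callback path on the protected app's hostname must reach
    # authentik, otherwise the login redirect cannot complete on that domain.
    whoami-outpost:
      rule: "Host(`whoami.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: [https]
      service: authentik
      tls: {}
    # The protected app itself, with the forward-auth middleware attached.
    whoami:
      rule: "Host(`whoami.example.com`)"
      entryPoints: [https]
      middlewares: [authentik]
      service: whoami
      tls: {}

  services:
    authentik:
      loadBalancer:
        servers:
          - url: http://authentik-server:9000
    whoami:
      loadBalancer:
        servers:
          - url: http://whoami:80
```

Which middleware a router uses only decides which outpost answers the auth sub-request; which users are allowed through is decided by the policies bound to the application in Authentik, so an "admin" middleware on its own does not restrict anything until a group policy is bound to that application. Once a request passes, the app only sees the `X-authentik-*` headers listed under `authResponseHeaders`, so keep that list to what the app actually consumes.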
@arsalan1377
11 months ago
Please cover a mail server too, thanks.
@Jims-Garage
11 months ago
I might do this later, but self-hosted email is generally not recommended due to the way domain trust is established. You'll likely have a high non-delivery rate with a home mail server.
@kurt_hansen
11 months ago
Hi, thanks for this.... After I follow the steps exactly how you did, I try to access my app, but after authentication with Authentik I am forwarded to the Authentik dashboard and not to the app.... Am I doing something wrong?
@Jims-Garage
11 months ago
Make sure the redirect URL is for the app and not Authentik (you will need to set the redirect in the App and the Authentik Provider).
@kurt_hansen
11 months ago
@Jims-Garage Thanks for the answer. I have done everything exactly how you did it in this video. After I add the Authentik middleware to my container (Traefik label) and access my app URL, a login prompt from Authentik appears, and after this there is only the Authentik dashboard, but not the app.... Strange...... Is it a bug? Because I have followed you in every single step.....
@kurt_hansen
11 months ago
@Jims-Garage I didn't understand what you mean here. In your video, you set the Authentik URL in the config.yml, which I did too. And on the app the only thing is to add the middleware for Authentik.... But I always end up on the Authentik dashboard after I select my app URL and authenticate with Authentik.... ?!?!
@Jims-Garage
11 months ago
@kurt_hansen Let me take a look at the video and replicate the steps. I'll come back to you.
@daro_
8 months ago
@Jims-Garage I have the same issue following this video. Is there any further response to this issue?
@dzmelinux7769
11 months ago
Hmm, you are not really giving up on that background "noise"?
@Jims-Garage
11 months ago
I've recorded my next one without any, just for you :)
@KeesFluitman
11 months ago
I think the music is at a nice level. But maybe too similar to ibracorp.
@Jims-Garage
11 months ago
@KeesFluitman We probably use the same stock music; I'll have to check. I'm actually a metalhead, but I don't think that would go down too well 😂
@chuck-snow
6 months ago
I had to separate the networks: proxy on only the server, and the Authentik network for the rest. For some reason there is a conflict I haven't been able to find, but this fixes it for now... If I put everything on the proxy network it goes haywire: the web server won't serve half the info and the login blips in and out. It was horrid. Maybe a port conflict with Portainer's port 9000, maybe something else?
@CrsMthw
6 months ago
I had the same issue and was able to fix it. The issue was that I had other Redis and database containers on the same network, so all you have to do is rename redis to authentik-redis and postgresql to authentik-postgresql. And also give them the same container_name. And make sure you change that everywhere else it was mentioned, like the Redis host variable.
@chuck-snow
6 months ago
Yes, I think having any database or Redis-related container on your open Docker network is just bad news for conflicts. I have found out that all those times where I couldn't figure out why the database wasn't working even though all the settings were correct, looking at the logs, most of those issues were related to having them on the main Docker proxy network. Now I segregate the apps in their own network if they need it, and then only have the main app on the proxy network. But I have had problems too where, if you don't put other things on the network or some shared network, it just won't work...
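A compose file that puts the three points raised in the comments above into one place (BladeWDR's manually deployed outpost with no published ports, joined to the existing proxy network; lsik231l's question about where the secret key comes from; and the uniquely named Redis/PostgreSQL containers from this thread), as an added example: it is not the video's compose file or Authentik's own, though the service layout, image names and `AUTHENTIK_*` variables follow Authentik's documented Docker Compose and manual-outpost setup. The `proxy` network name, the `authentik.example.com` host, the `2024.6.1` tag and the `AUTHENTIK_OUTPOST_TOKEN` variable are assumptions.

```yaml
# docker-compose.yml  (added example, not the video's file)
# .env is expected to hold PG_PASS, AUTHENTIK_SECRET_KEY and AUTHENTIK_OUTPOST_TOKEN.
# AUTHENTIK_SECRET_KEY is read by the server/worker through env_file, which is why
# it does not need to be listed again under "environment".
x-authentik-env: &authentik-env
  AUTHENTIK_REDIS__HOST: authentik-redis            # matches the renamed service below
  AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql  # likewise
  AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
  AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
  AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}

services:
  authentik-postgresql:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik-postgresql   # unique name: no clash with other postgres containers
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    volumes:
      - authentik-database:/var/lib/postgresql/data
    networks: [authentik]                  # internal network only, never on the proxy network

  authentik-redis:
    image: docker.io/library/redis:alpine
    container_name: authentik-redis        # unique name: no clash with other redis containers
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    networks: [authentik]

  authentik-server:
    image: ghcr.io/goauthentik/server:2024.6.1
    container_name: authentik-server
    command: server
    restart: unless-stopped
    env_file: .env                         # supplies AUTHENTIK_SECRET_KEY
    environment: *authentik-env
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks: [authentik, proxy]           # only the server joins the proxy network
    depends_on: [authentik-postgresql, authentik-redis]

  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.6.1
    container_name: authentik-worker
    command: worker
    restart: unless-stopped
    env_file: .env
    environment: *authentik-env
    volumes:
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    # No docker.sock mount: outposts are deployed manually, so the worker
    # does not need control of the Docker daemon.
    networks: [authentik]
    depends_on: [authentik-postgresql, authentik-redis]

  # Manually deployed proxy outpost: no host ports published (it still listens on
  # 9000/9443 inside the network, so nothing collides with Portainer's 9000 on the host),
  # token copied from the outpost's page in the authentik admin UI.
  authentik-proxy-admin:
    image: ghcr.io/goauthentik/proxy:2024.6.1
    container_name: authentik-proxy-admin
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: https://authentik.example.com   # public URL users get redirected to
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: ${AUTHENTIK_OUTPOST_TOKEN:?outpost token required}
    networks: [authentik, proxy]

volumes:
  authentik-database:

networks:
  authentik:
  proxy:
    external: true                         # the network Traefik already lives on
```

Keeping PostgreSQL and Redis off the shared proxy network is the actual fix for the name collisions described in this thread: Docker resolves a service name like `redis` per network, so two stacks that both call their cache `redis` and both join `proxy` will resolve it to whichever container answers first. Renaming is belt and braces on top of that; the outpost token is a credential and belongs in `.env` with the same care as `PG_PASS`.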
@xdeathoreox
10 months ago
It's got a good start. It's just a shame that LDAP authentication seems to be totally busted for a lot of people. Authentik will eventually just end up returning invalid access or invalid credentials with no change required from the user.
@Jims-Garage
10 months ago
Interesting, I will look into this at a later date. I'd also like to cover Zitadel.
@jacobmadden91
10 months ago
I've been using Authentik as an LDAP provider for a while now. Working fine with Jellyfin, OPNsense and Mealie.
@FawziBreidi
1 month ago
The problem with Authentik is that it requires an expensive enterprise license to integrate with the Google provider for OAuth2.
Comments: 70