# Authentik Basic Configuration

*Tebby Dog, 2025-07-05*

## **Disclaimer**

<font color="red">I am new to Authentik; follow these steps at your own risk. This is simply a guide based on how I configured it; there may be misleading steps in here that I am unaware of being a problem.</font>

### **Intro**

I recently went through the process of setting up Authentik, and I found that there wasn't a clear, step-by-step guide available. While the official documentation is comprehensive, it can be overwhelming for someone new to Authentik. In this post, I'll share my experience and provide a concise guide on how to set up Authentik.

Initially, I searched for videos that covered the basic setup process of Authentik, but most resources focused on integrating it with Traefik. This led me down a rabbit hole of learning about Traefik, which wasn't necessary for my use case. After digging through articles and documentation, I realized that there's a lack of resources that cover just the basics.

It appears that integration with Traefik might actually make things easier in the long run, as it allows you to leverage labels on each container to configure Authentik. This could potentially simplify the setup process and reduce the need for manual configuration within Authentik itself.

## Terms to know

### **Outposts**

To my understanding, Authentik outposts are used to route traffic and add the authentication portal in between.

#### Setting Up an Outpost

1. Click on Outposts in Authentik.
2. Click Create a new Outpost.
3. Set up a Docker container to point to that Outpost.
4. Verify the connection: in Authentik, once the outpost shows a last-connected date and time within the last 30 minutes, you know you've set it up correctly.
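As an added example (not part of the guide or of the authentik project), the script below turns the step 4 check into something you can run from a terminal: it takes an outpost's health entries and reports which instances have checked in within the last 30 minutes and which are running a version that lags the server. It assumes authentik's outpost health endpoint `GET /api/v3/outposts/instances/<uuid>/health/`, called with an API token, returns a list with one entry per running outpost container carrying `last_seen` and `version_outdated`; the sample response is constructed here.

```python
"""Verify that an authentik outpost has checked in recently.

Added example, not code from the original guide or from the authentik project.
Assumption: GET /api/v3/outposts/instances/<uuid>/health/ (Bearer API token)
returns a JSON list, one entry per running outpost container, each with an
ISO-8601 "last_seen" timestamp and a "version_outdated" flag.
The sample response below is constructed for this example.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# The guide's rule of thumb: a check-in within the last 30 minutes means the outpost is wired up.
MAX_AGE = timedelta(minutes=30)


def fetch_outpost_health(base_url, token, outpost_uuid):
    """Fetch the health list for one outpost (needs network access and a valid API token)."""
    url = f"{base_url.rstrip('/')}/api/v3/outposts/instances/{outpost_uuid}/health/"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' or a missing offset is treated as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def summarize(entries, now, max_age=MAX_AGE):
    """One record per outpost instance: uid, minutes since its last check-in,
    whether that is within max_age, and whether its version lags the server."""
    records = []
    for entry in entries:
        last_seen = entry.get("last_seen")
        outdated = bool(entry.get("version_outdated"))
        if not last_seen:  # registered but never checked in
            records.append({"uid": entry.get("uid"), "age_minutes": None,
                            "fresh": False, "outdated": outdated})
            continue
        age = now - parse_timestamp(last_seen)
        records.append({"uid": entry.get("uid"),
                        "age_minutes": int(age.total_seconds() // 60),
                        "fresh": age <= max_age,
                        "outdated": outdated})
    return records


def is_connected(entries, now, max_age=MAX_AGE):
    """True when at least one instance of the outpost has checked in within max_age."""
    return any(record["fresh"] for record in summarize(entries, now, max_age))


# Constructed sample: two containers registered to the same outpost, one alive, one stale.
NOW = datetime(2025, 7, 5, 20, 30, tzinfo=timezone.utc)
SAMPLE_HEALTH = [
    {"uid": "proxy-a", "last_seen": "2025-07-05T20:25:10Z", "version_outdated": False},
    {"uid": "proxy-b", "last_seen": "2025-07-05T18:00:00Z", "version_outdated": True},
]

if __name__ == "__main__":
    for record in summarize(SAMPLE_HEALTH, NOW):
        print(record)
    print("connected:", is_connected(SAMPLE_HEALTH, NOW))
```

Against a live instance, replace `SAMPLE_HEALTH` with `fetch_outpost_health("https://your-authentik", token, outpost_uuid)` and `NOW` with `datetime.now(timezone.utc)`; a stale entry next to a fresh one usually means an old outpost container is still registered and should be removed, and `outdated: True` means the proxy image tag no longer matches the server tag.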

## **Initial Setup**

I recommend following the official Authentik documentation for setting it up, but here is how I configured it in my Docker stack.

1. Add the Authentik Container

   1. **Add the Authentik container to your stack**: Start by adding the official Authentik container to your Docker setup.

```yaml
services:
  authentik-postgres:
    image: docker.io/library/postgres:16.4 # It is never a good idea to use the :latest tag for your image, select a version and manually update it
    container_name: authentik-postgres
    environment:
      - POSTGRES_USER=${AUTHENTIK_POSTGRES_USER}
      - POSTGRES_PASSWORD=${AUTHENTIK_POSTGRES_PASSWORD}
      - POSTGRES_DB=${AUTHENTIK_POSTGRES_DB}
      - TZ=${TZ}
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U "${AUTHENTIK_POSTGRES_USER}"']
      start_period: 30s
      interval: 10s
      timeout: 10s
      retries: 5
    volumes:
      - authentik_postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
    networks:
      vpcbr:
        ipv4_address: 172.20.0.10 # Set an IP in your docker network. I am not a fan of using hostnames; you will use this IP to point your Cloudflare Zero Trust DNS records

  authentik-redis:
    image: docker.io/library/redis:7.4.0 # It is never a good idea to use the :latest tag for your image, select a version and manually update it
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - authentik_redis_data:/data
    restart: unless-stopped
    environment:
      - TZ=${TZ}
    networks:
      vpcbr:
        ipv4_address: 172.20.0.11 # Set an IP in your docker network

  authentik-server:
    image: ghcr.io/goauthentik/server:2024.8.0 # It is never a good idea to use the :latest tag for your image, select a version and manually update it
    container_name: authentik-server
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis # If logs show issues communicating with redis, replace this with the IP for that container, e.g. 172.20.0.11
      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres # If logs show issues communicating with the database, replace this with the IP for that container, e.g. 172.20.0.10
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRES_DB}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRES_PASSWORD}
      # (Required) To generate a secret key run the following command:
      # echo $(openssl rand -base64 32)
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      # (Optional) Enable Error Reporting
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
      # (Optional) Enable Email Sending
      - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL_HOST}
      - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL_PORT}
      - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL_USERNAME}
      - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL_PASSWORD}
      - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL_USE_TLS}
      - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL_USE_SSL}
      - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL_TIMEOUT}
      - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL_FROM}
    volumes:
      - /home/user/docker/authentik/media:/media # Persistent storage for media, replace /home/user/docker with a valid local path, e.g. /home/johndoe/docker
      - /home/user/docker/authentik/custom-templates:/templates # Persistent storage for authentik templates, replace /home/user/docker with a valid local path, e.g. /home/johndoe/docker
    depends_on:
      - authentik-postgres # Match this to the postgres container
      - authentik-redis # Match this to the redis container
    restart: unless-stopped
    networks:
      vpcbr:
        ipv4_address: 172.20.0.12 # Set an IP in your docker network

  authentik-proxy:
    image: ghcr.io/goauthentik/proxy:2024.8.0 # Match version to authentik-server version
    environment:
      - AUTHENTIK_HOST=${AUTHENTIK_HOST}
      - AUTHENTIK_INSECURE=${AUTHENTIK_INSECURE}
      - AUTHENTIK_TOKEN=${AUTHENTIK_TOKEN}
      - AUTHENTIK_DEBUG=${AUTHENTIK_DEBUG}
    network_mode: host # The outpost shares the host's network here; if you point the Cloudflare tunnel at a vpcbr address as in the steps below, give this service a vpcbr ipv4_address like the others instead

  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.8.0 # Match version to authentik-server version
    container_name: authentik-worker
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRES_DB}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRES_PASSWORD}
      # (Required) To generate a secret key run the following command:
      # echo $(openssl rand -base64 32)
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      # (Optional) Enable Error Reporting
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
      # (Optional) Enable Email Sending
      # DO NOT REMOVE THE DOUBLE UNDERSCORES BELOW, THEY ARE INTENTIONAL
      - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL_HOST}
      - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL_PORT}
      - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL_USERNAME}
      - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL_PASSWORD}
      - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL_USE_TLS}
      - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL_USE_SSL}
      - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL_TIMEOUT}
      - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL_FROM}
      # DO NOT REMOVE THE DOUBLE UNDERSCORES ABOVE, THEY ARE INTENTIONAL
    # (Optional) When using the docker socket integration
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    user: root
    volumes:
      # (Optional) When using the docker socket integration, uncomment the next line by removing the # at the beginning of the line
      # - /var/run/docker.sock:/run/docker.sock
      - /home/user/docker/authentik/media:/media # Persistent storage for media, replace /home/user/docker with a valid local path, e.g. /home/johndoe/docker
      - /home/user/docker/authentik/certs:/certs # Persistent storage for certs used for SSL, replace /home/user/docker with a valid local path, e.g. /home/johndoe/docker
      - /home/user/docker/authentik/custom-templates:/templates # Persistent storage for authentik templates, replace /home/user/docker with a valid local path, e.g. /home/johndoe/docker
    depends_on:
      - authentik-postgres
      - authentik-redis
    restart: unless-stopped
    networks:
      vpcbr:
        ipv4_address: 172.20.0.13 # Set an IP in your docker network

# Define docker volumes for information that needs to be persistent but shouldn't need to be accessed
volumes:
  authentik_postgres_data:
    driver: local
  authentik_redis_data:
    driver: local

# Define a docker network
# REMOVE BELOW if you already have a network and are using IP addresses in an existing network
networks:
  vpcbr:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1
# REMOVE ABOVE if you already have a network and are using IP addresses in an existing network
```
   2. **Set up environment variables**: the compose file reads these from a `.env` file placed next to it.

```
TZ: Your time zone, if you don't know what it is use the link below
e.g. America/New_York
AUTHENTIK_POSTGRES_USER: enter a username
AUTHENTIK_POSTGRES_PASSWORD: enter a secure password or generate a password with echo $(openssl rand -base64 32)
AUTHENTIK_POSTGRES_DB: select a database name
AUTHENTIK_SECRET_KEY: enter a secret key or generate one with echo $(openssl rand -base64 32)
AUTHENTIK_ERROR_REPORTING: true or false, whether Authentik's error reporting is enabled
AUTHENTIK_EMAIL_HOST: email server domain, check with your email provider
AUTHENTIK_EMAIL_PORT: email server port, check with your email provider
AUTHENTIK_EMAIL_USERNAME: email for logging in, check with your email provider
AUTHENTIK_EMAIL_PASSWORD: password for email, check with your email provider
AUTHENTIK_EMAIL_USE_TLS: select if TLS is enabled, check with your email provider
AUTHENTIK_EMAIL_USE_SSL: select if SSL is enabled, check with your email provider
AUTHENTIK_EMAIL_TIMEOUT: select email timeout period, check with your email provider
AUTHENTIK_EMAIL_FROM: select the email that authentik will send from, this can be blank if it is the same as the username
AUTHENTIK_HOST: the URL the proxy outpost container uses to reach the Authentik server
AUTHENTIK_INSECURE: true to skip TLS verification on the outpost's connection to the Authentik server (e.g. with the default self-signed certificate), otherwise false
AUTHENTIK_TOKEN: the token Authentik shows for the outpost you created in Setting Up an Outpost
AUTHENTIK_DEBUG: true or false, enables debug logging for the outpost
```

[Find your correct timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)

Example .env file (compose expects `KEY=VALUE` lines):

```env
TZ=America/New_York
AUTHENTIK_POSTGRES_USER=authentik_db_user
AUTHENTIK_POSTGRES_PASSWORD=pMdh6ta2uiRWMEjYO6I/efX9Ex9k843/pI5EEyGw9Z4=
AUTHENTIK_POSTGRES_DB=authentik_db
AUTHENTIK_SECRET_KEY=Vd5CrkGSFC3nYnkRGHTlwqk3XGcW6K9v4hrMEKwPYUs=
AUTHENTIK_ERROR_REPORTING=true
AUTHENTIK_EMAIL_HOST=smtp.some.website
AUTHENTIK_EMAIL_PORT=465
AUTHENTIK_EMAIL_USERNAME=[email protected]
AUTHENTIK_EMAIL_PASSWORD=CH4nFvshAuFgYLN1mbye40RdM3TKtmO3sWG3werOYZ8=
AUTHENTIK_EMAIL_USE_TLS=true
AUTHENTIK_EMAIL_USE_SSL=false
AUTHENTIK_EMAIL_TIMEOUT=30
AUTHENTIK_EMAIL_FROM=[email protected]
```
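The two steps above (compose file, then `.env`) go wrong most often when a `${VAR}` in the compose file does not match a name in `.env`: compose then expands it to an empty string with only a warning, and the server container ends up with an empty database user or secret key. The script below is an added example, not part of the guide: it generates the secrets the same way as the guide's `openssl rand -base64 32`, renders the `.env` in the `KEY=VALUE` form compose reads, and lists every `${VAR}` the compose file references that the `.env` neither defines nor defaults. The compose excerpt and settings are constructed; the excerpt deliberately references `${POSTGRES_USER}` next to a `.env` that defines `AUTHENTIK_POSTGRES_USER`, the kind of mismatch the check is meant to catch.

```python
"""Generate the stack's .env file and cross-check it against the compose file.

Added example, not code from the original guide. The compose excerpt and
settings below are constructed for this example (the variable names follow
the guide); secrets are produced the same way as `openssl rand -base64 32`,
i.e. 32 random bytes, base64-encoded.
"""
import base64
import re
import secrets

# Variables that must hold a generated secret rather than a human-chosen value.
SECRET_VARS = ("AUTHENTIK_POSTGRES_PASSWORD", "AUTHENTIK_SECRET_KEY")


def random_secret(nbytes=32):
    """Equivalent of `openssl rand -base64 32`: 32 random bytes, base64-encoded (44 chars)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def build_env(settings):
    """Copy the human-chosen settings and fill every SECRET_VARS entry with a fresh secret."""
    env = dict(settings)
    for name in SECRET_VARS:
        env[name] = random_secret()
    return env


def render_env(env):
    """Render KEY=VALUE lines; docker compose reads .env with '=', not 'KEY: value'."""
    return "".join(f"{key}={value}\n" for key, value in env.items())


def parse_env(text):
    """Parse KEY=VALUE lines back into a dict, rejecting lines compose would not understand."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not KEY=VALUE: {line!r}")
        key, value = line.split("=", 1)  # base64 values may themselves end in '='
        env[key.strip()] = value.strip()
    return env


# ${NAME}, optionally followed by a modifier such as :-default, -default, :?err or ?err.
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(:?[-?][^}]*)?\}")


def compose_var_refs(compose_text):
    """Map every ${VAR} referenced in the compose file to whether some reference supplies a default."""
    refs = {}
    for match in VAR_REF.finditer(compose_text):
        name, modifier = match.group(1), match.group(2)
        has_default = modifier is not None and "-" in modifier[:2]
        refs[name] = refs.get(name, False) or has_default
    return refs


def undefined_vars(compose_text, env):
    """Variables the compose file needs that the .env neither defines nor defaults;
    compose would expand these to empty strings."""
    return sorted(name for name, has_default in compose_var_refs(compose_text).items()
                  if name not in env and not has_default)


# Constructed excerpt in the shape of the guide's compose file, including the mismatch
# where the server reads ${POSTGRES_USER} while the .env defines AUTHENTIK_POSTGRES_USER.
SAMPLE_COMPOSE = """
services:
  authentik-postgres:
    environment:
      - POSTGRES_USER=${AUTHENTIK_POSTGRES_USER}
      - POSTGRES_PASSWORD=${AUTHENTIK_POSTGRES_PASSWORD}
      - POSTGRES_DB=${AUTHENTIK_POSTGRES_DB}
      - TZ=${TZ}
  authentik-server:
    environment:
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
"""

# Constructed human-chosen settings; the secrets are filled in by build_env().
SETTINGS = {"TZ": "America/New_York",
            "AUTHENTIK_POSTGRES_USER": "authentik_db_user",
            "AUTHENTIK_POSTGRES_DB": "authentik_db"}

if __name__ == "__main__":
    env_text = render_env(build_env(SETTINGS))
    print(env_text)
    print("undefined in .env:", undefined_vars(SAMPLE_COMPOSE, parse_env(env_text)))
```

Run the check before `docker compose up` and after every edit to either file; the `.env` holds the database password and the secret key, so write it with permissions only you can read (`chmod 600 .env`).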

2. Configure Services

   1. **Configure each service one at a time**: look up the specific service you want to protect with Authentik (e.g., search for "somearr authentik").
   2. Follow the integration directions on the official Authentik website from that search result.

## **My Setup**

### Cloudflare Zero Trust Tunnel Setup

**Turn off Internal SSL Verification**: I could not get it working with this enabled, even with my Cloudflare SSL cert added and selected in Authentik for that Application.

Create a Docker container for a Cloudflare Zero Trust Tunnel in the same Docker stack and network.

On the Cloudflare website, point the Cloudflare Tunnel (HTTPS) at the Authentik outpost's local Docker network IP on port 9443, in the same Docker stack and network (e.g., https://172.20.0.22:9443).

Disable TLS verification for the Cloudflare sub-domains.

### Authentik Configuration

Create an Application and Provider in Authentik using the wizard (Applications > Applications > Create with Wizard).

Choose between the Implicit Authorization Flow (once logged into Authentik, no further login is required for each service) and the Explicit Authorization Flow (log into Authentik for each service individually).

Follow the steps from the Authentik website for the specific service, or continue with **Transparent Reverse Proxy** below.

### **Additional Steps**

#### Basic HTML Authentication

While setting up the application:

1. In Authentik, navigate to Authentication Settings.
2. Toggle Send HTTP-Basic Authentication.
3. Enter the variable names that you will use in a later step:
   - User: somearr_user
   - Password: somearr_password
4. Follow **Create or Update Group**.

#### Create or Update Group

1. In Authentik, navigate to Directory > Groups.
2. Create a new group or select an existing group.
3. For the group, select Edit.
4. In the Attributes field, add your variables from **Basic HTML Authentication Step 1**, replacing [user] with a username and [password] with a password that works for logging into the Application with basic HTML credentials. Make sure the variable names you enter here match the ones from **Basic HTML Authentication Step 1**, and that a space follows each colon before the username or password from your application:

   ```yaml
   somearr_user: [user]
   somearr_password: [password]
   ```

5. Update.
6. Follow **Add yourself to the Group**.

#### Add yourself to the group

1. In Authentik, navigate to Directory > Groups > [Your Group] > Edit, replacing [Your Group] with the group created in **Create or Update Group**.
2. Users > Add Existing User.
3. Select the + icon.
4. Select the checkmark next to your user.
5. Add.
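The three procedures above hinge on one thing: the attribute names typed into the Application's HTTP-Basic settings must match, character for character, the keys stored on the group, because the outpost looks the credentials up by those names when it builds the `Authorization` header for the backend service. The script below is an added example, not code from the guide or from the authentik project; it models that lookup, with the assumption (stated here, not taken from the page) that attributes set on a user's groups are visible to the lookup and that the user's own attributes take precedence. The group and user attribute sets are constructed.

```python
"""Model how the proxy outpost turns group attributes into an HTTP Basic header.

Added example, not code from the original guide or from the authentik project.
Assumption: the attribute names configured under "Send HTTP-Basic Authentication"
are looked up on the user, with group attributes merged in and the user's own
attributes taking precedence. All attribute sets below are constructed.
"""
import base64

# The names entered in "Basic HTML Authentication" step 3 of the guide.
USER_KEY = "somearr_user"
PASSWORD_KEY = "somearr_password"


def effective_attributes(user_attrs, group_attrs_list):
    """Merge group attributes (in order) underneath the user's own attributes."""
    merged = {}
    for attrs in group_attrs_list:
        merged.update(attrs)
    merged.update(user_attrs)  # user-level values win over group-level ones
    return merged


def missing_keys(attrs, user_key=USER_KEY, password_key=PASSWORD_KEY):
    """Names the Application expects that the merged attributes do not provide."""
    return [key for key in (user_key, password_key) if key not in attrs]


def basic_auth_header(attrs, user_key=USER_KEY, password_key=PASSWORD_KEY):
    """Return 'Basic <base64(user:password)>', or None when either attribute is missing,
    in which case the backend service receives no credentials at all."""
    if missing_keys(attrs, user_key, password_key):
        return None
    credentials = f"{attrs[user_key]}:{attrs[password_key]}".encode()
    return "Basic " + base64.b64encode(credentials).decode()


# Constructed group attributes: the one from "Create or Update Group", and a copy with a typo.
ARR_GROUP = {"somearr_user": "alice", "somearr_password": "s3cret"}
TYPO_GROUP = {"somearr_usr": "alice", "somearr_password": "s3cret"}

if __name__ == "__main__":
    good = effective_attributes({}, [ARR_GROUP])
    print("header:", basic_auth_header(good))
    bad = effective_attributes({}, [TYPO_GROUP])
    print("missing:", missing_keys(bad), "header:", basic_auth_header(bad))
```

When the backend keeps answering with its own login page after the Authentik login succeeds, run the merged attributes of your user through `missing_keys` first: a misspelled key on the group is far more common than a wrong password.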
265
266
### Transparent Reverse Proxy
267
#### Create the Application and Provider
268
1. In Authentik Navigate to Applications>Applications>Create with Wizard
269
2. Enter a name, make sure the slug autopopulated
270
3. Next>Transparent Reverse Proxy>Next
271
4. Authorization Flow
272
1. Select Implicit for: Only log into Authentik once, all Applications will automatically log in while your token is active
273
2. Select Explicit for: Log into each Application independently
274
5. External Host: the domain where you will be accessing this application, should match the zero trust tunnel created in cloudflare IE: https://somearr.somewebsite.com
275
6. Internal Host: the IP address of the service accessible from the proxy outpost docker container, the docker container created in the **Setting Up an Outpost** step of this guide should be in the same network as the service, you can create multiple outposts if you have multiple docker stacks. IE: http://172.20.0.5:8989
276
7. Internal host SSL Validation: I have this disabled, I am unable to load the page with this enabled
277
8. Open the Authentication settings by clicking on >
278
9. Follow **Basic HTML Authentication**
279
10. Follow **Create or Update Group**
280
11. Follow **Add yourself to the group**
281
12. Follow **Assign the application to an Outpost**
282
283
#### **Assign the application to an Outpost**:
284
285
1. Navigate to Applications > Outposts > Your outpost (Docker container that has access to your service at its local Docker IP address) > Edit
286
2. On the left side under Available Applications Double click your application so it shows up on the right side under Selected Applications
245fdc Tebby Dog 2025-07-05 20:43:50 287
3. Visit the domain you created in cloudflare, somesubdomain.some.website and it should be proxied by Authentik