From 01c28da51e9b561272a35515dc5da0223ebd2b11 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 5 Feb 2023 16:50:45 -0600
Subject: [PATCH] Adjustments to bring it closer to authentik docs

---
 .../nginx/authentik-location.conf.sample      |  7 ++++--
 .../nginx/authentik-server.conf.sample        | 23 +++++++------------
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/root/defaults/nginx/authentik-location.conf.sample b/root/defaults/nginx/authentik-location.conf.sample
index 1322314..ddeb42c 100644
--- a/root/defaults/nginx/authentik-location.conf.sample
+++ b/root/defaults/nginx/authentik-location.conf.sample
@@ -3,6 +3,8 @@
 
 ## Send a subrequest to Authentik to verify if the user is authenticated and has permission to access the resource.
 auth_request /outpost.goauthentik.io/auth/nginx;
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 = @goauthentik_proxy_signin;
 
 ## Save the upstream metadata response headers from Authentik to variables.
 auth_request_set $authentik_username $upstream_http_x_authentik_username;
@@ -18,5 +20,6 @@ proxy_set_header X-authentik-email $authentik_email;
 proxy_set_header X-authentik-name $authentik_name;
 proxy_set_header X-authentik-uid $authentik_uid;
 
-## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
-error_page 401 = @authentik_auth_request;
+## Include the Set-Cookie header if present.
+auth_request_set $set_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $set_cookie;
diff --git a/root/defaults/nginx/authentik-server.conf.sample b/root/defaults/nginx/authentik-server.conf.sample
index be12484..cf01680 100644
--- a/root/defaults/nginx/authentik-server.conf.sample
+++ b/root/defaults/nginx/authentik-server.conf.sample
@@ -8,20 +8,16 @@ location /outpost.goauthentik.io {
     set $upstream_authentik authentik-server;
     proxy_pass http://$upstream_authentik:9000/outpost.goauthentik.io;
 
-    ## Headers
-    proxy_set_header X-Forwarded-Host $host; # overwrite header from proxy.conf to not include $server_port
-    proxy_set_header Content-Length "";
-
-    ## Basic Proxy Configuration
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+    add_header              Set-Cookie $auth_cookie;
+    auth_request_set        $auth_cookie $upstream_http_set_cookie;
     proxy_pass_request_body off;
-    client_body_buffer_size 128k;
-
-    ## Advanced Proxy Configuration
-    send_timeout 5m;
+    proxy_set_header        Content-Length "";
 }
 
 # Virtual location for authentik 401 redirects
-location @authentik_401_redirect {
+location @goauthentik_proxy_signin {
     internal;
 
     ## Set the $target_url variable based on the original request.
@@ -31,16 +27,13 @@ location @authentik_401_redirect {
     auth_request_set $set_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $set_cookie;
 
-    ## Set $authentik_backend to route requests to the current domain by default
-    set $authentik_backend $http_host;
     ## In order for Webauthn to work with multiple domains authentik must operate on a separate subdomain
     ## To use authentik on a separate subdomain:
-    ##  * comment the $authentik_backend line above
     ##  * rename /config/nginx/proxy-confs/authentik.conf.sample to /config/nginx/proxy-confs/authentik.conf
     ##  * make sure that your dns has a cname set for authentik
-    ##  * uncomment the $authentik_backend line below and change example.com to your domain
+    ##  * modify the $authentik_backend line below to set example.com to your domain
     ##  * restart the swag container
-    #set $authentik_backend authentik.example.com;
+    set $authentik_backend authentik.example.com;
 
     return 302 https://$authentik_backend/authentik/?rd=$target_url;
 }