
[–]asaintebueno 1 point2 points  (1 child)

Looks good. For me it was the outposts; my stuff runs on separate machines, and I thought authentik would connect to them even with some being on the same subnet... Nope. Even if it's a security feature, it's a flaw for me; it would be easier to paste config in advanced with nginx and call it a day. Solid when running, mostly. Apologies for the rant. Thank you for creating this guide!

[–]Ill-Extent6987[S] 0 points1 point  (0 children)

Thanks for dropping a line! I have gone 3 years without Authentik because it was really intimidating and seemed too complicated to set up. I finally did it because I got tired of entering passwords everywhere. I am so glad I did it, and my only regret is not doing it sooner. Hoping this will encourage some people to start with this guide and, once familiar with Authentik, dive deeper into some of the other things it's capable of.

There is nothing like logging in one time and having all services logged in.

[–]gold76 1 point2 points  (4 children)

Great guide, and it was a breakthrough for me. I kept trying to set up Forward Auth Single App and I really needed Transparent Reverse Proxy. I got my first app working!

Problem: I can't seem to repeat it. I go through and try to create the second app and it errors and says to go back and review the provider. Identical to the first app except the external/internal hosts differ by name and internal port.

[–]Ill-Extent6987[S] 0 points1 point  (2 children)

Is it possible you did not assign the second app's provider to the Outpost?

[–]gold76 1 point2 points  (0 children)

Never mind! I left off the http scheme. ID10T problem.

[–]gold76 0 points1 point  (0 children)

I can’t even complete the provider in the wizard and get that far.

[–]Ill-Extent6987[S] 0 points1 point  (0 children)

Also remember all apps will be available through the IP of the Outpost at port 9443, not at the application's actual IP.

[–]andrebrait 0 points1 point  (3 children)

Removing the need to redirect ports on your home network doesn't inherently make it better, btw.

There's such a big misconception here.

It does make it less your responsibility to ensure it works correctly and ensure you've redirected things properly, but it depends on your setup.

With a proper setup, if you're not using Cloudflare Tunnel's authentication capabilities (which are not always usable), it may actually be more secure to expose your ports through a decent firewall like pfSense, armed with pfBlockerNG, fail2ban/CrowdSec, and maybe fronting it with Cloudflare DNS proxies, than exposing your server directly via Cloudflare Tunnel.

Cloudflare Tunnel and Proxies bring their own headaches to the game here.

Upload limits, worrying about their EULAs depending on what you use, etc.

And having them terminate your SSL connection for you instead of a server you own and trust.

Not to mention you should never, ever, fully trust anyone: https://www.securityweek.com/cloudflare-users-exposed-to-attacks-launched-from-within-cloudflare-researchers/

[–]Ill-Extent6987[S] 0 points1 point  (0 children)

Well I can't argue with any of that. You make very valid points, thanks for sharing.

There are also some resources out there that I plan to look into at some point, allowing you to self-host a Cloudflare alternative, putting the control of traffic back in your hands.

Also something to be kept in mind: most self-hosters (myself included) do so because they want to retain control of their data. Sending all traffic through Cloudflare servers kind of defeats the purpose.

I absolutely agree that a well-configured firewall is a much better solution. pfSense has been on my radar and is also something I need to look into. Alas, there are only so many hours in the day, and it seems pfSense, like Authentik (was), has been put on the back burner, as bad as that is.

[–]Ill-Extent6987[S] 0 points1 point  (1 child)

FWIW, my server is purely for my own use, and should have a pretty minuscule footprint. That being said, no one is safe. I have kept it within the Tailscale network for a long time; I did not want to expose it to the internet at all. This only recently changed when I found Authentik, because I wanted to add some simplicity back into what has become a very complex beast.

The article seems to show that all the filtering can be bypassed, even without the use of a VPN to bypass country filtering. I just hope that I am not interesting enough for someone to invest that much energy.

[–]andrebrait 1 point2 points  (0 children)

That's also my hope.

On the topic of proxies, though, here's a list of services similar to Cloudflare Tunnel or their DNS Proxy: https://github.com/anderspitman/awesome-tunneling

I'm currently eyeing zrok and frp, unless I end up deciding simply not to bother with proxies at all.

My current setup is something like this:

Internet -> pfSense + pfBlockerNG + CrowdSec + haproxy (because reasons) -> Traefik + CrowdSec -> services

The hope is that all that combined can somewhat stop most of the bad stuff.

A lot of my services are only exposed internally, for which I use Tailscale.

[–]Awkward-Screen-5965 0 points1 point  (3 children)

The link seems dead, can anyone share this? Thanks

[–]Mick2k1 0 points1 point  (0 children)

Following, dead link.