Bypass Cockpit Login Screen to implement reverse proxy Authentication.

[moutasem1989]

I am using Cockpit on my Home Lab and I would like to use it with Authentik.
Like many self hosted Services, SSO and Header Authentication are not supported. I want to solve this by using Authentik + Nginx reverse proxy authentication and using Nginx to bypass the internal login screen. This way no configurations of PAM or Cockpit that could break things. Theoretically one can add authentication information as additionalheaders here for Authentik users.

According to Cockpit documentation, they use basic HTTP authentication to send log in data to the server.

location / {
    proxy_pass  $forward_scheme://$server:$port;
    auth_request  /login
    error_page  401
    proxy_set_header Host $host;

    #websockets support?
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
}
location /login {
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    
    proxy_pass  $forward_scheme://$server:$port/login;
    proxy_set_header Authorization "Basic abcxyz";  #base64 of user:password 
    proxy_pass_header Authorization;
}

Unfortunately the auth_request /login part is breaking the configurations and I am not sure how to get this part to work.
if this is something feasible, any help is much appreciated!

Additionally, I saw that many are requesting SSO authentication in NPM, perhaps this could be a possibility for a workaround?

[moutasem1989]

this is the working custom configuration of NPM with Authentik reverse proxy authentication

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    # proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    proxy_set_header        Host $host;
    proxy_set_header Authorization "Basic abcxyz==";  #base64 of user:password 
    proxy_pass_header Authorization;
    proxy_pass  $forward_scheme://$server:$port;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
    #add_header X-calibre-web-user "CloudAdmin" always;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              https://authentik-server:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}