[GH-ISSUE #437] Extended authentication (SSO) #367

New issue

Open

opened 2026-02-26 06:32:34 +03:00 by kerem · 32 comments

kerem commented 2026-02-26 06:32:34 +03:00

Owner

Copy link

Originally created by @lazee486 on GitHub (May 30, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/437

This software is amazing for homelab, I'd love if had the ability to use with

https://github.com/vouch/vouch-proxy/blob/master/README.md

Or keycloak

Basically any single sign on or similar system
It would be at the same step as your current password protection. Currently I have to put password so many times...

Instead of each service having its own(and some don't) any site you tag with auth gets proxied with sso

Originally created by @lazee486 on GitHub (May 30, 2020). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/437 This software is amazing for homelab, I'd love if had the ability to use with https://github.com/vouch/vouch-proxy/blob/master/README.md Or keycloak Basically any single sign on or similar system It would be at the same step as your current password protection. Currently I have to put password so many times... Instead of each service having its own(and some don't) any site you tag with auth gets proxied with sso

kerem added the

enhancement

label 2026-02-26 06:32:34 +03:00

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@ITNerdbox commented on GitHub (Jun 2, 2020):

Also, certificate based authentication would be a nice to have feature.

<!-- gh-comment-id:637464301 --> @ITNerdbox commented on GitHub (Jun 2, 2020): Also, certificate based authentication would be a nice to have feature.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@archness1 commented on GitHub (Jun 15, 2020):

OIDC/Keycloak integration would be awesome to have with this.

<!-- gh-comment-id:644219794 --> @archness1 commented on GitHub (Jun 15, 2020): OIDC/Keycloak integration would be awesome to have with this.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@fbartels commented on GitHub (Jun 23, 2020):

https://github.com/jc21/nginx-proxy-manager/pull/433 added the ability to do oidc

<!-- gh-comment-id:647916008 --> @fbartels commented on GitHub (Jun 23, 2020): https://github.com/jc21/nginx-proxy-manager/pull/433 added the ability to do oidc

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@joe307bad commented on GitHub (Dec 6, 2020):

Keycloak works with nginx-proxy-manager!

<!-- gh-comment-id:739552903 --> @joe307bad commented on GitHub (Dec 6, 2020): [Keycloak works with `nginx-proxy-manager`!](https://github.com/jc21/nginx-proxy-manager/pull/753#issuecomment-739552690)

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MarioGK commented on GitHub (Jun 25, 2021):

Any updates on this issue?

<!-- gh-comment-id:868487681 --> @MarioGK commented on GitHub (Jun 25, 2021): Any updates on this issue?

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@chaptergy commented on GitHub (Jun 25, 2021):

It will not be in this version, unless someone from the community wants to implement it. See https://github.com/jc21/nginx-proxy-manager/discussions/1202.

<!-- gh-comment-id:868497144 --> @chaptergy commented on GitHub (Jun 25, 2021): It will not be in this version, unless someone from the community wants to implement it. See https://github.com/jc21/nginx-proxy-manager/discussions/1202.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@stibra commented on GitHub (Sep 16, 2021):

Please integrate NPM with spnego for Kerberos integration.

https://github.com/stnoonan/spnego-http-auth-nginx-module

<!-- gh-comment-id:920858472 --> @stibra commented on GitHub (Sep 16, 2021): Please integrate NPM with spnego for Kerberos integration. https://github.com/stnoonan/spnego-http-auth-nginx-module

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@hairy-tortoise commented on GitHub (Jan 10, 2023):

Any update on this?

<!-- gh-comment-id:1377743660 --> @hairy-tortoise commented on GitHub (Jan 10, 2023): Any update on this?

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@marekful commented on GitHub (Feb 24, 2023):

FYI https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2630 @hairy-tortoise

<!-- gh-comment-id:1444588416 --> @marekful commented on GitHub (Feb 24, 2023): FYI https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2630 @hairy-tortoise

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@Hadatko commented on GitHub (Aug 25, 2023):

+1

<!-- gh-comment-id:1692825422 --> @Hadatko commented on GitHub (Aug 25, 2023): +1

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@fomurjiom commented on GitHub (Feb 2, 2024):

Please integrate NPM with spnego for Kerberos integration.

https://github.com/stnoonan/spnego-http-auth-nginx-module

+1 pls

<!-- gh-comment-id:1923367131 --> @fomurjiom commented on GitHub (Feb 2, 2024): > Please integrate NPM with spnego for Kerberos integration. > > https://github.com/stnoonan/spnego-http-auth-nginx-module +1 pls

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@alexsalex commented on GitHub (Feb 10, 2024):

+100500

Authentik implementation will be amazing too!

<!-- gh-comment-id:1936831064 --> @alexsalex commented on GitHub (Feb 10, 2024): +100500 Authentik implementation will be amazing too!

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Aug 30, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2319674269 --> @github-actions[bot] commented on GitHub (Aug 30, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@dimo414 commented on GitHub (Aug 30, 2024):

Stalebot is a blight

<!-- gh-comment-id:2319987536 --> @dimo414 commented on GitHub (Aug 30, 2024): Stalebot is a blight

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@stibra commented on GitHub (Aug 30, 2024):

KeyCloak and Kerberos please.

<!-- gh-comment-id:2320088502 --> @stibra commented on GitHub (Aug 30, 2024): KeyCloak and Kerberos please.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@lazee486 commented on GitHub (Oct 15, 2024):

just an update, by using the section where you can post your own Nginx commands on a proxy. NPM does work with Authelia and authentik that ive tested, as a domain level auth. ie: if you go to radarr.mysite.com, it will redirect you to authentik sso page, sign in, then store and use that cookie so going to sonarr.mysite.com or any other site behind your sso becomes passwordless. you also have to configure the apps to accept the SSO or no password to make it seamless, but this does work.

so unless this is a request for the addition of maybe presaved configs or per app buttons for this, it works and Im happy. :)

<!-- gh-comment-id:2413343264 --> @lazee486 commented on GitHub (Oct 15, 2024): just an update, by using the section where you can post your own Nginx commands on a proxy. NPM does work with Authelia and authentik that ive tested, as a domain level auth. ie: if you go to radarr.mysite.com, it will redirect you to authentik sso page, sign in, then store and use that cookie so going to sonarr.mysite.com or any other site behind your sso becomes passwordless. you also have to configure the apps to accept the SSO or no password to make it seamless, but this does work. so unless this is a request for the addition of maybe presaved configs or per app buttons for this, it works and Im happy. :)

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MahmoudAlyuDeen commented on GitHub (Oct 17, 2024):

NPM does work with Authelia and authentik that ive tested

The reverse proxy functionality of NPM works with Authentik / Authelia / other tools.

But the web GUI of NPM itself doesn't work:

It would be awesome if we don't have to enter an email or password to get to NPM settings.

<!-- gh-comment-id:2419206079 --> @MahmoudAlyuDeen commented on GitHub (Oct 17, 2024): > NPM does work with Authelia and authentik that ive tested The reverse proxy functionality of NPM works with Authentik / Authelia / other tools. But the web GUI of NPM itself doesn't work: It would be awesome if we don't have to enter an email or password to get to NPM settings.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 24, 2024):

Here is how I set up Authentik to log into NginX Proxy Manager UI:

In this case i created A group with special permition to log into several services but you can do this on user level. In the group/user add the following Attributes with the correct user/pass. Leave the Token as Null

nginx_password: pass
nginx_username: user
additionalHeaders:
  X-Nginx-Token: null

Under Property Mappings create a new Scoop Maping. Name is NginX Token and Scoop Name must be ak_proxy otherwise NginX cannot call the apropeate headers. Adjust the Expression from group_attributes() to attributes for user based authentication.
The Expression should be as following:

import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

if request.user.username == "":
  return ("null")
else:
  nginxuser = request.user.group_attributes().get("nginx_username", "placeholderuser")
  nginxpass = request.user.group_attributes().get("nginx_password", "placeholderpassword")

base_url = "http://nginx:81"
end_point = "/api/tokens"
json_data = {'identity': nginxuser,'secret': nginxpass}
postdata = json.dumps(json_data).encode()
headers = {"Content-Type": "application/json; charset=UTF-8"}
try:
  httprequest = Request(base_url + end_point, data=postdata, method="POST", headers=headers)
  with urlopen(httprequest) as response:
    responddata = json.loads(response.read().decode())
  return {"ak_proxy": {"user_attributes": {"additionalHeaders": {"X-Nginx-Token": responddata['token']}}}}
except: return ("null")

The Expression will fetch a new Autherization Token which can be accessed through the X-Nginx-Token Header.
Create a Proxy Provider and make sure the Scoop we just created is included.
In NPM I added this configuration. Dnt forget to change the Authentik Server address

proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    proxy_pass          $forward_scheme://$server:$port;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # Here we call the Header we created and use the Token that Authentik fetched for us
    auth_request_set $authentik_auth $upstream_http_x_nginx_token;
    proxy_set_header Authorization "Bearer ${authentik_auth}";
    proxy_pass_header Authorization;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              https://authentik-server:9443/outpost.goauthentik.io;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

That should be it. I tried it and it works perfectly

edit code to handle exceptions

<!-- gh-comment-id:2435042515 --> @moutasem1989 commented on GitHub (Oct 24, 2024): Here is how I set up Authentik to log into NginX Proxy Manager UI: In this case i created A group with special permition to log into several services but you can do this on user level. In the group/user add the following Attributes with the correct `user/pass`. Leave the Token as Null ``` nginx_password: pass nginx_username: user additionalHeaders: X-Nginx-Token: null ``` Under `Property Mappings` create a new `Scoop Maping`. Name is `NginX Token` and Scoop Name must be `ak_proxy` otherwise NginX cannot call the apropeate headers. Adjust the Expression from `group_attributes()` to `attributes` for user based authentication. The Expression should be as following: ``` import json from urllib.parse import urlencode from urllib.request import Request, urlopen if request.user.username == "": return ("null") else: nginxuser = request.user.group_attributes().get("nginx_username", "placeholderuser") nginxpass = request.user.group_attributes().get("nginx_password", "placeholderpassword") base_url = "http://nginx:81" end_point = "/api/tokens" json_data = {'identity': nginxuser,'secret': nginxpass} postdata = json.dumps(json_data).encode() headers = {"Content-Type": "application/json; charset=UTF-8"} try: httprequest = Request(base_url + end_point, data=postdata, method="POST", headers=headers) with urlopen(httprequest) as response: responddata = json.loads(response.read().decode()) return {"ak_proxy": {"user_attributes": {"additionalHeaders": {"X-Nginx-Token": responddata['token']}}}} except: return ("null") ``` The Expression will fetch a new Autherization Token which can be accessed through the `X-Nginx-Token` Header. Create a Proxy Provider and make sure the Scoop we just created is included. In NPM I added this configuration. Dnt forget to change the Authentik Server address ``` proxy_buffers 8 16k; proxy_buffer_size 32k; # Make sure not to redirect traffic to a port 4443 port_in_redirect off; location / { proxy_pass $forward_scheme://$server:$port; ############################## # authentik-specific config ############################## auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # Here we call the Header we created and use the Token that Authentik fetched for us auth_request_set $authentik_auth $upstream_http_x_nginx_token; proxy_set_header Authorization "Bearer ${authentik_auth}"; proxy_pass_header Authorization; } # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { # When using the embedded outpost, use: proxy_pass https://authentik-server:9443/outpost.goauthentik.io; # Note: ensure the Host header matches your external authentik URL: proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length ""; } # Special location for when the /auth endpoint returns a 401, # redirect to the /start URL which initiates SSO location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; } ``` That should be it. I tried it and it works perfectly edit code to handle exceptions

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MahmoudAlyuDeen commented on GitHub (Oct 24, 2024):

@moutasem1989 great approach!

I tried the custom property mapping with user properties and I got this exception when navigating to the proxied page, same when using the test function from authentik admin panel:

Traceback (most recent call last): File "nginx-token", line 27, in <module> File "nginx-token", line 17, in handler File "/usr/local/lib/python3.12/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.12/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.12/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 5 column 1 (char 4)

<!-- gh-comment-id:2435249202 --> @MahmoudAlyuDeen commented on GitHub (Oct 24, 2024): @moutasem1989 great approach! I tried the custom property mapping with user properties and I got this exception when navigating to the proxied page, same when using the test function from authentik admin panel: ``` Traceback (most recent call last): File "nginx-token", line 27, in <module> File "nginx-token", line 17, in handler File "/usr/local/lib/python3.12/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.12/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.12/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 5 column 1 (char 4) ```

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 25, 2024):

@MahmoudAlyuDeen The code above makes a call to Nginx to retrieve an authentication code in JSON file. If the server cannot be reached because of the wrong host name or IP address or simply bad authentication values it will throw an error. Make sure the Authentik server and NginX are on the same network and try the following. It should return the entire JSON file not just the token. If it is also unsuccessful, then a connection was not possible.

comment out all the lines after with urlopen… and add this and try the test function.

with urlopen(httprequest) as response:
     return(response.read().decode())

In Terminal you can also try this to see if an authentication token can be fetched. The bove code is the express of this curl command:

curl 'http://nginx:81/api/tokens' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \
  --compressed

Hope it works out!

<!-- gh-comment-id:2437095914 --> @moutasem1989 commented on GitHub (Oct 25, 2024): @MahmoudAlyuDeen The code above makes a call to Nginx to retrieve an authentication code in JSON file. If the server cannot be reached because of the wrong host name or IP address or simply bad authentication values it will throw an error. Make sure the Authentik server and NginX are on the same network and try the following. It should return the entire JSON file not just the token. If it is also unsuccessful, then a connection was not possible. comment out all the lines after `with urlopen…` and add this and try the test function. ``` with urlopen(httprequest) as response: return(response.read().decode()) ``` In Terminal you can also try this to see if an authentication token can be fetched. The bove code is the express of this curl command: ``` curl 'http://nginx:81/api/tokens' \ -H 'Content-Type: application/json; charset=UTF-8' \ --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \ --compressed ``` Hope it works out!

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MahmoudAlyuDeen commented on GitHub (Oct 25, 2024):

Okay, I figured out one problem with your help, thanks! 😅 I had the external URL in the expression but switching to the internal URL of NPM works.

Testing the scope mapping in authentik generates a valid token now.

🤔 Somehow I still get this error when navigating to the proxied page:

This is the same error I get when I test the scope mapping with a user, that doesn't have the appropriate attributes.

<!-- gh-comment-id:2437393283 --> @MahmoudAlyuDeen commented on GitHub (Oct 25, 2024): Okay, I figured out one problem with your help, thanks! 😅 I had the external URL in the expression but switching to the internal URL of NPM works. Testing the scope mapping in authentik generates a valid token now.  🤔 Somehow I still get this error when navigating to the proxied page:  This is the same error I get when I test the scope mapping with a user, that doesn't have the appropriate attributes.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 25, 2024):

If you added the attributes to the group use group_attributes() otherwise it would be a user attribute and should be replaced with attributes. Check that the attributes names in User/Group are identical to the ones called in the code. Only Users/Groups with attributes names can log in.

I did some changes to handle exceptions. Check the Property Mapping code: I made it so if a user has no name it will return null instead of throwing an error trying to retrieve values

Alternatively you can directly set the values in the code.

<!-- gh-comment-id:2437409850 --> @moutasem1989 commented on GitHub (Oct 25, 2024): If you added the attributes to the group use `group_attributes()` otherwise it would be a user attribute and should be replaced with `attributes`. Check that the attributes names in User/Group are identical to the ones called in the code. Only Users/Groups with attributes names can log in. I did some changes to handle exceptions. Check the Property Mapping code: I made it so if a user has no name it will return null instead of throwing an error trying to retrieve values Alternatively you can directly set the values in the code.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MahmoudAlyuDeen commented on GitHub (Oct 25, 2024):

Nice! No more exceptions. But now login doesn't work, I'm now just getting redirected to NPM login page.

<!-- gh-comment-id:2437428865 --> @MahmoudAlyuDeen commented on GitHub (Oct 25, 2024): Nice! No more exceptions. But now login doesn't work, I'm now just getting redirected to NPM login page.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 25, 2024):

Also try it incognito mode cuz cookies could mess things up

<!-- gh-comment-id:2437439149 --> @moutasem1989 commented on GitHub (Oct 25, 2024): Also try it incognito mode cuz cookies could mess things up

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@MahmoudAlyuDeen commented on GitHub (Oct 25, 2024):

Tried in incognito.

Looking at the logs, the token is there with the correct scope. ✅

But there are also default scopes that I suspect could be confusing NPM, when I try removing the default scopes from the provider, they just keep coming back.

Is there any configuration I need to do on NPM side? Other than the custom nginx code you posted?

<!-- gh-comment-id:2437445003 --> @MahmoudAlyuDeen commented on GitHub (Oct 25, 2024): Tried in incognito. Looking at the logs, the token is there with the correct scope. ✅ But there are also default scopes that I suspect could be confusing NPM, when I try removing the default scopes from the provider, they just keep coming back.  Is there any configuration I need to do on NPM side? Other than the custom nginx code you posted?

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 25, 2024):

The scoop is there but you need to check the headers

    auth_request_set $authentik_auth $upstream_http_x_nginx_token;
    proxy_set_header Authorization "Bearer ${authentik_auth}";
    proxy_pass_header Authorization;

$upstream_http_x_nginx_token calls for the value of X-Nginx-Token attribute. Check if the user has the right to get the token and then check if the attribute value is being called. The header Authorization should be “Bearer <token>”.

<!-- gh-comment-id:2437507431 --> @moutasem1989 commented on GitHub (Oct 25, 2024): The scoop is there but you need to check the headers ``` auth_request_set $authentik_auth $upstream_http_x_nginx_token; proxy_set_header Authorization "Bearer ${authentik_auth}"; proxy_pass_header Authorization; ``` `$upstream_http_x_nginx_token` calls for the value of `X-Nginx-Token` attribute. Check if the user has the right to get the token and then check if the attribute value is being called. The header `Authorization` should be `“Bearer <token>”`.

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@lazee486 commented on GitHub (Oct 25, 2024):

I mean I know it could be an issue if it broke, but in docker restrict port 81 to localhost and use npm to access it, and put authentik etc there...if it broke just remove the interface restriction on the docker till you fixed it

<!-- gh-comment-id:2438592980 --> @lazee486 commented on GitHub (Oct 25, 2024): I mean I know it could be an issue if it broke, but in docker restrict port 81 to localhost and use npm to access it, and put authentik etc there...if it broke just remove the interface restriction on the docker till you fixed it

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@eligibbs commented on GitHub (Nov 8, 2024):

The scoop is there but you need to check the headers

    auth_request_set $authentik_auth $upstream_http_x_nginx_token;
    proxy_set_header Authorization "Bearer ${authentik_auth}";
    proxy_pass_header Authorization;

$upstream_http_x_nginx_token calls for the value of X-Nginx-Token attribute. Check if the user has the right to get the token and then check if the attribute value is being called. The header Authorization should be “Bearer <token>”.

@moutasem1989 Is this method still working, even with commit 280bac8 causing problems with some of the code here?

I'm in the same boat as @MahmoudAlyuDeen where my scope tests fine with a token, but I get redirected to the login page.

With "custom locations" not working, can you define locations in the advanced field? Depending on the configuration, I can quickly get an error 500

<!-- gh-comment-id:2465330747 --> @eligibbs commented on GitHub (Nov 8, 2024): > The scoop is there but you need to check the headers > > ``` > auth_request_set $authentik_auth $upstream_http_x_nginx_token; > proxy_set_header Authorization "Bearer ${authentik_auth}"; > proxy_pass_header Authorization; > ``` > > `$upstream_http_x_nginx_token` calls for the value of `X-Nginx-Token` attribute. Check if the user has the right to get the token and then check if the attribute value is being called. The header `Authorization` should be `“Bearer <token>”`. @moutasem1989 Is this method still working, even with commit [280bac8](https://github.com/NginxProxyManager/nginx-proxy-manager/commit/280bac8b430a3465f1fbc4d7e8d94e148ad740e7) causing problems with some of the code here? I'm in the same boat as @MahmoudAlyuDeen where my scope tests fine with a token, but I get redirected to the login page. With "custom locations" not working, can you define locations in the advanced field? Depending on the configuration, I can quickly get an error 500

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@apocaliss92 commented on GitHub (Dec 7, 2024):

Tried this approach and getting redirect on the login page too, mapping seems fine on authentic
The token check seems failing, returns a bad request error but no further details unfortunately

Actually something is there
[12/7/2024] [11:46:42 AM] [Express ] › ⚠ warning Existing token contained invalid user data

<!-- gh-comment-id:2525048341 --> @apocaliss92 commented on GitHub (Dec 7, 2024): Tried this approach and getting redirect on the login page too, mapping seems fine on authentic The token check seems failing, returns a bad request error but no further details unfortunately Actually something is there [12/7/2024] [11:46:42 AM] [Express ] › ⚠ warning Existing token contained invalid user data

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@exenza commented on GitHub (Apr 25, 2025):

Tried this approach and getting redirect on the login page too, mapping seems fine on authentic The token check seems failing, returns a bad request error but no further details unfortunately

Actually something is there [12/7/2024] [11:46:42 AM] [Express ] › ⚠ warning Existing token contained invalid user data

get same error, and when I test the Property mappings I get the following:

Traceback (most recent call last): File "/authentik/core/models.py", line 984, in evaluate return evaluator.evaluate(self.expression) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/authentik/core/expression/evaluator.py", line 89, in evaluate return super().evaluate(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/authentik/lib/expression/evaluator.py", line 263, in evaluate raise exc File "NgiX Token", line 23, in <module> File "NgiX Token", line 9, in handler builtins.TypeError: 'dict' object is not callable

<!-- gh-comment-id:2830542926 --> @exenza commented on GitHub (Apr 25, 2025): > Tried this approach and getting redirect on the login page too, mapping seems fine on authentic The token check seems failing, returns a bad request error but no further details unfortunately > > Actually something is there [12/7/2024] [11:46:42 AM] [Express ] › ⚠ warning Existing token contained invalid user data get same error, and when I test the Property mappings I get the following: ` Traceback (most recent call last): File "/authentik/core/models.py", line 984, in evaluate return evaluator.evaluate(self.expression) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/authentik/core/expression/evaluator.py", line 89, in evaluate return super().evaluate(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/authentik/lib/expression/evaluator.py", line 263, in evaluate raise exc File "NgiX Token", line 23, in <module> File "NgiX Token", line 9, in handler builtins.TypeError: 'dict' object is not callable`

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 12, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3519567868 --> @github-actions[bot] commented on GitHub (Nov 12, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 06:32:35 +03:00

Author

Owner

Copy link

@kominoshja commented on GitHub (Nov 12, 2025):

👍

<!-- gh-comment-id:3519872144 --> @kominoshja commented on GitHub (Nov 12, 2025): 👍

kerem referenced this issue 2026-02-26 07:38:33 +03:00

[PR #367] [CLOSED] Adding S3 host option #3231

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#367

No description provided.