From b217cbbc0f2be437763ce2c89bc91066796eb672 Mon Sep 17 00:00:00 2001
From: Brian
Date: Sun, 5 Apr 2026 20:45:25 -0400
Subject: [PATCH] fix(npm): proxy outpost directly to internal Authentik IP
- Replace https://auth.hetherman.cloud with http://192.168.50.224:30140 to avoid NPM loopback and SSL SNI mismatch (alert 112)
- Add port_in_redirect off
- Fix sign-in redirect to include full scheme+host in rd= param
Co-Authored-By: Claude Sonnet 4.6
---
config/npm-advanced.conf | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/npm-advanced.conf b/config/npm-advanced.conf
index eb18a04..45e7474 100644
--- a/config/npm-advanced.conf
+++ b/config/npm-advanced.conf
@@ -6,6 +6,7 @@
# Requires an Authentik Proxy Provider of type "Forward auth (single
# application)" with external host https://stream.hetherman.cloud and an
# Application bound to the `stream-viewers` group.
+port_in_redirect off;
# Forward every incoming request to the Authentik outpost for validation.
auth_request /outpost.goauthentik.io/auth/nginx;
@@ -24,7 +25,9 @@ auth_request_set $authentik_email $upstream_http_x_authentik_email;
location /outpost.goauthentik.io {
# All traffic to /outpost.goauthentik.io is proxied to the Authentik host.
# Point this at your Authentik outpost URL.
- proxy_pass https://auth.hetherman.cloud/outpost.goauthentik.io;
+ # Use the internal Authentik address directly (HTTP, no TLS) to avoid
+ # routing back through NPM and the SSL SNI issues that come with it.
+ proxy_pass http://192.168.50.224:30140/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -43,5 +46,5 @@ location /outpost.goauthentik.io {
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
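Review bot: The added `port_in_redirect off;` in the first hunk sits between the provider-requirements comment and the `auth_request` comment with no explanation of its own. A line above it such as `# Keep nginx from adding its listen port to the absolute Location it builds for the sign-in redirect.` would record the intent. That reading is inferred from the commit message and the `return 302` in the last hunk, so adjust it if the directive was added for another reason.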
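Review bot: In the second hunk the new `proxy_pass http://192.168.50.224:30140/outpost.goauthentik.io;` sends every auth subrequest over cleartext HTTP to another host on the LAN, including the visitor's session cookie and the outpost's `Set-Cookie` and `X-authentik-*` identity headers. The SNI mismatch named in the commit message can be fixed without giving up TLS: keep `https://` to the internal address and add `proxy_ssl_server_name on;` and `proxy_ssl_name auth.hetherman.cloud;`. The outpost's HTTPS port is not shown on this page, so substitute it for 30140. If plain HTTP is kept, the new comment should state that the link between NPM and 192.168.50.224 is assumed to be a trusted segment. The `location` block continues past the end of the hunk, so whether `X-Forwarded-Proto` is already passed to the now-HTTP upstream cannot be confirmed from here.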
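Review bot: The new `rd=$scheme://$http_host$request_uri` in the third hunk builds the post-login return URL from the client-supplied Host header and an unencoded request URI. The header comment in the first hunk says this provider serves the single external host https://stream.hetherman.cloud, so the target can be pinned instead: `return 302 /outpost.goauthentik.io/start?rd=https://stream.hetherman.cloud$request_uri;`. That keeps an unexpected Host value out of the redirect; Authentik presumably validates `rd` as well, but that is not visible here. Separately, `$request_uri` is inserted raw, so an original URL whose query string contains `&` reaches `/start` as extra parameters and the visitor returns to a truncated URL. A one-line comment noting that limitation would help the next maintainer.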