# Paste this snippet into the "Advanced" tab of the NPM Proxy Host for
# stream.hetherman.cloud. It enables Authentik Forward Auth via the
# goauthentik.io outpost, so every request is gated before hitting the
# frontend, WHEP signaling, HLS, or the MediaMTX API.
#
# Requires an Authentik Proxy Provider of type "Forward auth (single
# application)" with external host https://stream.hetherman.cloud and an
# Application bound to the `stream-viewers` group.
port_in_redirect off;

# Forward every incoming request to the Authentik outpost for validation.
auth_request                 /outpost.goauthentik.io/auth/nginx;
error_page       401         = @goauthentik_proxy_signin;

# Propagate user identity headers set by the outpost back to the browser
# (and optionally to upstream if you ever want to read the user in MediaMTX).
auth_request_set $auth_cookie        $upstream_http_set_cookie;
add_header       Set-Cookie          $auth_cookie;
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
auth_request_set $authentik_email    $upstream_http_x_authentik_email;

# The outpost endpoint itself must be reachable un-gated so that the
# auth_request subrequest and the sign-in redirect can complete.
location /outpost.goauthentik.io {
    # All traffic to /outpost.goauthentik.io is proxied to the Authentik host.
    # Point this at your Authentik outpost URL.
    # Use the internal Authentik address directly (HTTP, no TLS) to avoid
    # routing back through NPM and the SSL SNI issues that come with it.
    proxy_pass              http://192.168.50.224:30140/outpost.goauthentik.io;
    proxy_set_header        Host                  $host;
    proxy_set_header        X-Original-URL        $scheme://$http_host$request_uri;
    proxy_set_header        X-Forwarded-For       $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto     $scheme;
    proxy_set_header        X-Forwarded-Host      $http_host;
    proxy_set_header        X-Forwarded-Uri       $request_uri;
    proxy_set_header        X-Forwarded-Ssl       on;
    add_header              Set-Cookie            $auth_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length        "";
}

# When auth_request returns 401, send the browser to the outpost sign-in page
# and preserve the original request URL so the user lands back where they
# started after logging in.
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}