Skip to main content


The configuration template shown below apply to both single-application and domain-level forward auth.


Requires authentik 2022.8


example-outpost is used as a placeholder for the outpost name. is used as a placeholder for the authentik install. is used as a placeholder for the external domain for the application. is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as

Use the following configuration: {
# always forward outpost path to actual outpost
reverse_proxy /*

# forward authentication to outpost
forward_auth {
uri /

# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges

# actual site configuration below, for example
reverse_proxy localhost:1234

If you're trying to proxy to an upstream over HTTPS, you need to set the Host header to the value they expect for it to work correctly.

reverse_proxy /* {
header_up Host {http.reverse_proxy.upstream.hostport}