SOP: Make Docusaurus fully private (Authentik + NPM)

Purpose

Require login for all pages on docs.aurbotstem.com (Docusaurus running on 10.10.8.110:3002).

Scope

Docusaurus: 10.10.8.110:3002
NPM: 10.10.8.131 (public edge)
Authentik: 10.10.8.131:9000 published as auth.aurbotstem.com

Architecture

Internet → NPM (10.10.8.131) → forward-auth to Authentik → proxy to Docusaurus (10.10.8.110:3002).

Prereqs

auth.aurbotstem.com working (Authentik reachable externally)
docs.aurbotstem.com proxy host exists in NPM and reaches 10.10.8.110:3002
DNS:
- docs.aurbotstem.com A record → Public IP
- auth.aurbotstem.com A record → Public IP

Inputs

Docs domain: docs.aurbotstem.com
Auth domain: auth.aurbotstem.com

Procedure

1) Create Authentik Proxy Provider

In Authentik admin UI:

Applications → Providers → Create
Choose Proxy Provider
Name: docs-forwardauth
External host: https://docs.aurbotstem.com
Mode: Forward Auth (single application) (wording varies by version)
Save

2) Create an Application

Applications → Applications → Create
Name: Docs
Slug: docs
Provider: docs-forwardauth
Save

3) Ensure Outpost is enabled

Applications → Outposts
Use Embedded Outpost (recommended to start)
Ensure the Docs application/provider is selected for that outpost

4) Add Forward-Auth to NPM (docs host)

In NPM → Proxy Hosts → docs.aurbotstem.com → Advanced add the Authentik snippet.

Note: Authentik provides a ready-made snippet in the Proxy Provider screen. Prefer copying that exact snippet (it is version-correct).

Typical structure looks like:

# --- authentik forward-auth (example; copy from Authentik UI) ---
location / {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;

  # forward auth request
  auth_request /outpost.goauthentik.io/auth/nginx;
  error_page 401 = @goauthentik_proxy_signin;

  auth_request_set $authentik_username $upstream_http_x_authentik_username;
  auth_request_set $authentik_groups $upstream_http_x_authentik_groups;

  proxy_pass http://10.10.8.110:3002;
}

location /outpost.goauthentik.io/ {
  proxy_pass https://auth.aurbotstem.com/outpost.goauthentik.io/;
  proxy_set_header Host $host;
  proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
  add_header Cache-Control no-cache;
}

location @goauthentik_proxy_signin {
  internal;
  return 302 https://auth.aurbotstem.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
# --- /authentik forward-auth ---

5) Save and test

Open an incognito window:
- https://docs.aurbotstem.com
Expected behavior:
- You are redirected to https://auth.aurbotstem.com to sign in
- After login, you return to the requested docs page

Verification

Incognito user is forced to login
After login, deep links work (e.g. /docs/network/subdomains)
No infinite redirect loop

Rollback

Remove the Advanced config snippet from the NPM proxy host for docs.aurbotstem.com

Troubleshooting

Redirect loop: confirm the Authentik provider external host is exactly https://docs.aurbotstem.com
401 after login: check outpost selection; ensure provider/application attached to embedded outpost
Check NPM logs:
- docker logs -f npm

References

Authentik Nginx/NPM forward-auth docs: https://goauthentik.io/docs/

Changelog

2026-02-12: Initial SOP created.

Purpose​

Scope​

Architecture​

Prereqs​

Inputs​

Procedure​

1) Create Authentik Proxy Provider​

2) Create an Application​

3) Ensure Outpost is enabled​

4) Add Forward-Auth to NPM (docs host)​

5) Save and test​

Verification​

Rollback​

Troubleshooting​

References​

Changelog​