Authentik Integration
This section explains how to add Authentik as a middleware through Traefik so that you can secure the CSF web interface behind an authentication server.
What is Authentik?
Authentik is an open-source identity provider that helps you manage authentication and access control for your applications. It acts as a centralized system for securely verifying the identity of users before they can access your services. By using Authentik, you can enforce consistent security policies across all the software you manage, rather than relying on separate logins for each service.
With Authentik, you can protect your applications using traditional passwords, implement two-factor authentication (2FA), or even leverage modern passkey solutions. This includes hardware keys such as YubiKey, or software-based passkeys stored in password managers like KeePassXC or Vaultwarden.
Using Authentik adds an extra layer of security and simplifies access management, ensuring that only authorized users can reach sensitive applications like the CSF web interface. It can also integrate with middleware to enforce access policies without exposing your services to the public internet.
Before You Begin
Currently, CSF does not have built-in functionality to detect if your system is protected by an authentication service such as Authentik or Authelia.
If you choose to put CSF behind Authentik, you will encounter two authentication prompts when accessing the CSF web interface:
- The Authentik sign-in screen
- CSF’s native login interface
We are working on a feature that will allow CSF to disable its built-in login system and rely entirely on a third-party authentication app. When this is implemented, you will only see a single login screen.
Setup
If you are adding Authentik as a Traefik middleware following the steps above, the last thing you must do is log in to your Authentik admin panel and add a new Provider so that the CSF web interface can be reached through your domain.
Once you sign into the Authentik admin panel, go to the left-side navigation, select Applications › Providers.
Then at the top of the new page, click Create.
For the provider, select Proxy Provider.
Add the following provider values:
- Name: CSF ForwardAuth
- Authentication Flow: default-source-authentication (Welcome to authentik!)
- Authorization Flow: default-provider-authorization-implicit-consent (Authorize Application)
Select Forward Auth (single application):
- External Host: https://csf.domain.com
Once finished, click Create. Then on the left-side menu, select Applications › Applications.
Then at the top of the new page, click Create.
Add the following parameters:
- Name: CSF (ConfigServer Firewall)
- Slug: csf
- Group: Administrative
- Provider: CSF ForwardAuth
- Backchannel Providers: None
- Policy Engine Mode: any
Save, and then on the left-side menu, select Applications › Outposts.
Find your Outpost and edit it.
Move CSF (ConfigServer Firewall) to the right-side Selected Applications box.
You should now be able to access csf.domain.com and be prompted to authenticate with Authentik.
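For reference, this is the Traefik side that the Authentik steps above rely on: a forwardAuth middleware that sends every request for csf.domain.com to the Authentik outpost, plus a second router that lets Authentik serve its own login redirect and callback paths on that hostname. It is an added example written for this page, not configuration shipped by CSF or Authentik. The container names authentik-server and csf-host, the entry point name websecure, and the ports are assumptions; the outpost path /outpost.goauthentik.io/auth/traefik and the X-authentik-* headers are the ones Authentik's embedded outpost uses.

```yaml
# Added example (not from the CSF docs): Traefik dynamic configuration (file provider)
# wiring the Authentik embedded outpost as a forwardAuth middleware in front of CSF.
# Assumptions: Traefik reaches Authentik at http://authentik-server:9000 and the CSF
# web UI at http://csf-host:6666 (CSF's default UI port). Both hostnames are placeholders.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Authentik's Traefik-specific forward-auth endpoint, served by the outpost
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        # Traefik terminates TLS, so the X-Forwarded-* headers it sets can be trusted
        trustForwardHeader: true
        # Identity headers Authentik adds on success; Traefik copies them to the CSF request
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

  routers:
    # Authentik must answer its own outpost paths on the CSF hostname so that the
    # sign-in redirect and the callback work. This router deliberately carries no
    # authentik middleware and outranks the CSF router via its priority.
    csf-outpost:
      rule: Host(`csf.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
      priority: 15
      entryPoints: [websecure]
      service: authentik
      tls: {}

    # Everything else on csf.domain.com goes through the forwardAuth check first.
    csf:
      rule: Host(`csf.domain.com`)
      priority: 10
      entryPoints: [websecure]
      middlewares: [authentik]
      service: csf
      tls: {}

  services:
    authentik:
      loadBalancer:
        servers:
          - url: http://authentik-server:9000
    csf:
      loadBalancer:
        servers:
          - url: http://csf-host:6666
```

Two points worth checking once this is in place: the csf router must be the only path to the CSF UI, so the UI port should be reachable from Traefik only and not bound on a public interface (otherwise Authentik can simply be walked around), and the csf-outpost router must stay free of the authentik middleware or the login flow loops on itself.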
Authentication Types
When CSF is placed behind Authentik, you will be prompted to log in through Authentik to access the CSF web interface. The method of login depends on your Authentik configuration. Common authentication types include:
- Username + password
- Username + password + secondary authentication (2FA)
- Passkey (SSO / FIDO2) / Passwordless Login
- Duo Authentication
This guide does not cover the full setup of Authentik, as that is outside the scope of CSF. However, there are many tutorials and video guides available online that explain the process in detail.
Next Steps
Select what documentation you would like to proceed with next:
- Geographical IP Block Integration: Configure geographical restrictions in CSF to whitelist or blacklist specific regions from accessing your server. This chapter covers enabling the GeoIP blocklist feature using third-party services such as MaxMind (requires an API key), db-ip, ipdeny, or iptoasn. These services allow you to control access based on location while keeping your server secure.