Exposed ports in the default config

[EliRibble]

Thanks for this module - it's vastly superior on NixOS to running OCI containers.

One thing I noticed after starting the service is that a large number of ports were opened on all addresses:

• 9443
• 9300
• 9000

Turns out that's from the default configuration at /var/lib/private/authentik/authentik/lib/default.yml which specifies:

...
listen:
  listen_http: 0.0.0.0:9000
  listen_https: 0.0.0.0:9443
  listen_ldap: 0.0.0.0:3389
  listen_ldaps: 0.0.0.0:6636
  listen_radius: 0.0.0.0:1812
  listen_metrics: 0.0.0.0:9300
  listen_debug: 0.0.0.0:9900
  listen_debug_py: 0.0.0.0:9901

When running inside containers, which seems to be the normal way to install Authentik this is not nearly as dangerous as it is running directly on the host operating system as one does in NixOS.

Eventually I figured out how to add a much safer configuration to my NixOS config:

services.authentik.settings.listen = {
                                        listen_debug = "127.0.0.1:9900";
                                        listen_debug_py = "127.0.0.1:9901";
                                        listen_http = "127.0.0.1:9000";
                                        listen_https = "127.0.0.1:9443";
                                        listen_ldap = "127.0.0.1:3389";
                                        listen_ldaps = "127.0.0.1:6636";
                                        listen_radius = "127.0.0.1:1812";
                                        listen_metrics = "127.0.0.1:9300";
};

I think it'd be a good idea to make this the default for this flake for security, but if not, to explicitly document it since I did not expect this service to bind to public addresses quite so liberally. What do you think?

[Ma27]

I assume at least ldaps/https are things that are in theory supposed to be publicly exposed, right?

So this is something we sholdn't be doing for all of those, right?

[EliRibble]

I assume at least ldaps/https are things that are in theory supposed to be publicly exposed, right?

I believe that is accurate, yes. It also is possible that HTTPS should be exposed - I've always run Authentik behind a reverse proxy that handles TLS - since it could be that Authentik can terminate TLS itself and is secure enough. I just don't know. I wanted to document everything I found though.

So this is something we sholdn't be doing for all of those, right?

Security, as always, is a balance. I didn't do anything to configure particular outposts, so it looks like only http, https, and metrics are enabled by default. Personally, I'm familiar enough with networking that I kind of like it when services default to a safe binding, like a loopback address, until I tell them what addresses to bind to because it avoids any (potentially ugly) surprises. But, I also understand that if you're less familiar you can have a frustrating time when you enable a service but can't reach it externally.

I think that clearly the metrics should not bind a public address by default as that seems really insecure. I also think HTTP shouldn't bind to a public address by default since it encourages people to run unencrypted, which seems a dangerous thing to encourge for an authentication system. I think binding HTTPS to a public address by default is pretty arguable, but I would prefer not to. I don't know what happens with the debug ports as I've never used them, but that seems likely to be dangerous on a public address. LDAP/LDAPS/Radius is probably fine to be public, but I'm not sure since I've never used them.

[Ma27]

I think that clearly the metrics should not bind a public address by default as that seems really insecure

This is only a real problem when not using the builtin firewall from NixOS which rejects new traffic to ports by default (excl. ports from networking.firewall.allowedTCPPorts et al.)? And in that case I do expect people to know what they're doing.

[EliRibble]

I think relying on a firewall, even if enabled by default, is a security strategy that creates danger for customers.

The tradeoff is customer's security in exchange for their potential frustration when they install Authentik, want it exposed publicly, and have to figure out how to do that.

[Ma27]

I think you're overinterpreting stuff here:

• The sole reason this is 0.0.0.0 is that I usually do it the nixpkgs way, i.e. re-using upstream defaults.
• In fact none of the Authentik instances I ever operated, were routed publicly (i.e. a different machine was the reverse proxy).

My point is that there's a major difference between "really insecure" and the case you're describing here.

But to reiterate my first post, I'm fine with this being changed, feel free to file a PR. But I still think that this should not apply to ldaps/https.

[dminuoso]

The following should default to 0.0.0.0:

• listen_ldap: 0.0.0.0:3389
• listen_ldaps: 0.0.0.0:6636
• listen_radius: 0.0.0.0:1812
• listen_metrics: 0.0.0.0:9300

Whether you run a reverse proxy in a DMZ or not, you need those to be reachable across network. It is what the average user would want. The experts that set up a separate TLS or RadSec reverse proxy likely will be paranoid enough to think about listen addresses anyway and also worry about tight security policies.

But these should default to 127.0.0.1:

• listen_debug: 127.0.0.1:9900
• listen_debug_py: 127.0.0.1:9901

There is just no good reason to expose these on network reachable interfaces, 127.0.0.1 + SSH port forwarding is the norm for this style.

And as for

• listen_http: 127.0.0.1:9000
• listen_https: 127.0.0.1:9443

I dont think it matters. Should you want those exposed, you probably would reconfigure them to :80/:443 ports anyway, at which point you can just pick your preferred listen address. They probably can default to 127.0.0.1 without impacting anyone negatively.

That said, I do not like the upstream nixpkgs behavior in terms of network security. The defaults include both using 0.0.0.0 everywhere on listen addresses and using allowedTCPPorts/allowedUDPPorts, which in combination with multiple network interfaces can lead to security accidents that may be hard to notice, especially since allowedTCPPorts/allowedUDPPorts can hidden behind someone elses modules, it may not even be obvious that ports are wide open in your firewall.

[Ma27]

This is essentially what I suggested before, no?
Feel free to file a PR.

[GeoffreyFrogeye]

Only tangentially related, but I figure people reading this issue might want to know this:

Since 2025.8.4, the listen.listen_* options have been renamed to just listen.* : goauthentik/authentik#17023 .

For people that relied on this setting not to expose their ports to the outside world (as proposed in config snippets above), upgrading to 2025.8.4 silently makes it listen to the outside world again.

For people that relied on this setting to use non-default ports, upgrading to 2025.8.4 will break your setup (that's how I found out).