Air-gapped environments

Outbound connections

By default, authentik creates outbound connections to the following URLs:

Configuration

To disable these outbound connections, adjust the following settings:

Add the following block to your .env file:

AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_DISABLE_UPDATE_CHECK=true
AUTHENTIK_ERROR_REPORTING__ENABLED=false

Afterwards, run the upgrade commands from the latest release notes.

Additionally, adjust the following System settings:

  • Avatars: By default this setting connects to Gravatar. To avoid outgoing connections, set this to a combination of other options, such as initials.

Required resources

Container images

authentik deployments require access to the following container images. In an air-gapped environment, this can be achieved by mirroring the images to an internal registry, or using other methods appropriate for your environment.

Main image

  • ghcr.io/goauthentik/server or authentik/server

Outpost images

  • ghcr.io/goauthentik/ldap or authentik/ldap
  • ghcr.io/goauthentik/proxy or authentik/proxy
  • ghcr.io/goauthentik/rac or authentik/rac
  • ghcr.io/goauthentik/radius or authentik/radius

Supporting services

  • PostgreSQL

Helm repositories

For Helm deployments, ensure access to the following repository. In an air-gapped environment, this can be achieved by mirroring the chart to an internal registry, or using other methods appropriate for your environment.

Upgrades

Before upgrading an air-gapped deployment, review the release notes for the target version and mirror the required resources for that version into your internal registry or artifact repository. The air-gapped upgrade itself uses the same upgrade commands as a connected deployment, but those commands must reference the mirrored images and chart artifacts.

On a system with internet access, download the target release's compose.yml file, then mirror the authentik server image that is referenced by that file. If you use managed outposts, mirror the matching outpost images as well.

After transferring the updated compose.yml into the air-gapped environment, update your .env file to point to the mirrored authentik image repository and target tag:

AUTHENTIK_IMAGE=registry.company/authentik/server
AUTHENTIK_TAG=2026.2.0
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=registry.company/authentik/%(type)s:%(version)s

Replace the registry path and version with your mirrored image location and target authentik version. If the air-gapped environment can pull from an internal registry, run the normal Docker Compose upgrade commands:

docker compose pull
docker compose up -d

If you transfer images as archives instead of using an internal registry, load the images on the Docker host first, then run docker compose up -d.
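
The following shell check is an added example, not part of the authentik documentation or code base. It audits a .env file for the outbound-connection settings from the Configuration section and the mirrored-image settings from this section; the function names and the sample file are constructed for illustration, and the outpost image base is flagged when unset, which matters only if you run managed outposts.

```shell
#!/bin/sh
# Added example (not authentik code): audit a .env file for this page's air-gap settings.
# Function names and the sample file are constructed for illustration.

# env_get FILE KEY: print the last value assigned to KEY, surrounding quotes stripped.
env_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# audit_airgap_env FILE REGISTRY: print one finding per line; return 1 if any were found.
audit_airgap_env() {
    file=$1 registry=${2%/}/ findings=0   # trailing slash: match on a path boundary
    # Settings that must hold exactly the value shown on this page.
    for want in AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true \
                AUTHENTIK_DISABLE_UPDATE_CHECK=true \
                AUTHENTIK_ERROR_REPORTING__ENABLED=false; do
        key=${want%%=*} expected=${want#*=}
        got=$(env_get "$file" "$key")
        if [ "$got" != "$expected" ]; then
            echo "$key: expected '$expected', found '${got:-<unset>}'"
            findings=$((findings + 1))
        fi
    done
    # Image references that must point at the mirrored (internal) registry.
    for key in AUTHENTIK_IMAGE AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE; do
        got=$(env_get "$file" "$key")
        case $got in
            "$registry"*) ;;
            *) echo "$key: '${got:-<unset>}' is not under $registry"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: update check not disabled, server image still on the public registry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_IMAGE=ghcr.io/goauthentik/server
AUTHENTIK_TAG=2026.2.0
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=registry.company/authentik/%(type)s:%(version)s
EOF
audit_airgap_env "$sample" registry.company || echo "audit failed: fix the findings above"
rm -f "$sample"
```

Run the check against the real .env before `docker compose up -d`; an empty result with exit status 0 means all five settings match.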

Network requirements

Required ports

  • 9000/9443: Default authentik server ports for HTTP/HTTPS access.
  • 80/443: For reverse proxy setups (if using a load balancer or ingress controller).
  • SMTP ports: Connectivity to your configured SMTP server (typically 25, 465, or 587).
  • S3/object storage: If configured, connectivity to your S3-compatible storage.

Outpost-specific ports

To communicate with authentik, each outpost container requires access to the authentik server over the protocol specified in the URL set in the AUTHENTIK_HOST environment variable (preferably HTTPS).

The outpost containers also need certain ports exposed:

  • LDAP Outpost: Ports 389/636 (LDAP/LDAPS) exposed to ports 3389/6636 of the container.
  • Proxy Outpost: Ports 9000/9443 (HTTP/HTTPS) exposed to ports 9000/9443 of the container.
  • RAC Outpost: Exposed ports not required.
  • RADIUS Outpost: Port 1812 (RADIUS Authentication) exposed to port 1812/udp of the container.

For more detailed information about outpost configuration in air-gapped environments, see the Outposts documentation.