Fix caddy forward_auth settings for authentik

The snippet will now set the correct Host for the next hop and keep the original site in the X-Forward-Auth-Host. The authentik caddy-site will then put the X-Forward-Auth-Host into the X-Forwarded-Host (which would normally be the authentik host/domain). Authentik is able to handle the X-Forwarded-Host header.
2025-05-30 15:15:34 +02:00 · 2025-05-30 15:15:34 +02:00 · 9af19f51fa
commit 9af19f51fa
parent 5d22308f0f
5 changed files with 16 additions and 10 deletions
--- a/playbooks/roles/authentik/vars/main.yml
+++ b/playbooks/roles/authentik/vars/main.yml
@ -2,6 +2,7 @@
 authentik_svc:
  domain: "{{ all_services | service_get_domain(role_name) }}"
  port: 9000
+  caddy_proxy_extra: "header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}"
  image_tag: 2025.2
  db:
    host: "{{ postgres.host }}"
--- a/playbooks/roles/caddy/files/snippets
+++ b/playbooks/roles/caddy/files/snippets
@ -1,16 +1,19 @@
 (auth_serguzim_me) {
    # always forward outpost path to actual outpost
-    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+    reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
+				header_up Host {http.reverse_proxy.upstream.hostport}
+				header_up X-Forward-Auth-Host {http.request.host}
+		}

    # forward authentication to outpost
-    forward_auth authentik:9000 {
+    forward_auth https://auth.serguzim.me {
        uri /outpost.goauthentik.io/auth/caddy

+				header_up Host {http.reverse_proxy.upstream.hostport}
+				header_up X-Forward-Auth-Host {http.request.host}
+
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-
-        # optional, in this config trust all private ranges, should probably be set to the outposts IP
-        trusted_proxies private_ranges
    }
 }

--- a/playbooks/roles/caddy/templates/Caddyfile.j2
+++ b/playbooks/roles/caddy/templates/Caddyfile.j2
@ -1,7 +1,7 @@
 {
 	email {{ admin_email }}

-    metrics
+	metrics

 	servers {
 		strict_sni_host on
@ -11,9 +11,9 @@
 import /etc/caddy/snippets

 http://{{ host_vpn.domain }} {
-    import vpn_only
+	import vpn_only

-    metrics
+	metrics
 }

 *.serguzim.me {
--- a/playbooks/templates/caddy_site.conf.j2
+++ b/playbooks/templates/caddy_site.conf.j2
@ -21,7 +21,9 @@
 {% elif svc.redirect|default(false) %}
 		redir "{{ svc.redirect }}"
 {% else %}
-		reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }}
+		reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} {
+			{{ svc.caddy_proxy_extra | indent(width='\t', first=False) if svc.caddy_proxy_extra|default(false) }}
+		}
 {% endif %}
 	}
 {% endif %}
--- a/scripts/visualize.py
+++ b/scripts/visualize.py
@ -9,7 +9,7 @@ import hcl2
 icon_overrides = {
    "acme_dns": "lets-encrypt",
    "backup": "restic",
-    "deploy": "webhook",
+    "deploy": "adnanh-webhook",
    "extra_services": None,
    "forgejo_runner": "forgejo",
    "healthcheck": "healthchecks",