serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix caddy forward_auth settings for authentik

Browse source 
The snippet will now set the correct Host for the next hop and keep the
original site in the X-Forward-Auth-Host. The authentik caddy-site will
then put the X-Forward-Auth-Host into the X-Forwarded-Host (which would
normally be the authentik host/domain). Authentik is able to handle the
X-Forwarded-Host header.
This commit is contained in:
Tobias Reisinger 2025-05-30 15:15:34 +02:00
parent 5d22308f0f
commit 9af19f51fa
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
5 changed files with 16 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

13
playbooks/roles/caddy/files/snippets
View file

@ -1,16 +1,19 @@
(auth_serguzim_me) {
# always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* authentik:9000
reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
header_up Host {http.reverse_proxy.upstream.hostport}
header_up X-Forward-Auth-Host {http.request.host}
}
# forward authentication to outpost
forward_auth authentik:9000 {
forward_auth https://auth.serguzim.me {
uri /outpost.goauthentik.io/auth/caddy
header_up Host {http.reverse_proxy.upstream.hostport}
header_up X-Forward-Auth-Host {http.request.host}
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges
}
}