serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix caddy forward_auth settings for authentik

Browse source 
The snippet will now set the correct Host for the next hop and keep the
original site in the X-Forward-Auth-Host. The authentik caddy-site will
then put the X-Forward-Auth-Host into the X-Forwarded-Host (which would
normally be the authentik host/domain). Authentik is able to handle the
X-Forwarded-Host header.
This commit is contained in:
Tobias Reisinger 2025-05-30 15:15:34 +02:00
parent 5d22308f0f
commit 9af19f51fa
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
5 changed files with 16 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
playbooks/roles/authentik/vars/main.yml
View file

@ -2,6 +2,7 @@
authentik_svc: authentik_svc:
domain: "{{ all_services | service_get_domain(role_name) }}" domain: "{{ all_services | service_get_domain(role_name) }}"
port: 9000 port: 9000
caddy_proxy_extra: "header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}"
image_tag: 2025.2 image_tag: 2025.2
db: db:
host: "{{ postgres.host }}" host: "{{ postgres.host }}"

13
playbooks/roles/caddy/files/snippets
View file

@ -1,16 +1,19 @@
(auth_serguzim_me) { (auth_serguzim_me) {
# always forward outpost path to actual outpost # always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* authentik:9000 reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
header_up Host {http.reverse_proxy.upstream.hostport}
header_up X-Forward-Auth-Host {http.request.host}
}
# forward authentication to outpost # forward authentication to outpost
forward_auth authentik:9000 { forward_auth https://auth.serguzim.me {
uri /outpost.goauthentik.io/auth/caddy uri /outpost.goauthentik.io/auth/caddy
header_up Host {http.reverse_proxy.upstream.hostport}
header_up X-Forward-Auth-Host {http.request.host}
# capitalization of the headers is important, otherwise they will be empty # capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges
} }
} }

4
playbooks/templates/caddy_site.conf.j2
View file

@ -21,7 +21,9 @@
{% elif svc.redirect|default(false) %} {% elif svc.redirect|default(false) %}
redir "{{ svc.redirect }}" redir "{{ svc.redirect }}"
{% else %} {% else %}
reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} {
{{ svc.caddy_proxy_extra | indent(width='\t', first=False) if svc.caddy_proxy_extra|default(false) }}
}
{% endif %} {% endif %}
} }
{% endif %} {% endif %}

2
scripts/visualize.py
View file

@ -9,7 +9,7 @@ import hcl2
icon_overrides = { icon_overrides = {
"acme_dns": "lets-encrypt", "acme_dns": "lets-encrypt",
"backup": "restic", "backup": "restic",
"deploy": "webhook", "deploy": "adnanh-webhook",
"extra_services": None, "extra_services": None,
"forgejo_runner": "forgejo", "forgejo_runner": "forgejo",
"healthcheck": "healthchecks", "healthcheck": "healthchecks",