Tobias Reisinger
9af19f51fa
The snippet will now set the correct Host for the next hop and keep the original site in the X-Forward-Auth-Host. The authentik caddy-site will then put the X-Forward-Auth-Host into the X-Forwarded-Host (which would normally be the authentik host/domain). Authentik is able to handle the X-Forwarded-Host header.
56 lines
1.5 KiB
Text
56 lines
1.5 KiB
Text
(auth_serguzim_me) {
|
|
# always forward outpost path to actual outpost
|
|
reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
|
|
header_up Host {http.reverse_proxy.upstream.hostport}
|
|
header_up X-Forward-Auth-Host {http.request.host}
|
|
}
|
|
|
|
# forward authentication to outpost
|
|
forward_auth https://auth.serguzim.me {
|
|
uri /outpost.goauthentik.io/auth/caddy
|
|
|
|
header_up Host {http.reverse_proxy.upstream.hostport}
|
|
header_up X-Forward-Auth-Host {http.request.host}
|
|
|
|
# capitalization of the headers is important, otherwise they will be empty
|
|
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
|
|
}
|
|
}
|
|
|
|
(default) {
|
|
encode zstd gzip
|
|
}
|
|
|
|
(acmedns) {
|
|
tls {
|
|
dns acmedns {
|
|
username "{$ACMEDNS_USER}"
|
|
password "{$ACMEDNS_PASS}"
|
|
subdomain "{$ACMEDNS_SUBD}"
|
|
server_url "{$ACMEDNS_URL}"
|
|
}
|
|
}
|
|
}
|
|
|
|
(faas) {
|
|
rewrite * /function/{args[0]}{uri}
|
|
reverse_proxy https://faas.serguzim.me {
|
|
header_up Host {http.reverse_proxy.upstream.hostport}
|
|
}
|
|
}
|
|
|
|
(analytics) {
|
|
handle_path /_a/* {
|
|
reverse_proxy https://analytics.serguzim.me {
|
|
header_up X-Analytics-IP {remote_host}
|
|
header_up Host {http.reverse_proxy.upstream.hostport}
|
|
}
|
|
}
|
|
}
|
|
|
|
(vpn_only) {
|
|
@denied not client_ip private_ranges
|
|
handle @denied {
|
|
redir https://www.serguzim.me/
|
|
}
|
|
}
|