
ForwardAuth with copy_headers leaves template code in header if auth backend doesn't set that header #6610

Open
mbunkus opened this issue Oct 7, 2024 · 4 comments · May be fixed by #6608
mbunkus commented Oct 7, 2024

Caddy 2.8.4

Using Caddy with Authelia, I have Authelia configured to only do 2FA with certain URIs & to completely bypass certain other URIs. For those URIs that completely bypass authentication Authelia cannot & does not set a Remote-User header.

Unfortunately Caddy doesn't like that very much. With a simple configuration snippet such as

https://… {
	forward_auth https://authelia-server:8000 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}
	reverse_proxy https://…
}

what happens is that Caddy sets the Remote-User header correctly when Authelia sets the header, too. But when Authelia does not set the Remote-User header (or any of the others), what Caddy sends to the proxied server is actually the following:

Remote-User: {http.reverse_proxy.header.Remote-User}

Yes, it leaves the template code as-is in the headers it sends to the proxy server. Same for any other header configured via copy_headers that isn't set by Authelia.

This means I'll have to include the bypassed URIs from Authelia's configuration in Caddy's configuration & only send requests for other URIs to Authelia, making this whole configuration much more complex & difficult to maintain.
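The behaviour reported above, as an added Go example that is not Caddy's own code: BuggyCopyHeaders is a simplified model of what the issue describes (every configured name is forwarded, with the placeholder text left unexpanded when the auth backend set nothing), FixedCopyHeaders shows the intended semantics (forward only what the auth backend actually returned), and LeakedPlaceholders is the check a backend operator can run on the headers it receives to notice an identity header that carries a literal {http.reverse_proxy.header.*} placeholder instead of a user. The header names come from the Caddyfile in the report; the sample response headers are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// CopyHeaderNames mirrors the copy_headers list from the issue's Caddyfile.
var CopyHeaderNames = []string{"Remote-User", "Remote-Groups", "Remote-Email", "Remote-Name"}

// PlaceholderPrefix is the literal placeholder text the issue reports reaching
// the proxied backend when the auth backend did not set a header.
const PlaceholderPrefix = "{http.reverse_proxy.header."

// BuggyCopyHeaders models the behaviour reported in the issue (a simplified
// model written for this example, not Caddy's implementation): every configured
// name is always set, so a name the auth backend did not return is forwarded
// with its placeholder text unexpanded.
func BuggyCopyHeaders(authResp http.Header, names []string) http.Header {
	out := http.Header{}
	for _, name := range names {
		value := authResp.Get(name)
		if value == "" {
			// Nothing to expand the placeholder to, so the template text itself is sent.
			value = PlaceholderPrefix + name + "}"
		}
		out.Set(name, value)
	}
	return out
}

// FixedCopyHeaders forwards only the headers the auth backend actually set, so a
// request the auth backend bypassed reaches the upstream with no Remote-* headers.
func FixedCopyHeaders(authResp http.Header, names []string) http.Header {
	out := http.Header{}
	for _, name := range names {
		for _, value := range authResp.Values(name) {
			out.Add(name, value)
		}
	}
	return out
}

// LeakedPlaceholders is the check a backend (or a test) can run on the headers
// it receives: it returns, sorted, the names whose value is an unexpanded
// {http.reverse_proxy.header.*} placeholder rather than a real identity value.
func LeakedPlaceholders(h http.Header) []string {
	var leaked []string
	for name, values := range h {
		for _, value := range values {
			if strings.HasPrefix(value, PlaceholderPrefix) && strings.HasSuffix(value, "}") {
				leaked = append(leaked, name)
				break
			}
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	// Constructed sample: the auth backend set only Remote-User and none of the other three.
	authResp := http.Header{}
	authResp.Set("Remote-User", "alice")

	for label, copied := range map[string]http.Header{
		"buggy": BuggyCopyHeaders(authResp, CopyHeaderNames),
		"fixed": FixedCopyHeaders(authResp, CopyHeaderNames),
	} {
		fmt.Printf("%s: forwarded %d header(s), leaked placeholders: %v\n",
			label, len(copied), LeakedPlaceholders(copied))
	}
}
```

The point of the check is that a backend trusting Remote-User would otherwise see a non-empty "user" for a bypassed request; dropping unset headers, as the fixed variant does, keeps absent identity absent.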

francislavoie (Member) commented

I just opened #6608 yesterday to fix it 😂

mbunkus (Author) commented Oct 7, 2024

That's very fortunate 😂 Thanks!

francislavoie (Member) commented

FWIW if you need an immediate workaround, you can check out the forum thread linked in the PR

mbunkus (Author) commented Oct 7, 2024

Thanks, but it's not that urgent. I've added the bypassed URIs as a negative matcher & used that with forward_auth. That suffices until a new release fixes the issue. I'd just rather I don't have to keep both locations in sync indefinitely, which I won't have to. Yay!
