Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx forward auth is looking at the X-Original-URI header instead of X-Original-URL #9858

Open
fabrepe opened this issue May 24, 2024 · 1 comment
Open

Nginx forward auth is looking at the X-Original-URI header instead of X-Original-URL #9858

fabrepe opened this issue May 24, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@fabrepe
Copy link

fabrepe commented May 24, 2024

Describe the bug
Nginx Forward Auth provider (domain level) returned the following error : Outpost authentik Embedded Outpost (Provider Provider for XXX) failed to detect a forward URL from nginx

Steps to reproduce the behavior:

While connecting to an application, the application nginx reverse proxy returned an error 500.
Authentik related logs show the error message Outpost authentik Embedded Outpost (Provider Provider for XXX) failed to detect a forward URL from nginx

The application reverse proxy is configured as following (slightly modified copy from the authentik web ui):

1 # authentik-specific config
 auth_request        /outpost.goauthentik.io/auth/nginx;
 ...
 # all requests to /outpost.goauthentik.io must be accessible without authentication
 location /outpost.goauthentik.io {
     proxy_pass          https://authentik:9443/outpost.goauthentik.io;
     # ensure the host of this vserver matches your external URL you've configured
     # in authentik
     proxy_set_header    Host $host;
     add_header          X-Original-URL $scheme://$http_host$request_uri;
 ...
 }

Expected behavior
No error

Solution

The proxy header configuration proposed by the ui is to set X-Original-URL to $scheme://$http_host$request_uri.
However, it seems that the authentik code is checking X-Original-URI (last character is I instead of L) cf.

authentik/internal/outpost/proxyv2/application/mode_common.go

Line 90 in 0766a47

ou := r.Header.Get("X-Original-URI")

In fact, setting the X-Original-URI to $scheme://$http_host$request_uri instead of X-Original-URL solves the error.

It seems that the header X-Original-URL is a standard. Maybe the code may be changed to lookup for it instead ?

Thanks for your awesome application 👍
@fabrepe fabrepe added the bug Something isn't working label May 24, 2024
@ThisIsQasim
Copy link

If it is fixed, would that eliminate the need for enabling and adding additional auth snippet in ingress-nginx as mentioned in the docs?

nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fabrepe @ThisIsQasim