From 1f838bb2aa7df8a26aea24182287e07789fce41e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 10 Feb 2022 23:09:55 +0100
Subject: [PATCH] outposts/proxy: add X-Forwarded-Host since Host now gets changed by the proxy
closes #2284
Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/mode_proxy.go | 1 +
 internal/outpost/proxyv2/application/mode_proxy_test.go | 1 +
 website/docs/providers/proxy/proxy.md | 6 ++++++
 website/docs/releases/v2022.1.md | 2 ++
 4 files changed, 10 insertions(+)
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index 92dedd766..e4ccf14a3 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -73,6 +73,7 @@ func (a *Application) configureProxy() error {
 func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 return func(r *http.Request) {
+ r.Header.Set("X-Forwarded-Host", r.Host)
 claims, _ := a.getClaims(r)
 r.URL.Scheme = ou.Scheme
 r.URL.Host = ou.Host
diff --git a/internal/outpost/proxyv2/application/mode_proxy_test.go b/internal/outpost/proxyv2/application/mode_proxy_test.go
index 6aeb6ccb7..ffdfa978c 100644
--- a/internal/outpost/proxyv2/application/mode_proxy_test.go
+++ b/internal/outpost/proxyv2/application/mode_proxy_test.go
@@ -19,6 +19,7 @@ func TestProxy_ModifyRequest(t *testing.T) {
 }
 a.proxyModifyRequest(u)(req)
+ assert.Equal(t, "frontend", req.Header.Get("X-Forwarded-Host"))
 assert.Equal(t, "/foo", req.URL.Path)
 assert.Equal(t, "backend:8012", req.URL.Host)
 assert.Equal(t, "backend:8012", req.Host)
diff --git a/website/docs/providers/proxy/proxy.md b/website/docs/providers/proxy/proxy.md
index 185e7fdf2..d458a561d 100644
--- a/website/docs/providers/proxy/proxy.md
+++ b/website/docs/providers/proxy/proxy.md
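Review bot: The added `r.Header.Set("X-Forwarded-Host", r.Host)` in proxyModifyRequest (mode_proxy.go) relies on two undocumented properties that a later edit could easily break. It has to run before the request's Host is rewritten to the upstream, since the test in this commit expects `req.Host` to be `backend:8012` afterwards. It also uses `Set` rather than `Add`, which replaces any `X-Forwarded-Host` the client supplied. I would add a comment above it such as `// Record the client-facing Host before it is rewritten to the upstream; Set (not Add) discards any X-Forwarded-Host sent by the client.` The value is still the client's own Host header, so backends should use it for redirects or link building only if the outpost rejects requests whose Host matches no configured application, which this hunk does not show; the closure body also continues past the hunk.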
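Review bot: The new assertion in TestProxy_ModifyRequest only covers a request that arrives without an `X-Forwarded-Host`, so the overwrite behaviour of `Header.Set` is not pinned by any test. Adding `req.Header.Set("X-Forwarded-Host", "client-supplied")` before the `a.proxyModifyRequest(u)(req)` call would make the existing `assert.Equal(t, "frontend", ...)` line also prove that a client-supplied value never reaches the backend. The request setup sits above the hunk, so this assumes `req` carries no such header today.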
@@ -46,6 +46,12 @@ Besides these user-specific headers, some application specific headers are also
 The authentik outpost's version.
+### Only in proxy mode
+
+- X-Forwarded-Host:
+
+ The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
+
 ## HTTPS
 The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
diff --git a/website/docs/releases/v2022.1.md b/website/docs/releases/v2022.1.md
index c97dfc862..ce313f347 100644
--- a/website/docs/releases/v2022.1.md
+++ b/website/docs/releases/v2022.1.md
@@ -23,6 +23,8 @@ This release mostly removes legacy fields and features that have been deprecated
 - X-Forwarded-Preferred-Username, use `X-authentik-username`
 - X-Forwarded-User, use `X-authentik-uid`
+ The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
+
 Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets.
 - API: