diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 605ce1b60..6496808d9 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -74,9 +74,9 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
 return u
 }
-// getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1044
+// getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) *url.URL {
- h := r.Header.Get("X-Original-URI")
+ h := r.Header.Get("X-Original-URL")
 if len(h) < 1 {
 a.log.WithError(errors.New("blank URL")).Warning("blank URL")
 return r.URL
diff --git a/internal/outpost/proxyv2/application/mode_forward_nginx_test.go b/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
index b63b4fb9b..3842a49bc 100644
--- a/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
+++ b/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
@@ -23,7 +23,7 @@ func TestForwardHandleNginx_Single_Blank(t *testing.T) {
 func TestForwardHandleNginx_Single_Skip(t *testing.T) {
 a := newTestApplication()
 req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
- req.Header.Set("X-Original-URI", "http://test.goauthentik.io/skip")
+ req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
 rr := httptest.NewRecorder()
 a.forwardHandleNginx(rr, req)
@@ -34,7 +34,7 @@ func TestForwardHandleNginx_Single_Skip(t *testing.T) {
 func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 a := newTestApplication()
 req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
- req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app")
+ req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
 rr := httptest.NewRecorder()
 a.forwardHandleNginx(rr, req)
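Review bot: In mode_common.go, getNginxForwardUrl takes the URL under evaluation from the `X-Original-URL` request header, and the doc comment does not say that the fronting proxy has to set this header itself on the auth subrequest rather than pass a client-supplied value through. The Single_Skip test suggests the result feeds skip-path matching, so I would state the requirement on the function, e.g. `// getNginxForwardUrl reads X-Original-URL, which the reverse proxy must set itself; a client-supplied value must never reach the outpost.` Deployments whose nginx config still sends `X-Original-URI` will now take the blank branch and fall back to `r.URL` with only a generic "blank URL" warning; naming the header, `a.log.Warning("X-Original-URL header missing, falling back to request URL")`, would make that visible after an upgrade. The function body continues past the end of the hunk, so how `h` is parsed and validated is not visible here.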
@@ -110,7 +110,7 @@ func TestForwardHandleNginx_Domain_Header(t *testing.T) {
 a.proxyConfig.CookieDomain = api.PtrString("foo")
 a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
 req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
- req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app")
+ req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
 rr := httptest.NewRecorder()
 a.forwardHandleNginx(rr, req)
diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md
index d162b8bf9..41f4475f5 100644
--- a/website/docs/providers/proxy/_nginx_ingress.md
+++ b/website/docs/providers/proxy/_nginx_ingress.md
@@ -32,5 +32,5 @@ metadata:
 nginx.ingress.kubernetes.io/auth-response-headers: |
 Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
 nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Host $http_host;
 ```
diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md
index e8ec47c9c..14a473c76 100644
--- a/website/docs/providers/proxy/_nginx_proxy_manager.md
+++ b/website/docs/providers/proxy/_nginx_proxy_manager.md
@@ -6,8 +6,6 @@ For Nginx Proxy Manager you can use this snippet
 # header from upstream' error when trying to access an application protected by goauthentik
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
-fastcgi_buffers 16 16k;
-fastcgi_buffer_size 32k;
 location / {
 # Put your proxy_pass to your application here
@@ -16,6 +14,8 @@ location / {
 # authentik-specific config
 auth_request /akprox/auth/nginx;
 error_page 401 = @akprox_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
 # translate headers from the outposts back to the actual upstream
 auth_request_set $authentik_username $upstream_http_x_authentik_username;
@@ -37,6 +37,7 @@ location /akprox {
 # ensure the host of this vserver matches your external URL you've configured
 # in authentik
 proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 add_header Set-Cookie $auth_cookie;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 }
diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md
index 24885063c..884b98c24 100644
--- a/website/docs/providers/proxy/_nginx_standalone.md
+++ b/website/docs/providers/proxy/_nginx_standalone.md
@@ -13,8 +13,6 @@ server {
 # header from upstream' error when trying to access an application protected by goauthentik
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
 location / {
 # Put your proxy_pass to your application here
@@ -25,6 +23,8 @@ server {
 error_page 401 = @akprox_signin;
 # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
 # error_page 401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
 # translate headers from the outposts back to the actual upstream
 auth_request_set $authentik_username $upstream_http_x_authentik_username;
@@ -46,6 +46,7 @@ server {
 # ensure the host of this vserver matches your external URL you've configured
 # in authentik
 proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 add_header Set-Cookie $auth_cookie;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
 }