From 63b3434b6f40abc1b06b6a30125dc241857224ca Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 25 Jan 2022 14:25:21 +0100
Subject: [PATCH] website/docs: improve nginx examples

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 internal/outpost/proxyv2/application/mode_common.go         | 4 ++--
 .../outpost/proxyv2/application/mode_forward_nginx_test.go  | 6 +++---
 website/docs/providers/proxy/_nginx_ingress.md              | 2 +-
 website/docs/providers/proxy/_nginx_proxy_manager.md        | 5 +++--
 website/docs/providers/proxy/_nginx_standalone.md           | 5 +++--
 5 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 605ce1b60..6496808d9 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -74,9 +74,9 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
 	return u
 }
 
-// getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1044
+// getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) *url.URL {
-	h := r.Header.Get("X-Original-URI")
+	h := r.Header.Get("X-Original-URL")
 	if len(h) < 1 {
 		a.log.WithError(errors.New("blank URL")).Warning("blank URL")
 		return r.URL
diff --git a/internal/outpost/proxyv2/application/mode_forward_nginx_test.go b/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
index b63b4fb9b..3842a49bc 100644
--- a/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
+++ b/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
@@ -23,7 +23,7 @@ func TestForwardHandleNginx_Single_Blank(t *testing.T) {
 func TestForwardHandleNginx_Single_Skip(t *testing.T) {
 	a := newTestApplication()
 	req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
-	req.Header.Set("X-Original-URI", "http://test.goauthentik.io/skip")
+	req.Header.Set("X-Original-URL", "http://test.goauthentik.io/skip")
 
 	rr := httptest.NewRecorder()
 	a.forwardHandleNginx(rr, req)
@@ -34,7 +34,7 @@ func TestForwardHandleNginx_Single_Skip(t *testing.T) {
 func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 	a := newTestApplication()
 	req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
-	req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app")
+	req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
 
 	rr := httptest.NewRecorder()
 	a.forwardHandleNginx(rr, req)
@@ -110,7 +110,7 @@ func TestForwardHandleNginx_Domain_Header(t *testing.T) {
 	a.proxyConfig.CookieDomain = api.PtrString("foo")
 	a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
 	req, _ := http.NewRequest("GET", "/akprox/auth/nginx", nil)
-	req.Header.Set("X-Original-URI", "http://test.goauthentik.io/app")
+	req.Header.Set("X-Original-URL", "http://test.goauthentik.io/app")
 
 	rr := httptest.NewRecorder()
 	a.forwardHandleNginx(rr, req)
diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md
index d162b8bf9..41f4475f5 100644
--- a/website/docs/providers/proxy/_nginx_ingress.md
+++ b/website/docs/providers/proxy/_nginx_ingress.md
@@ -32,5 +32,5 @@ metadata:
     nginx.ingress.kubernetes.io/auth-response-headers: |
       Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
     nginx.ingress.kubernetes.io/auth-snippet: |
-       proxy_set_header X-Forwarded-Host $http_host;
+       proxy_set_header Host $http_host;
 ```
diff --git a/website/docs/providers/proxy/_nginx_proxy_manager.md b/website/docs/providers/proxy/_nginx_proxy_manager.md
index e8ec47c9c..14a473c76 100644
--- a/website/docs/providers/proxy/_nginx_proxy_manager.md
+++ b/website/docs/providers/proxy/_nginx_proxy_manager.md
@@ -6,8 +6,6 @@ For Nginx Proxy Manager you can use this snippet
 # header from upstream' error when trying to access an application protected by goauthentik
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
-fastcgi_buffers 16 16k;
-fastcgi_buffer_size 32k;
 
 location / {
     # Put your proxy_pass to your application here
@@ -16,6 +14,8 @@ location / {
     # authentik-specific config
     auth_request        /akprox/auth/nginx;
     error_page          401 = @akprox_signin;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $auth_cookie;
 
     # translate headers from the outposts back to the actual upstream
     auth_request_set $authentik_username $upstream_http_x_authentik_username;
@@ -37,6 +37,7 @@ location /akprox {
     # ensure the host of this vserver matches your external URL you've configured
     # in authentik
     proxy_set_header    Host $host;
+    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
     add_header          Set-Cookie $auth_cookie;
     auth_request_set    $auth_cookie $upstream_http_set_cookie;
 }
diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md
index 24885063c..884b98c24 100644
--- a/website/docs/providers/proxy/_nginx_standalone.md
+++ b/website/docs/providers/proxy/_nginx_standalone.md
@@ -13,8 +13,6 @@ server {
     # header from upstream' error when trying to access an application protected by goauthentik
     proxy_buffers 8 16k;
     proxy_buffer_size 32k;
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
 
     location / {
         # Put your proxy_pass to your application here
@@ -25,6 +23,8 @@ server {
         error_page          401 = @akprox_signin;
         # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
         # error_page          401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header Set-Cookie $auth_cookie;
 
         # translate headers from the outposts back to the actual upstream
         auth_request_set $authentik_username $upstream_http_x_authentik_username;
@@ -46,6 +46,7 @@ server {
         # ensure the host of this vserver matches your external URL you've configured
         # in authentik
         proxy_set_header    Host $host;
+        proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
         add_header          Set-Cookie $auth_cookie;
         auth_request_set    $auth_cookie $upstream_http_set_cookie;
     }