outpost/embedded: only send requests for non-akprox paths when we're doing proxy mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

internal/outpost/proxy/api_bundle.go

@@ -25,6 +25,7 @@ type providerBundle struct {
 	Host  string
 
 	endSessionUrl string
+	Mode          *api.ProxyMode
 
 	cert *tls.Certificate
 
@@ -49,6 +50,10 @@ func (pb *providerBundle) replaceLocal(url string) string {
 }
 
 func (pb *providerBundle) prepareOpts(provider api.ProxyOutpostConfig) *options.Options {
+	// We need to save the mode in the bundle
+	// Since for the embedded outpost we only switch for fully proxy providers
+	pb.Mode = provider.Mode
+
 	externalHost, err := url.Parse(provider.ExternalHost)
 	if err != nil {
 		log.WithError(err).Warning("Failed to parse URL, skipping provider")

internal/web/web_proxy.go

@@ -6,6 +6,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 
+	"goauthentik.io/api"
 	"goauthentik.io/internal/utils/web"
 )
 
@@ -36,12 +37,14 @@ func (ws *WebServer) configureProxy() {
 	ws.m.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		host := web.GetHost(r)
 		if ws.ProxyServer != nil {
-			if _, ok := ws.ProxyServer.Handlers[host]; ok {
+			if p, ok := ws.ProxyServer.Handlers[host]; ok {
+				if *p.Mode == api.PROXYMODE_PROXY {
 					ws.log.WithField("host", host).Trace("routing to proxy outpost")
 					ws.ProxyServer.Handler(rw, r)
 					return
 				}
 			}
+		}
 		ws.log.WithField("host", host).Trace("routing to application server")
 		rp.ServeHTTP(rw, r)
 	})