What `Host` header is sent by proxy provider to the application?

[garar]

Describe your question/

I have Authentik setup. And I want to use Authentik to protect Munin html page.

I was wondering what Host header is sent to application when using Proxy provider with basic auth?

Looking at the docs, I found something like:

I'm not sure what "host of the configured backend." mean, but as described below, something is not ok :)

Source: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/#x-forwarded-host

My setup:
Authentik 2024.12.3 using docker compose. Embedded outpost.
Domains:

• Authentik: https://authentik.domain.tld
• Internal host: https://munin-internal.domain.tld
• External host: https://munin.domain.tld

I'm using Apache in front of everything. I have two vhosts:

• vhost for authentik with server alias for munin.domain.tld.
• vhost for munin-internal.domain.tld

I have proxy provider setup with basic auth.

Valid ssl certs from Lets Encrypt.

In theory, my setup seems to be working:

• I can access authentik and setup everything.
• When try to navigate to https://munin.domain.tld I get redirected to authentik login page.
• But when I click login, I get 404.
• I can navigate directly to https://munin-internal.domain.tld and when I enter Basic Auth I see Munin.

When I check access logs, it looks like, the requests are going to authentik backend instead of munin-internal, because invalid host header is sent.

Relevant info
i.e. Version of other software you're using, specifics of your setup

Screenshots
If applicable, add screenshots to help explain your problem.

Logs

Logs for a single request:

{"cidr":"172.16.0.0/12","event":"Setting proxy headers","level":"trace","remoteAddr":"172.18.0.1","timestamp":"2025-02-17T19:35:14Z"}
{"app":"Provider for Munin","event":"Found app based direct host match","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"app":"Provider for Munin","event":"Found app based direct host match","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"event":"passing to application mux","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"event":"setting http basic auth","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"Provider for Munin","timestamp":"2025-02-17T19:35:14Z","username":"garar"}
{"event":"final upstream url","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"Provider for Munin","timestamp":"2025-02-17T19:35:14Z","upstream_url":"https://munin-internal.domain.tld/"}
{"cidr":"172.16.0.0/12","event":"Setting proxy headers","level":"trace","remoteAddr":"172.18.0.1","timestamp":"2025-02-17T19:35:14Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Authorization":["Basic Z2FyYXI6RXY3Z2VqKkM0JEZXNks="],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Cookie":["authentik_session=asd"],"Pragma":["no-cache"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sentry-Trace":["756688bcb8f980f43a0de09fc2ba48eb-f9604141d303e380-0"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"X-Authentik-Email":["foobar@gmail.com"],"X-Authentik-Entitlements":[""],"X-Authentik-Groups":["authentik Admins|Munin users"],"X-Authentik-Jwt":["asd"],"X-Authentik-Meta-App":["munin"],"X-Authentik-Meta-Jwks":["https://authentik.domain.tld/application/o/munin/jwks/"],"X-Authentik-Meta-Outpost":["authentik Embedded Outpost"],"X-Authentik-Meta-Provider":["Provider for Munin"],"X-Authentik-Meta-Version":["goauthentik.io/outpost/2024.12.3"],"X-Authentik-Name":["authentik Default Admin"],"X-Authentik-Uid":["96f474bb166857beba4349b27c6637f4c64ee50c4ea8c68fa1a04810ca9982d8"],"X-Authentik-Username":["akadmin"],"X-Forwarded-For":["192.168.0.243, 172.18.0.4"],"X-Forwarded-Host":["munin.domain.tld, munin.domain.tld"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["authentik.domain.tld, authentik.domain.tld"]},"level":"trace","logger":"authentik.router","timestamp":"2025-02-17T19:35:14Z","url":"http://localhost:8000/"}
{"event":"/","host":"munin.domain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for Munin","remote":"192.168.0.243","runtime":"18.882","scheme":"https","size":0,"status":404,"timestamp":"2025-02-17T19:35:14Z","user":"akadmin","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"}

Version and Deployment (please complete the following information):

• authentik version: 2024.12.3
• Deployment: docker-compose

Additional context
Add any other context about the problem here.

[DirkDuesentrieb]

This seems to ba a duplicate of #12996
@BeryJu: I guess the best would be to make the Host-header configurable. Or at least there should be an option to overwrite it.