
What Host header is sent by proxy provider to the application? #13094

Open
@garar


Describe your question/

I have an Authentik setup, and I want to use Authentik to protect a Munin HTML page.

I was wondering what Host header is sent to the application when using the Proxy provider with basic auth?

Looking at the docs, I found something like:

Image

I'm not sure what "host of the configured backend." means, but as described below, something is not OK :)

Source: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/#x-forwarded-host

My setup:
Authentik 2024.12.3 using docker compose. Embedded outpost.
Domains:

I'm using Apache in front of everything. I have two vhosts:

  • vhost for authentik with server alias for munin.domain.tld.
  • vhost for munin-internal.domain.tld

I have a proxy provider set up with basic auth.

Valid SSL certs from Let's Encrypt.

In theory, my setup seems to be working:

When I check the access logs, it looks like the requests are going to the authentik backend instead of munin-internal, because an invalid Host header is sent.


Logs

Logs for a single request:

{"cidr":"172.16.0.0/12","event":"Setting proxy headers","level":"trace","remoteAddr":"172.18.0.1","timestamp":"2025-02-17T19:35:14Z"}
{"app":"Provider for Munin","event":"Found app based direct host match","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"app":"Provider for Munin","event":"Found app based direct host match","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"event":"passing to application mux","host":"munin.domain.tld","level":"trace","logger":"authentik.outpost.proxyv2","timestamp":"2025-02-17T19:35:14Z"}
{"event":"setting http basic auth","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"Provider for Munin","timestamp":"2025-02-17T19:35:14Z","username":"garar"}
{"event":"final upstream url","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"Provider for Munin","timestamp":"2025-02-17T19:35:14Z","upstream_url":"https://munin-internal.domain.tld/"}
{"cidr":"172.16.0.0/12","event":"Setting proxy headers","level":"trace","remoteAddr":"172.18.0.1","timestamp":"2025-02-17T19:35:14Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Authorization":["Basic Z2FyYXI6RXY3Z2VqKkM0JEZXNks="],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Cookie":["authentik_session=asd"],"Pragma":["no-cache"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sentry-Trace":["756688bcb8f980f43a0de09fc2ba48eb-f9604141d303e380-0"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"X-Authentik-Email":["[email protected]"],"X-Authentik-Entitlements":[""],"X-Authentik-Groups":["authentik Admins|Munin users"],"X-Authentik-Jwt":["asd"],"X-Authentik-Meta-App":["munin"],"X-Authentik-Meta-Jwks":["https://authentik.domain.tld/application/o/munin/jwks/"],"X-Authentik-Meta-Outpost":["authentik Embedded Outpost"],"X-Authentik-Meta-Provider":["Provider for Munin"],"X-Authentik-Meta-Version":["goauthentik.io/outpost/2024.12.3"],"X-Authentik-Name":["authentik Default Admin"],"X-Authentik-Uid":["96f474bb166857beba4349b27c6637f4c64ee50c4ea8c68fa1a04810ca9982d8"],"X-Authentik-Username":["akadmin"],"X-Forwarded-For":["192.168.0.243, 172.18.0.4"],"X-Forwarded-Host":["munin.domain.tld, munin.domain.tld"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["authentik.domain.tld, authentik.domain.tld"]},"level":"trace","logger":"authentik.router","timestamp":"2025-02-17T19:35:14Z","url":"http://localhost:8000/"}
{"event":"/","host":"munin.domain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for Munin","remote":"192.168.0.243","runtime":"18.882","scheme":"https","size":0,"status":404,"timestamp":"2025-02-17T19:35:14Z","user":"akadmin","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"}

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.3
  • Deployment: docker-compose

Additional context
Add any other context about the problem here.
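
The trace lines in the post can be compared mechanically. The following is an added example, not part of the original issue and not authentik code: it reads outpost JSON trace lines and reports whether the host in "final upstream url" differs from the host in the "tracing request to backend" URL, along with the X-Forwarded-Host values. The sample input is constructed from the shape of the log lines above, and it is an assumption that all lines belong to one request.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, trimmed to the fields used below; hostnames are the
# placeholders from the issue, not real systems.
SAMPLE_LOG = """\
{"event":"final upstream url","name":"Provider for Munin","upstream_url":"https://munin-internal.domain.tld/"}
{"event":"tracing request to backend","headers":{"X-Forwarded-Host":["munin.domain.tld, munin.domain.tld"]},"logger":"authentik.router","url":"http://localhost:8000/"}
{"event":"/","host":"munin.domain.tld","name":"Provider for Munin","status":404}
"""


def summarize_routing(log_text):
    """Collect the hosts one proxied request touched, from outpost trace lines."""
    out = {"upstream_host": None, "traced_host": None,
           "forwarded_hosts": [], "status": None}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines mixed into container output
        if not isinstance(rec, dict):
            continue
        event = rec.get("event")
        if event == "final upstream url":
            # Host the provider is configured to forward to.
            out["upstream_host"] = urlsplit(rec.get("upstream_url", "")).hostname
        elif event == "tracing request to backend":
            # Host the traced request was actually sent to.
            out["traced_host"] = urlsplit(rec.get("url", "")).hostname
            for value in rec.get("headers", {}).get("X-Forwarded-Host", []):
                # Each proxy hop appends, so one value can list several hosts.
                out["forwarded_hosts"] += [h.strip() for h in value.split(",") if h.strip()]
        elif "status" in rec:
            out["status"] = rec["status"]  # access-log line for the request
    out["mismatch"] = (out["upstream_host"] is not None
                       and out["traced_host"] is not None
                       and out["upstream_host"] != out["traced_host"])
    return out


if __name__ == "__main__":
    print(json.dumps(summarize_routing(SAMPLE_LOG), indent=2))
```

A mismatch combined with a 404 status is the pattern described in the post: the configured upstream is munin-internal, while the traced request went elsewhere.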

Labels: question