[ci skip] Strip Authentik auth headers before forwarding to backend

Add strip-auth-headers Traefik middleware that removes X-authentik-* headers from requests before they reach the backend. Backends like iDRAC and TP-Link gateway break when receiving these extra headers.
2026-02-07 20:28:44 +00:00 · 2026-02-07 20:28:44 +00:00 · eef9d25874
commit eef9d25874
parent 30bc2e9386
3 changed files with 52 additions and 19 deletions
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@ -33,6 +33,10 @@ variable "custom_content_security_policy" {
  default = null
  type    = string
 }
+variable "strip_auth_headers" {
+  type    = bool
+  default = false
+}


 resource "kubernetes_service" "proxied-service" {
@ -67,11 +71,12 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
        var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
        "traefik-crowdsec@kubernetescrd",
        var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
+        var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
        var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
        var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
      ]))
-      "traefik.ingress.kubernetes.io/router.entrypoints"    = "websecure"
-      "traefik.ingress.kubernetes.io/service.serversscheme"  = var.backend_protocol == "HTTPS" ? "https" : null
+      "traefik.ingress.kubernetes.io/router.entrypoints"       = "websecure"
+      "traefik.ingress.kubernetes.io/service.serversscheme"    = var.backend_protocol == "HTTPS" ? "https" : null
      "traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
    }, var.extra_annotations)
  }
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@ -76,28 +76,30 @@ module "nas-files" {

 # https://idrac.viktorbarzin.me/
 module "idrac" {
-  source            = "./factory"
-  name              = "idrac"
-  external_name     = "idrac.viktorbarzin.lan"
-  port              = 443
-  tls_secret_name   = var.tls_secret_name
-  backend_protocol  = "HTTPS"
-  extra_annotations = {}
-  depends_on        = [kubernetes_namespace.reverse-proxy]
+  source             = "./factory"
+  name               = "idrac"
+  external_name      = "idrac.viktorbarzin.lan"
+  port               = 443
+  tls_secret_name    = var.tls_secret_name
+  backend_protocol   = "HTTPS"
+  strip_auth_headers = true
+  extra_annotations  = {}
+  depends_on         = [kubernetes_namespace.reverse-proxy]
 }

 # Can either listen on https or http; can't do both :/
 # TODO: Not working yet
 module "tp-link-gateway" {
-  source            = "./factory"
-  name              = "gw"
-  external_name     = "gw.viktorbarzin.lan"
-  port              = 443
-  tls_secret_name   = var.tls_secret_name
-  backend_protocol  = "HTTPS"
-  depends_on        = [kubernetes_namespace.reverse-proxy]
-  protected         = true
-  extra_annotations = {}
+  source             = "./factory"
+  name               = "gw"
+  external_name      = "gw.viktorbarzin.lan"
+  port               = 443
+  tls_secret_name    = var.tls_secret_name
+  backend_protocol   = "HTTPS"
+  depends_on         = [kubernetes_namespace.reverse-proxy]
+  protected          = true
+  strip_auth_headers = true
+  extra_annotations  = {}
 }

 # https://truenas.viktorbarzin.me/
--- a/modules/kubernetes/traefik/middleware.tf
+++ b/modules/kubernetes/traefik/middleware.tf
@ -173,6 +173,32 @@ resource "kubernetes_manifest" "servers_transport_insecure" {
  depends_on = [helm_release.traefik]
 }

+# Strip Authentik auth headers/cookies before forwarding to backend
+# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
+resource "kubernetes_manifest" "middleware_strip_auth_headers" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "strip-auth-headers"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      headers = {
+        customRequestHeaders = {
+          "X-authentik-username" = ""
+          "X-authentik-uid"      = ""
+          "X-authentik-email"    = ""
+          "X-authentik-name"     = ""
+          "X-authentik-groups"   = ""
+        }
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # Immich-specific rate limit (higher limits for photo uploads)
 resource "kubernetes_manifest" "middleware_immich_rate_limit" {
  manifest = {