diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf
index 4bb7135c..ba81b01b 100644
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@@ -33,6 +33,10 @@ variable "custom_content_security_policy" {
 default = null
 type = string
 }
+variable "strip_auth_headers" {
+ type = bool
+ default = false
+}
 
 resource "kubernetes_service" "proxied-service" {
 
@@ -67,11 +71,12 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
 "traefik-crowdsec@kubernetescrd",
 var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
+ var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
 var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
 var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
 ]))
- "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
- "traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
+ "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+ "traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
 "traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
 }, var.extra_annotations)
 }
diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf
index 7969b215..c34cf58c 100644
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
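Review bot: The new `strip_auth_headers` variable carries no `description`, so a caller of the factory module has to read the ingress annotations to find out what the flag changes; add `description = "When true, chain the traefik strip-auth-headers middleware so X-authentik-* request headers are removed before the request reaches the backend."` to the block. The neighbouring `custom_content_security_policy` variable visible in the context has no description either, so this would be the first documented input rather than an inconsistency.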
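Review bot: The new strip entry is placed after the forward-auth entry in the middleware list, and it only works in that position: Traefik applies a router's middlewares in the order they are listed, so a later reorder that moved it ahead of `traefik-authentik-forward-auth` would run the strip before the headers are injected and silently leave them in place. A comment on the new line, `# must stay after the forward-auth entry: middlewares run in list order`, protects that ordering. The `annotations = merge({ ... })` expression this list belongs to starts outside the hunk.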
@@ -76,28 +76,30 @@ module "nas-files" {
 
 # https://idrac.viktorbarzin.me/
 module "idrac" {
- source = "./factory"
- name = "idrac"
- external_name = "idrac.viktorbarzin.lan"
- port = 443
- tls_secret_name = var.tls_secret_name
- backend_protocol = "HTTPS"
- extra_annotations = {}
- depends_on = [kubernetes_namespace.reverse-proxy]
+ source = "./factory"
+ name = "idrac"
+ external_name = "idrac.viktorbarzin.lan"
+ port = 443
+ tls_secret_name = var.tls_secret_name
+ backend_protocol = "HTTPS"
+ strip_auth_headers = true
+ extra_annotations = {}
+ depends_on = [kubernetes_namespace.reverse-proxy]
 }
 
 # Can either listen on https or http; can't do both :/
 # TODO: Not working yet
 module "tp-link-gateway" {
- source = "./factory"
- name = "gw"
- external_name = "gw.viktorbarzin.lan"
- port = 443
- tls_secret_name = var.tls_secret_name
- backend_protocol = "HTTPS"
- depends_on = [kubernetes_namespace.reverse-proxy]
- protected = true
- extra_annotations = {}
+ source = "./factory"
+ name = "gw"
+ external_name = "gw.viktorbarzin.lan"
+ port = 443
+ tls_secret_name = var.tls_secret_name
+ backend_protocol = "HTTPS"
+ depends_on = [kubernetes_namespace.reverse-proxy]
+ protected = true
+ strip_auth_headers = true
+ extra_annotations = {}
 }
 
 # https://truenas.viktorbarzin.me/
diff --git a/modules/kubernetes/traefik/middleware.tf b/modules/kubernetes/traefik/middleware.tf
index 61f0f338..f9508429 100644
--- a/modules/kubernetes/traefik/middleware.tf
+++ b/modules/kubernetes/traefik/middleware.tf
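Review bot: The `idrac` module sets `strip_auth_headers = true` but not `protected = true`, so its middleware chain in factory/main.tf never includes the forward-auth entry that injects the `X-authentik-*` headers; on that route the strip middleware only removes headers a client sent itself. If iDRAC is meant to sit behind Authentik like `tp-link-gateway`, `protected = true` is missing from the idrac block; if it is deliberately unprotected, a one-line comment such as `# not protected: strip only drops client-supplied X-authentik-* headers` would spare the next reader the same question. Both module blocks are complete within the hunk.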
@@ -173,6 +173,32 @@ resource "kubernetes_manifest" "servers_transport_insecure" {
 depends_on = [helm_release.traefik]
 }
 
+# Strip Authentik auth headers/cookies before forwarding to backend
+# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
+resource "kubernetes_manifest" "middleware_strip_auth_headers" {
+ manifest = {
+ apiVersion = "traefik.io/v1alpha1"
+ kind = "Middleware"
+ metadata = {
+ name = "strip-auth-headers"
+ namespace = kubernetes_namespace.traefik.metadata[0].name
+ }
+ spec = {
+ headers = {
+ customRequestHeaders = {
+ "X-authentik-username" = ""
+ "X-authentik-uid" = ""
+ "X-authentik-email" = ""
+ "X-authentik-name" = ""
+ "X-authentik-groups" = ""
+ }
+ }
+ }
+ }
+
+ depends_on = [helm_release.traefik]
+}
+
 # Immich-specific rate limit (higher limits for photo uploads)
 resource "kubernetes_manifest" "middleware_immich_rate_limit" {
 manifest = {
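Review bot: The header comment says the middleware strips "headers/cookies", but the manifest only sets `customRequestHeaders`, which removes request headers; nothing in the hunk touches the `Cookie` header, so the Authentik session cookie still travels to the backend. The comment should claim only what the resource does, e.g. `# Remove Authentik forward-auth request headers before the request reaches the backend (cookies are not touched)`, and the `customRequestHeaders` line deserves `# empty value = delete the header in Traefik` so nobody "fixes" the empty strings. The list also omits headers the authentik outpost sets alongside these — `X-authentik-jwt`, which carries a token, and the `X-authentik-meta-*` headers — so a backend that rejects unexpected headers can still receive them; adding those entries to the same map closes the gap.
```hcl
customRequestHeaders = {
  # … unchanged: existing X-authentik-* entries …
  "X-authentik-jwt"           = ""
  "X-authentik-meta-jwks"     = ""
  "X-authentik-meta-outpost"  = ""
  "X-authentik-meta-provider" = ""
  "X-authentik-meta-app"      = ""
  "X-authentik-meta-version"  = ""
}
```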