[ci skip] Strip Authentik auth headers before forwarding to backend

Add strip-auth-headers Traefik middleware that removes X-authentik-*
headers from requests before they reach the backend. Backends like
iDRAC and TP-Link gateway break when receiving these extra headers.
Viktor Barzin 2026-02-07 20:28:44 +00:00
parent 30bc2e9386
commit eef9d25874
3 changed files with 52 additions and 19 deletions


@ -33,6 +33,10 @@ variable "custom_content_security_policy" {
default = null default = null
type = string type = string
} }
variable "strip_auth_headers" {
type = bool
default = false
}
resource "kubernetes_service" "proxied-service" { resource "kubernetes_service" "proxied-service" {
@ -67,6 +71,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
"traefik-crowdsec@kubernetescrd", "traefik-crowdsec@kubernetescrd",
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null, var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null, var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null, var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
])) ]))
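Review bot: The new `strip_auth_headers` variable at the top of the hunk has no `description`, and nothing records that its middleware entry has to stay after `traefik-authentik-forward-auth` in the list — Traefik applies the middlewares in the order given, so the header removal only does its job once forward-auth has added the headers. Suggest `description = "Remove X-authentik-* request headers before the backend; its middleware must follow the forward-auth entry"` on the variable and a trailing `# must follow the forward-auth middleware` on the new list line. The flag is also independent of `var.protected`, so on an unprotected service it still drops any X-authentik-* headers a client sent itself; that looks like a useful property rather than a bug, but presumably intended — confirm. The `kubernetes_ingress_v1` resource that owns the middleware list starts before the hunk.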


@ -82,6 +82,7 @@ module "idrac" {
port = 443 port = 443
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS" backend_protocol = "HTTPS"
strip_auth_headers = true
extra_annotations = {} extra_annotations = {}
depends_on = [kubernetes_namespace.reverse-proxy] depends_on = [kubernetes_namespace.reverse-proxy]
} }
@ -97,6 +98,7 @@ module "tp-link-gateway" {
backend_protocol = "HTTPS" backend_protocol = "HTTPS"
depends_on = [kubernetes_namespace.reverse-proxy] depends_on = [kubernetes_namespace.reverse-proxy]
protected = true protected = true
strip_auth_headers = true
extra_annotations = {} extra_annotations = {}
} }
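Review bot: The `idrac` module enables `strip_auth_headers = true` at line 38 but, unlike `tp-link-gateway` which shows `protected = true` two lines above its new flag, the hunk does not show whether idrac is behind the forward-auth middleware at all; if it is not, the new flag only removes headers that a client could have supplied itself, and the commit message's stated reason (headers added by Authentik) would not apply to it. Worth confirming idrac's `protected` setting outside the hunk, and adding a one-line comment next to each new flag such as `# backend rejects requests carrying X-authentik-* headers` so the reason survives future edits. Both module blocks start before their hunk.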


@ -173,6 +173,32 @@ resource "kubernetes_manifest" "servers_transport_insecure" {
depends_on = [helm_release.traefik] depends_on = [helm_release.traefik]
} }
# Strip Authentik auth headers/cookies before forwarding to backend
# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
resource "kubernetes_manifest" "middleware_strip_auth_headers" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "strip-auth-headers"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
headers = {
customRequestHeaders = {
"X-authentik-username" = ""
"X-authentik-uid" = ""
"X-authentik-email" = ""
"X-authentik-name" = ""
"X-authentik-groups" = ""
}
}
}
}
depends_on = [helm_release.traefik]
}
# Immich-specific rate limit (higher limits for photo uploads) # Immich-specific rate limit (higher limits for photo uploads)
resource "kubernetes_manifest" "middleware_immich_rate_limit" { resource "kubernetes_manifest" "middleware_immich_rate_limit" {
manifest = { manifest = {