viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] Strip Authentik auth headers before forwarding to backend

Browse source 
Add strip-auth-headers Traefik middleware that removes X-authentik-*
headers from requests before they reach the backend. Backends like
iDRAC and TP-Link gateway break when receiving these extra headers.
This commit is contained in:
Viktor Barzin 2026-02-07 20:28:44 +00:00
parent 30bc2e9386
commit eef9d25874
3 changed files with 52 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

9
modules/kubernetes/reverse_proxy/factory/main.tf
View file

@ -33,6 +33,10 @@ variable "custom_content_security_policy" {
default = null default = null
type = string type = string
} }
variable "strip_auth_headers" {
type = bool
default = false
}
resource "kubernetes_service" "proxied-service" { resource "kubernetes_service" "proxied-service" {
@ -67,11 +71,12 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
"traefik-crowdsec@kubernetescrd", "traefik-crowdsec@kubernetescrd",
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null, var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null, var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null, var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
])) ]))
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
"traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null "traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
"traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null "traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
}, var.extra_annotations) }, var.extra_annotations)
} }

36
modules/kubernetes/reverse_proxy/main.tf
View file

@ -76,28 +76,30 @@ module "nas-files" {
# https://idrac.viktorbarzin.me/ # https://idrac.viktorbarzin.me/
module "idrac" { module "idrac" {
source = "./factory" source = "./factory"
name = "idrac" name = "idrac"
external_name = "idrac.viktorbarzin.lan" external_name = "idrac.viktorbarzin.lan"
port = 443 port = 443
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS" backend_protocol = "HTTPS"
extra_annotations = {} strip_auth_headers = true
depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = {}
depends_on = [kubernetes_namespace.reverse-proxy]
} }
# Can either listen on https or http; can't do both :/ # Can either listen on https or http; can't do both :/
# TODO: Not working yet # TODO: Not working yet
module "tp-link-gateway" { module "tp-link-gateway" {
source = "./factory" source = "./factory"
name = "gw" name = "gw"
external_name = "gw.viktorbarzin.lan" external_name = "gw.viktorbarzin.lan"
port = 443 port = 443
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS" backend_protocol = "HTTPS"
depends_on = [kubernetes_namespace.reverse-proxy] depends_on = [kubernetes_namespace.reverse-proxy]
protected = true protected = true
extra_annotations = {} strip_auth_headers = true
extra_annotations = {}
} }
# https://truenas.viktorbarzin.me/ # https://truenas.viktorbarzin.me/

26
modules/kubernetes/traefik/middleware.tf
View file

@ -173,6 +173,32 @@ resource "kubernetes_manifest" "servers_transport_insecure" {
depends_on = [helm_release.traefik] depends_on = [helm_release.traefik]
} }
# Strip Authentik auth headers/cookies before forwarding to backend
# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
resource "kubernetes_manifest" "middleware_strip_auth_headers" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "strip-auth-headers"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
headers = {
customRequestHeaders = {
"X-authentik-username" = ""
"X-authentik-uid" = ""
"X-authentik-email" = ""
"X-authentik-name" = ""
"X-authentik-groups" = ""
}
}
}
}
depends_on = [helm_release.traefik]
}
# Immich-specific rate limit (higher limits for photo uploads) # Immich-specific rate limit (higher limits for photo uploads)
resource "kubernetes_manifest" "middleware_immich_rate_limit" { resource "kubernetes_manifest" "middleware_immich_rate_limit" {
manifest = { manifest = {