[ci skip] Strip Authentik auth headers before forwarding to backend
Add strip-auth-headers Traefik middleware that removes X-authentik-* headers from requests before they reach the backend. Backends like iDRAC and TP-Link gateway break when receiving these extra headers.
This commit is contained in:
parent
30bc2e9386
commit
eef9d25874
3 changed files with 52 additions and 19 deletions
|
|
@ -33,6 +33,10 @@ variable "custom_content_security_policy" {
|
|||
default = null
|
||||
type = string
|
||||
}
|
||||
variable "strip_auth_headers" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
|
||||
resource "kubernetes_service" "proxied-service" {
|
||||
|
|
@ -67,6 +71,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
|||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||
"traefik-crowdsec@kubernetescrd",
|
||||
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
||||
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
||||
var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
|
||||
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
||||
]))
|
||||
|
|
|
|||
|
|
@ -82,6 +82,7 @@ module "idrac" {
|
|||
port = 443
|
||||
tls_secret_name = var.tls_secret_name
|
||||
backend_protocol = "HTTPS"
|
||||
strip_auth_headers = true
|
||||
extra_annotations = {}
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
}
|
||||
|
|
@ -97,6 +98,7 @@ module "tp-link-gateway" {
|
|||
backend_protocol = "HTTPS"
|
||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||
protected = true
|
||||
strip_auth_headers = true
|
||||
extra_annotations = {}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -173,6 +173,32 @@ resource "kubernetes_manifest" "servers_transport_insecure" {
|
|||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Strip Authentik auth headers/cookies before forwarding to backend
|
||||
# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
|
||||
resource "kubernetes_manifest" "middleware_strip_auth_headers" {
|
||||
manifest = {
|
||||
apiVersion = "traefik.io/v1alpha1"
|
||||
kind = "Middleware"
|
||||
metadata = {
|
||||
name = "strip-auth-headers"
|
||||
namespace = kubernetes_namespace.traefik.metadata[0].name
|
||||
}
|
||||
spec = {
|
||||
headers = {
|
||||
customRequestHeaders = {
|
||||
"X-authentik-username" = ""
|
||||
"X-authentik-uid" = ""
|
||||
"X-authentik-email" = ""
|
||||
"X-authentik-name" = ""
|
||||
"X-authentik-groups" = ""
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
depends_on = [helm_release.traefik]
|
||||
}
|
||||
|
||||
# Immich-specific rate limit (higher limits for photo uploads)
|
||||
resource "kubernetes_manifest" "middleware_immich_rate_limit" {
|
||||
manifest = {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue