From 54b2e19a2619ea9b6e8a7e11282bd7c5786c9b8a Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 5 Jun 2025 18:35:38 +0200
Subject: [PATCH 1/2] providers/proxy: add option to override host header with property mappings

Signed-off-by: Jens Langhammer
---
 .../outpost/proxyv2/application/claims.go | 1 +
 .../outpost/proxyv2/application/mode_proxy.go | 19 ++++++++++++-------
 .../add-secure-apps/providers/proxy/index.md | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/internal/outpost/proxyv2/application/claims.go b/internal/outpost/proxyv2/application/claims.go
index caf765b40009..2e3a79224729 100644
--- a/internal/outpost/proxyv2/application/claims.go
+++ b/internal/outpost/proxyv2/application/claims.go
@@ -3,6 +3,7 @@ package application
 type ProxyClaims struct {
 UserAttributes map[string]interface{} `json:"user_attributes"`
 BackendOverride string `json:"backend_override"`
+ HostHeader string `json:"host_header"`
 IsSuperuser bool `json:"is_superuser"`
 }
 
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index d987cd72b0cf..4555dc28ac8d 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -74,13 +74,18 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 r.URL.Scheme = ou.Scheme
 r.URL.Host = ou.Host
 claims := a.getClaimsFromSession(r)
- if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
- u, err := url.Parse(claims.Proxy.BackendOverride)
- if err != nil {
- a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
- } else {
- r.URL.Scheme = u.Scheme
- r.URL.Host = u.Host
+ if claims != nil && claims.Proxy != nil {
+ if claims.Proxy.BackendOverride != "" {
+ u, err := url.Parse(claims.Proxy.BackendOverride)
+ if err != nil {
+ a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+ } else {
+ r.URL.Scheme = u.Scheme
+ r.URL.Host = u.Host
+ }
+ }
+ if claims.Proxy.HostHeader != "" {
+ r.Host = claims.Proxy.HostHeader
 }
 }
 a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")
diff --git a/website/docs/add-secure-apps/providers/proxy/index.md b/website/docs/add-secure-apps/providers/proxy/index.md
index 6b81f1af2085..09c6d23523a5 100644
--- a/website/docs/add-secure-apps/providers/proxy/index.md
+++ b/website/docs/add-secure-apps/providers/proxy/index.md
@@ -152,3 +152,17 @@ return {
 ```
 
 Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
+
+## Host header:ak-version[2025.6.1]
+
+By default, the proxy provider will use forward the Host header used by the client to the upstream application. Starting with authentik 2025.6.1, it is possible to dynamically adjust the Host header with a property mapping.
+
+```python
+return {
+ "ak_proxy": {
+ "host_header": "my-internal-host-header"
+ }
+}
+```
+
+Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
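Review bot: In the mode_proxy.go hunk, `r.Host = claims.Proxy.HostHeader` copies the session claim into the upstream Host header with no validation and no log entry, whereas the `backend_override` branch directly above parses its value and warns on failure. An upstream that selects a virtual host or tenant from Host is steered by this per-session value, so a mapping result that is not a bare host[:port] should be rejected, and the effective Host should appear next to `upstream_url` in the trace line. The sketch below reuses `url.Parse`, which the hunk already calls, so it needs no new import. proxyModifyRequest starts and ends outside the hunk, so whether `r.Host` is adjusted again later cannot be seen from here.

```go
		if claims.Proxy.HostHeader != "" {
			// Accept only a bare host[:port]; anything else is logged and ignored.
			hu, err := url.Parse("//" + claims.Proxy.HostHeader)
			if err != nil || hu.Host != claims.Proxy.HostHeader {
				a.log.WithField("host_header", claims.Proxy.HostHeader).WithError(err).Warning("ignoring invalid host header override")
			} else {
				r.Host = claims.Proxy.HostHeader
			}
		}
	// … unchanged: closing brace of the claims check …
	a.log.WithField("upstream_url", r.URL.String()).WithField("upstream_host", r.Host).Trace("final upstream url")
```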
From 20b3ef585bbb6c0dc4ac2f15e0327a89a85012c0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 5 Jun 2025 21:29:49 +0200
Subject: [PATCH 2/2] reword questionable english

Signed-off-by: Jens Langhammer
---
 website/docs/add-secure-apps/providers/proxy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/docs/add-secure-apps/providers/proxy/index.md b/website/docs/add-secure-apps/providers/proxy/index.md
index 09c6d23523a5..1110846b8f80 100644
--- a/website/docs/add-secure-apps/providers/proxy/index.md
+++ b/website/docs/add-secure-apps/providers/proxy/index.md
@@ -155,7 +155,7 @@ Afterwards, edit the _Proxy provider_ and add this new mapping. The expression i
 
 ## Host header:ak-version[2025.6.1]
 
-By default, the proxy provider will use forward the Host header used by the client to the upstream application. Starting with authentik 2025.6.1, it is possible to dynamically adjust the Host header with a property mapping.
+By default, the proxy provider will use forwarded Host header received from the client. Starting with authentik 2025.6.1, it is possible to dynamically adjust the Host header with a property mapping.
 
 ```python
 return {