outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors

closes #1969 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-20 13:30:19 +01:00 · 2021-12-20 13:30:19 +01:00 · ef23a0da52
parent ba527e7141
commit ef23a0da52
4 changed files with 9 additions and 4 deletions
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@ -96,6 +96,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
        super().reconcile(current, reference)
        if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
            raise NeedsUpdate()
+        if (
+            current.spec.forwardAuth.authResponseHeadersRegex
+            != reference.spec.forwardAuth.authResponseHeadersRegex
+        ):
+            raise NeedsUpdate()

    def get_reference_object(self) -> TraefikMiddleware:
        """Get deployment object for outpost"""
@ -111,7 +116,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
                forwardAuth=TraefikMiddlewareSpecForwardAuth(
                    address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
                    authResponseHeaders=[],
-                    authResponseHeadersRegex="^.*$",
+                    authResponseHeadersRegex="^(Remote|X).*$",
                    trustForwardHeader=True,
                )
            ),
--- a/website/docs/providers/proxy/_traefik_compose.md
+++ b/website/docs/providers/proxy/_traefik_compose.md
@ -34,7 +34,7 @@ services:
      # `authentik-proxy` refers to the service name in the compose file.
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
-      traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$
+      traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Remote|X).*$$
    restart: unless-stopped

  whoami:
--- a/website/docs/providers/proxy/_traefik_ingress.md
+++ b/website/docs/providers/proxy/_traefik_ingress.md
@ -9,7 +9,7 @@ spec:
  forwardAuth:
    address: http://outpost.company:9000/akprox/auth/traefik
    trustForwardHeader: true
-    authResponseHeadersRegex: ^.*$
+    authResponseHeadersRegex: ^(Remote|X).*$
 ```

 Add the following settings to your IngressRoute
--- a/website/docs/providers/proxy/_traefik_standalone.md
+++ b/website/docs/providers/proxy/_traefik_standalone.md
@ -5,7 +5,7 @@ http:
      forwardAuth:
        address: http://outpost.company:9000/akprox/auth/traefik
        trustForwardHeader: true
-        authResponseHeadersRegex: ^.*$
+        authResponseHeadersRegex: ^(Remote|X).*$
  routers:
    default-router:
      rule: "Host(`app.company`)"