From ef23a0da525238696ce306ae831aca32936022a3 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 20 Dec 2021 13:30:19 +0100
Subject: [PATCH] outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors
closes #1969
Signed-off-by: Jens Langhammer
---
 authentik/providers/proxy/controllers/k8s/traefik.py | 7 ++++++-
 website/docs/providers/proxy/_traefik_compose.md | 2 +-
 website/docs/providers/proxy/_traefik_ingress.md | 2 +-
 website/docs/providers/proxy/_traefik_standalone.md | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/authentik/providers/proxy/controllers/k8s/traefik.py b/authentik/providers/proxy/controllers/k8s/traefik.py
index 9a0602ff3..81e082683 100644
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@@ -96,6 +96,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 super().reconcile(current, reference)
 if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
 raise NeedsUpdate()
+ if (
+ current.spec.forwardAuth.authResponseHeadersRegex
+ != reference.spec.forwardAuth.authResponseHeadersRegex
+ ):
+ raise NeedsUpdate()

 def get_reference_object(self) -> TraefikMiddleware:
 """Get deployment object for outpost"""
@@ -111,7 +116,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 forwardAuth=TraefikMiddlewareSpecForwardAuth(
 address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
 authResponseHeaders=[],
- authResponseHeadersRegex="^.*$",
+ authResponseHeadersRegex="^(Remote|X).*$",
 trustForwardHeader=True,
 )
 ),
diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md
index 7061f87da..8455a7b0f 100644
--- a/website/docs/providers/proxy/_traefik_compose.md
+++ b/website/docs/providers/proxy/_traefik_compose.md
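Review bot: In `reconcile`, drift is still detected only for `address` and, with this change, `authResponseHeadersRegex`; the reference object built in `get_reference_object` also sets `authResponseHeaders=[]` and `trustForwardHeader=True`, and neither is compared. A Middleware whose `trustForwardHeader` or `authResponseHeaders` was edited in the cluster would therefore be left as it is, which matters because both fields influence which headers the backend ends up trusting. If `TraefikMiddlewareSpecForwardAuth` supports equality (it is constructed like a dataclass, but its definition is not in this hunk), a single `if current.spec.forwardAuth != reference.spec.forwardAuth: raise NeedsUpdate()` would cover all four fields. The body of `reconcile` starts above the hunk.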
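Review bot: The new pattern in `get_reference_object`, `^(Remote|X).*$`, is wider than the subject line's "Remote- and X- headers": without the hyphen it matches any header name that merely begins with `Remote` or `X`. Anchoring on the separator, `authResponseHeadersRegex="^(Remote|X)-.*$",`, would match what the commit message describes; the same pattern is repeated in the three documentation hunks that follow. Even then `X-` covers the `X-Forwarded-*` family, so with `trustForwardHeader=True` on the next line it is worth confirming that the outpost never returns such headers, or narrowing the pattern to the prefixes the outpost actually sets. A one-line comment such as `# keep in sync with the regex in website/docs/providers/proxy/_traefik_*.md` would help, since the value now lives in four places. The enclosing call starts and ends outside the hunk.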
@@ -34,7 +34,7 @@ services:
 # `authentik-proxy` refers to the service name in the compose file.
 traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
 traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
- traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$
+ traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Remote|X).*$$
 restart: unless-stopped

 whoami:
diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md
index da8ccbf76..f8a4783ce 100644
--- a/website/docs/providers/proxy/_traefik_ingress.md
+++ b/website/docs/providers/proxy/_traefik_ingress.md
@@ -9,7 +9,7 @@ spec:
 forwardAuth:
 address: http://outpost.company:9000/akprox/auth/traefik
 trustForwardHeader: true
- authResponseHeadersRegex: ^.*$
+ authResponseHeadersRegex: ^(Remote|X).*$
 ```

 Add the following settings to your IngressRoute
diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md
index 1f0f555eb..1e64fa42e 100644
--- a/website/docs/providers/proxy/_traefik_standalone.md
+++ b/website/docs/providers/proxy/_traefik_standalone.md
@@ -5,7 +5,7 @@ http:
 forwardAuth:
 address: http://outpost.company:9000/akprox/auth/traefik
 trustForwardHeader: true
- authResponseHeadersRegex: ^.*$
+ authResponseHeadersRegex: ^(Remote|X).*$
 routers:
 default-router:
 rule: "Host(`app.company`)"