Abort undefined subdomains when using wildcards and forward authorization

If you want to take it a step further and also drop HTTP requests for undefined sites, you could do something like this:

{
    auto_https disable_redirects
}

auth.endpoint.internal {
    reverse_proxy authelia:9091
}

&(authelia) {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.endpoint.internal/
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
}

*.endpoint.internal {
    abort
}

srv1.endpoint.internal {
    invoke authelia
    respond "you are here"
}

http://srv1.endpoint.internal {
    redir https://srv1.endpoint.internal{uri} 308
}

http:// {
    abort
}

The only site left with HTTP, for HTTP-to-HTTPS redirect, is srv1.endpoint.internal. Everything else is HTTPS-only or dropped.

Some details here:

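As an added example (not part of the original post and not Caddy's own code), this Python model parses the site blocks of the Caddyfile above and reports which block would answer a given request. It assumes a simplified precedence of exact host, then one-label wildcard, then catch-all, and that an address without a scheme is an HTTPS site; `site_blocks` and `handler` are hypothetical names.

```python
# Site blocks from the post's Caddyfile, embedded inline (copy_headers line left out).
CADDYFILE = """
{
    auto_https disable_redirects
}
auth.endpoint.internal {
    reverse_proxy authelia:9091
}
&(authelia) {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.endpoint.internal/
    }
}
*.endpoint.internal {
    abort
}
srv1.endpoint.internal {
    invoke authelia
    respond "you are here"
}
http://srv1.endpoint.internal {
    redir https://srv1.endpoint.internal{uri} 308
}
http:// {
    abort
}
"""

def site_blocks(text):
    """Map each site address to the directive names at the top level of its block."""
    sites, depth, addr = {}, 0, None
    for line in map(str.strip, text.splitlines()):
        if depth == 0 and line.endswith("{"):
            addr = line[:-1].strip()
            if addr and not addr.startswith("&("):  # skip global options, named routes
                sites[addr] = []
        elif depth == 1 and line not in ("", "}") and addr in sites:
            sites[addr].append(line.split()[0])
        depth += line.endswith("{") - (line == "}")
    return sites

def handler(sites, scheme, host):
    """Simplified precedence model: exact host, one-label wildcard, catch-all."""
    prefix = "http://" if scheme == "http" else ""  # bare address = HTTPS site
    parent = host.partition(".")[2]
    for addr in (prefix + host, prefix + "*." + parent, prefix):
        if addr in sites:
            return sites[addr]
    return None  # no matching site block, so nothing is served
```

In this model, `handler(site_blocks(CADDYFILE), "http", "auth.endpoint.internal")` lands on the `http://` catch-all and is aborted, which matches the post's statement that srv1.endpoint.internal is the only site left with HTTP.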