Dynamic reverse-proxying to output from forward_auth

1. The problem I’m having:

I’m trying to reverse-proxy to the output (URL) of a forward_auth check module. Beforehand, the oauth2 module is used to retrieve a token.

2. Error messages and/or full log output:

The {return_url} variable (see below) is never being set; I receive the error that this is not a valid URL / missing the port :wink:

3. Caddy version:

2.8

4. How I installed and ran Caddy:

Caddy is running within Docker Compose

a. System environment:

Docker environment

d. My complete Caddy config:

:8100 {
	# define forward auth for any path under `/`, if not more specific defined
	forward_auth / oauth2-check:4180 {
		uri /oauth2/auth
		copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email X-Forwarded-Access-Token X-Auth-Request-Access-Token

		@error status 401
		handle_response @error {
			redir * /oauth2/sign_in?rd={scheme}://{host}{uri} 302
		}
	}
	# define `/oauth2/*` as specific endpoint, to avoid forward auth protection to be able to use service
	reverse_proxy /oauth2/* oauth2-check:4180 {
		header_up X-Real-IP {remote}
		header_up X-Forwarded-Proto https
	}
	# test- authentication
	forward_auth / test-check:4180 {
		uri /api/v1/test-auth
		copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email X-Forwarded-Access-Token X-Auth-Request-Access-Token

		@error status 401
		handle_response @error {
			respond "Invalid test" 401
		}
	}
	reverse_proxy /api/v1/test-auth test-check:4181 {
		header_up X-Real-IP {remote}
		header_up X-Forwarded-Proto https
	}
	@missingTurl {
		header return_url *  # Match the presence of the "return_url" header
	}
	handle @missingTurl {
		# If return_url header is missing, set a default url header
		header return_url "default-backend.com:80"
	}
	# Reverse proxy using the value of the return_url header
    reverse_proxy / {
		to {return_url}
	}
}

Does nobody have an idea, or a hint, maybe? Thanks :slight_smile:

These lines seem suspicious

The matcher name says missing, but it matches for presence; and if it matches, you act as if the header is missing. You can match for header absence using !.

Path matches in Caddy are exact, unless you use asterisks. This means your comment (and assumption) in this part and elsewhere in the file is inaccurate.

I don’t see you copying the return_url header anywhere inside forward_auth. If it’s needed, copy it. You can also use the vars handler to set it in handle_response of successful responses, then use the var as the upstream address in reverse_proxy.
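
One way to apply the three points from the reply above, as an added example that is not part of the original thread or anyone's tested config. It assumes the oauth2-check auth response sets the return_url header; the `route` wrapper, the use of `request_header`, the stripping of a client-supplied return_url and the full placeholder name are choices of this example, and the test-check block is left out to keep it short.

```caddyfile
:8100 {
	# Matches requests that do NOT carry a return_url header (note the "!").
	@missingTurl header !return_url

	# oauth2 endpoints stay outside forward_auth. The asterisk is needed
	# because path matches are exact.
	handle /oauth2/* {
		reverse_proxy oauth2-check:4180 {
			header_up X-Real-IP {remote}
			header_up X-Forwarded-Proto https
		}
	}

	# Everything else; handle blocks are mutually exclusive.
	handle {
		# route keeps the directives below in the order written.
		route {
			# Drop any client-supplied return_url so that only the
			# auth service can choose the upstream.
			request_header -return_url

			# No path matcher: applies to every path in this handle.
			forward_auth oauth2-check:4180 {
				uri /oauth2/auth
				# return_url is added to the copied headers
				# (assumption: the auth response sets it).
				copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email X-Forwarded-Access-Token X-Auth-Request-Access-Token return_url

				@error status 401
				handle_response @error {
					redir * /oauth2/sign_in?rd={scheme}://{host}{uri} 302
				}
			}

			# Set the default on the request; the header directive
			# would set a response header instead.
			request_header @missingTurl return_url "default-backend.com:80"

			# Upstream address taken from the request header.
			reverse_proxy {http.request.header.return_url}
		}
	}
}
```

Because the upstream address comes from a header, the auth service should only ever return addresses from a fixed set of known backends.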