Trying to rewrite involving header

1. The problem I’m having:

I am trying to set up Authentik to reverse proxy to Kavita Reader. Kavita Reader has a functionality where if the /login endpoint is hit with the query argument apiKey=USER_API_KEY, then you are automatically logged in. My goal is to have the API key of the user injected as an additional header by Authentik (currently X-Test-Key), then have Caddy rewrite the URL from / to login?apiKey=API_KEY.

The Authentik header injection part works, but the Caddy rewrite rule keeps seeing the value of the header as an empty string. But, in the logs, it appears to be present.

2. Error messages and/or full log output:

Part 1: https://pastebin.com/stETyYcg
Part 2: https://pastebin.com/PckUQQnX

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Docker-compose running on a Synology NAS

b. Command:

docker-compose up -d caddy

c. Service/unit/compose file:

With docker-compose:

  caddy:
    image: caddy:2
    container_name: caddy
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - /volume1/media/docker/caddy/data:/data
      - /volume1/media/docker/caddy/config:/config
      - /volume1/homes/sean/helios.tailf6f70.ts.net.crt:/tailnet.crt
      - /volume1/homes/sean/helios.tailf6f70.ts.net.key:/tailnet.key
      - /volume1/homes/sean/swriddle.crt:/swriddle.crt
      - /volume1/homes/sean/swriddle.key:/swriddle.key

d. My complete Caddy config:

{
	debug
}

kavita.swriddle.com {
	tls /swriddle.crt /swriddle.key

	# Use forward authentication with Authentik to enforce group-based access
	forward_auth http://authserver:9000 {
		uri /outpost.goauthentik.io/auth/caddy

		# Copy headers to pass user info from Authentik to Caddy
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Test-Key

		# Trust the correct IP ranges or IP addresses
		trusted_proxies private_ranges
	}

	@accessDenied {
		not header_regexp X-Authentik-Groups ^Kavita$|^Kavita\||\|Kavita$|\|Kavita\|
	}

	respond @accessDenied "Access denied" 403 {
		close
	}

	reverse_proxy /outpost.goauthentik.io/* http://authserver:9000

	@kavitaPath {
		path /
	}

	log {
		output stdout
	}

	rewrite @kavitaPath {path}login?apiKey={http.request.header.X-Test-Key}

	reverse_proxy http://kavita:5000
}

auth.swriddle.com {
	tls /swriddle.crt /swriddle.key
	reverse_proxy http://authserver:9000
}

5. Links to relevant resources:

Authentik: https://goauthentik.io
Kavita Reader auto-login: Frequently Asked Questions | Kavita Wiki

Howdy @tretonin, welcome to the Caddy community.

I want to take a peek at those logs - especially the debug logs to see the upstream roundtrip - but the links you provided appear to have expired.

Is it possible to add the logs here directly, in a code block?
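An added example, not part of either post and not a confirmed diagnosis for this thread: in Caddy's default directive order `rewrite` is sorted before `forward_auth`, so a top-level rewrite is evaluated before `copy_headers` has placed X-Test-Key on the request. The sketch below reuses the hostnames and upstreams from the post and wraps the directives in `route` so they run as written; the `@hasKey` matcher name is made up for the example and the `copy_headers` list is shortened.

```caddyfile
kavita.swriddle.com {
	tls /swriddle.crt /swriddle.key

	log {
		output stdout
	}

	# Group check, same expression as in the post.
	@accessDenied {
		not header_regexp X-Authentik-Groups ^Kavita$|^Kavita\||\|Kavita$|\|Kavita\|
	}

	# Hypothetical matcher: only "/" and only when the key header is non-empty,
	# so a missing header never yields /login?apiKey= with an empty value.
	@hasKey {
		path /
		header_regexp X-Test-Key .+
	}

	# Directives inside route run in the order written, not in Caddy's
	# default sorted order (where rewrite comes before forward_auth).
	route {
		# Authentik outpost endpoints must stay reachable without auth.
		reverse_proxy /outpost.goauthentik.io/* http://authserver:9000

		# 1. Authenticate; on a 2xx answer the listed headers are copied
		#    from Authentik's response onto the incoming request.
		forward_auth http://authserver:9000 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Test-Key
			trusted_proxies private_ranges
		}

		# 2. Reject users outside the Kavita group.
		respond @accessDenied "Access denied" 403 {
			close
		}

		# 3. The header now exists on the request, so the placeholder resolves.
		rewrite @hasKey /login?apiKey={http.request.header.X-Test-Key}

		# 4. Everything else goes to Kavita unchanged.
		reverse_proxy http://kavita:5000
	}
}
```

With the global `debug` option from the post left on, the rewritten URI, including the API key, is written to Caddy's upstream roundtrip log lines, so turn it off once the rewrite works.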
