From a306cecb7339961563b44967b977bc0116a433ed Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Fri, 6 Jun 2025 14:54:59 +0200
Subject: [PATCH] providers/proxy: add option to override host header with property mappings (#14927)
---
 .../outpost/proxyv2/application/claims.go | 1 +
 .../outpost/proxyv2/application/mode_proxy.go | 19 ++++++++++++-------
 .../add-secure-apps/providers/proxy/index.md | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/internal/outpost/proxyv2/application/claims.go b/internal/outpost/proxyv2/application/claims.go
index caf765b400..2e3a792247 100644
--- a/internal/outpost/proxyv2/application/claims.go
+++ b/internal/outpost/proxyv2/application/claims.go
@@ -3,6 +3,7 @@ package application
 type ProxyClaims struct {
 UserAttributes map[string]interface{} `json:"user_attributes"`
 BackendOverride string `json:"backend_override"`
+ HostHeader string `json:"host_header"`
 IsSuperuser bool `json:"is_superuser"`
 }
 
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index d987cd72b0..4555dc28ac 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -74,13 +74,18 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 r.URL.Scheme = ou.Scheme
 r.URL.Host = ou.Host
 claims := a.getClaimsFromSession(r)
- if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
- u, err := url.Parse(claims.Proxy.BackendOverride)
- if err != nil {
- a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
- } else {
- r.URL.Scheme = u.Scheme
- r.URL.Host = u.Host
+ if claims != nil && claims.Proxy != nil {
+ if claims.Proxy.BackendOverride != "" {
+ u, err := url.Parse(claims.Proxy.BackendOverride)
+ if err != nil {
+ a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+ } else {
+ r.URL.Scheme = u.Scheme
+ r.URL.Host = u.Host
+ }
+ }
+ if claims.Proxy.HostHeader != "" {
+ r.Host = claims.Proxy.HostHeader
 }
 }
 a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")
diff --git a/website/docs/add-secure-apps/providers/proxy/index.md b/website/docs/add-secure-apps/providers/proxy/index.md
index 6b81f1af20..1110846b8f 100644
--- a/website/docs/add-secure-apps/providers/proxy/index.md
+++ b/website/docs/add-secure-apps/providers/proxy/index.md
@@ -152,3 +152,17 @@ return {
 ```
 
 Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
+
+## Host header:ak-version[2025.6.1]
+
+By default, the proxy provider will use forwarded Host header received from the client. Starting with authentik 2025.6.1, it is possible to dynamically adjust the Host header with a property mapping.
+
+```python
+return {
+ "ak_proxy": {
+ "host_header": "my-internal-host-header"
+ }
+}
+```
+
+Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
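Review bot: In the mode_proxy.go hunk, `r.Host = claims.Proxy.HostHeader` copies the session claim into the upstream Host header with no check, while the `backend_override` branch directly above at least parses its value and logs a warning when that fails. The value comes from a property-mapping expression and may be built from user attributes, so I would reject values containing characters that are not valid in a Host header (for example with `httpguts.ValidHostHeader` from golang.org/x/net, if that package is available to the outpost) and log the rejection the same way. The trace line after the block records only `upstream_url`, so an overridden Host never shows up in the outpost log; `a.log.WithField("upstream_url", r.URL.String()).WithField("host_header", r.Host).Trace("final upstream url")` would make the override auditable. The body of proxyModifyRequest starts and ends outside this hunk.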