From 45f1161fc1a113352efd3d6b604cdf6f4c8bcf9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 15 Nov 2025 20:23:22 +0100
Subject: [PATCH] fix: add authRequestHeaders to Authelia ForwardAuth
 middleware
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Traefik needs to forward X-Forwarded-* headers to Authelia so it can
determine the target URL. Without these headers, Authelia returns
"failed to get target URL: missing host value" error.

Added authRequestHeaders configuration to forward:
- X-Forwarded-Method (HTTP method)
- X-Forwarded-Proto (HTTPS/HTTP)
- X-Forwarded-Host (target domain)
- X-Forwarded-Uri (target path)
- X-Forwarded-For (client IP)

This fixes the issue where services returned 401 without redirecting
to the Authelia login page.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 net/compose.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/compose.yaml b/net/compose.yaml
index a86b72a..946e56f 100644
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -297,6 +297,7 @@ services:
       # ForwardAuth middleware for other services
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth'
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authRequestHeaders=X-Forwarded-Method,X-Forwarded-Proto,X-Forwarded-Host,X-Forwarded-Uri,X-Forwarded-For'
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-'
       # Watchtower