From ee0ca7b5389851deef2443d9bc24018e6870f982 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 15 Nov 2025 20:17:11 +0100
Subject: [PATCH] fix: update Authelia ForwardAuth middleware configuration

- Use correct Authelia v4.38+ endpoint: /api/authz/forward-auth
- Use actual container name: net_authelia instead of authelia
- Add authResponseHeadersRegex for Remote-* headers
- Remove static redirect parameter, let Authelia handle it dynamically
---
 net/compose.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/compose.yaml b/net/compose.yaml
index 87ebb27..a86b72a 100644
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -295,9 +295,10 @@ services:
       - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091'
       - 'traefik.docker.network=${NETWORK_NAME}'
       # ForwardAuth middleware for other services
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${NET_AUTHELIA_TRAEFIK_HOST}'
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth'
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true'
       - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-'
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'