ForwardAuth and Vouch Proxy using X-Forwarded-Host

I'm trying to get ForwardAuth to work with Vouch Proxy. To do that, I put an additional nginx proxy between the two. From the ForwardAuth documentation, I expect to receive the originally requested host as X-Forwarded-Host, but instead I get forwardAuth.address.

# Compose stack for single sign-on: a Vouch Proxy container plus an nginx
# container that Traefik routes to (router "sso") and that is also used as the
# ForwardAuth endpoint (middleware "sso").
version: '3.5'

services:
  # Vouch Proxy has no Traefik labels and no explicit networks entry, so it
  # joins only the project's default network.
  vouch:
    # Floating tag: the image behind ":alpine" can change between pulls.
    # Pin a specific version or digest once one has been validated.
    image: voucher/vouch-proxy:alpine
    restart: always
    environment:
      # $SSO_DOMAINS, $SSO_HOST and $HA_HOST are interpolated by Compose from
      # the shell environment or an .env file when the stack is brought up.
      # NOTE(review): VOUCH_DOMAINS is presumably the set of domains Vouch will
      # accept in the login "url" parameter - keep it as narrow as possible.
      - VOUCH_DOMAINS=$SSO_DOMAINS
      - OAUTH_PROVIDER=homeassistant
      - OAUTH_CLIENT_ID=https://$SSO_HOST
      - OAUTH_AUTH_URL=https://$HA_HOST/auth/authorize
      - OAUTH_CALLBACK_URL=https://$SSO_HOST/auth

  nginx:
    # Floating tag, same caveat as the vouch image above.
    image: nginx:alpine
    restart: always
    volumes:
      # NOTE(review): the official nginx image presumably renders *.template
      # files from this directory with envsubst at start-up - confirm.
      - ./templates:/etc/nginx/templates
    environment:
      # Bare name: the value is passed through from the environment Compose
      # runs in, making SSO_HOST available inside the container.
      - SSO_HOST
    networks:
      # "default" reaches the vouch service; "web" is the external network
      # declared at the bottom of this file.
      - default
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sso.rule=Host(`$SSO_HOST`)"
      - "traefik.http.routers.sso.tls=true"
      - "traefik.http.routers.sso.tls.certresolver=letsencrypt"
      # Defines the ForwardAuth middleware "sso"; no router in this file
      # attaches it.
      # NOTE(review): the address is the public router hostname, so the auth
      # request presumably enters Traefik a second time before it reaches
      # nginx. On that second pass Traefik would normally replace
      # X-Forwarded-Host with the host of the request it received ($SSO_HOST)
      # unless the entrypoint trusts forwarded headers from the sender, which
      # would explain the value seen at /validate. Addressing the nginx
      # service directly over the shared network avoids the extra hop and
      # means the X-Forwarded-* headers nginx sees were set by Traefik alone -
      # confirm that Traefik can reach this container on "web".
      - "traefik.http.middlewares.sso.forwardauth.address=https://$SSO_HOST/validate"

networks:
  # Created outside this Compose project; it must already exist.
  web:
    external: true
# nginx front for Vouch Proxy: answers ForwardAuth checks on /validate, turns a
# 401 from Vouch into a redirect to the login page, and proxies everything else
# to Vouch unchanged.
server {
  listen 80;

  # Validation endpoint used as the ForwardAuth target.
  location = /validate {
    proxy_pass http://vouch:9090/validate;

    # Forward the request without its body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Let error_page below handle error responses coming from Vouch.
    proxy_intercept_errors on;

    # Rebuilds the originally requested URL from the X-Forwarded-Host and
    # X-Forwarded-Uri request headers.
    # NOTE(review): these headers are only trustworthy when the proxy in front
    # overwrites whatever the client sent; otherwise a client chooses the
    # redirect target. The value is also placed into a query string below
    # without escaping, so "&" or "#" inside it would alter the parameters.
    set $requested_url https://$http_x_forwarded_host$http_x_forwarded_uri;
    # NOTE(review): "set" is a rewrite-phase directive, so these three
    # presumably run before Vouch has answered and the $upstream_http_*
    # values would then be empty - verify against the redirect actually sent.
    set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    set $auth_resp_err $upstream_http_x_vouch_err;
    set $auth_resp_failcount $upstream_http_x_vouch_failcount;
  }

  # A 401 is handed to the named location below.
  error_page 401 = @error401;

  location @error401 {
    # $SSO_HOST is not set anywhere in this file; presumably it is substituted
    # from the container environment when the template is rendered.
    # NOTE(review): the token travels in the query string, so it ends up in
    # access logs and browser history; keep those logs access-controlled.
    return 302 https://$SSO_HOST/login?url=$requested_url&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
  }

  # Everything else goes to Vouch as-is.
  location / {
    proxy_pass http://vouch:9090;
  }
}

This redirects to https://$SSO_HOST/login?url=$SSO_HOST, which is not what I want.

I tried to illustrate the problem. Maybe I get an answer then?
