Pass "Remote-User" header from Authelia to Navidrome

Hello,

I am trying to pass the "Remote-User" header from Authelia to Navidrome.

I read in Navidrome's documentation that I can forward the "Remote-User" header from my SSO application to bypass Navidrome's authentication.

When reverse proxy authentication is used, the verification is done by another system. By checking a specific HTTP header, Navidrome assumes you are already authenticated. This header can be configured via ReverseProxyUserHeader configuration option. By default the Remote-User header is used.

I assumed this is what the authResponseHeaders option is for; however, setting this option as seen below does not fix my issue. I'm not sure I understand the wording in the documentation:

The authResponseHeaders option is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.

This makes me think that the selected headers will be passed on with the request for the initially requested page (e.g. if I visit music.example.dev and get redirected to login.example.dev, the selected headers will be passed to music.example.dev).

So my question ends up being, is my configuration incorrect or do I have to add an additional middleware to handle the headers specifically?

Config file (from nix but essentially the same as the File option):

{ config, ... }: {
  services.traefik = {
    enable = true;
    staticConfigOptions = {
      entryPoints = {
        web.address = ":80";
        websecure.address = ":443";
        websecure.http.tls.certResolver = "letsencrypt";
      };
      certificatesResolvers.letsencrypt.acme = {
        email = "user@example.com";
        storage = "/var/lib/traefik/acme.json";
        dnsChallenge = { provider = "route53"; };
      };
      log = {
        filePath = "/var/lib/traefik/traefik.log";
        level = "DEBUG";
      };
    };
    dynamicConfigOptions = {
      http.middlewares.authelia = {
        forwardauth = {
          address =
            "http://127.0.0.1:9091/api/verify?rd=https://login.example.dev/";
          trustForwardHeader = true;
          authResponseHeaders =
            [ "Remote-User" "Remote-Groups" "Remote-Name" "Remote-Email" ];
        };
      };

      http.routers.authelia = {
        rule = "Host(`login.example.dev`)";
        entryPoints = [ "websecure" ];
        tls.certresolver = "letsencrypt";
        service = "authelia";
      };
      http.services.authelia.loadBalancer.servers =
        [{ url = "http://127.0.0.1:9091"; }];
        
      http.routers.navidrome = {
        rule = "Host(`music.example.dev`)";
        entryPoints = [ "websecure" ];
        tls.certresolver = [ "letsencrypt" ];
        middlewares = "authelia";
        service = "navidrome";
      };
      http.services.navidrome.loadBalancer.servers =
        [{ url = "http://127.0.0.1:4533"; }];

    };
  };
}
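A simplified, in-process model of the header flow the post asks about, added here as an example; it is not part of the original post and is not Traefik's or Authelia's code. `fakeAuth`, `forwardAuth`, `seenByBackend`, the `session` cookie and the user `alice` are constructed for illustration; the header list is the `authResponseHeaders` list from the config above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fakeAuth (constructed auth server): valid session cookie -> 200 + Remote-User, else 401.
func fakeAuth(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err == nil && c.Value == "valid" {
		w.Header().Set("Remote-User", "alice")
		return
	}
	w.WriteHeader(http.StatusUnauthorized)
}

// forwardAuth is a simplified model of the middleware: ask auth first and, on 2xx,
// forward the request with the config's authResponseHeaders taken from its response.
func forwardAuth(auth http.HandlerFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := httptest.NewRecorder()
		auth(rec, r)
		if rec.Code < 200 || rec.Code > 299 {
			w.WriteHeader(rec.Code) // denied: the backend never sees the request
			fmt.Fprintln(w, "denied by auth server")
			return
		}
		for _, h := range []string{"Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"} {
			r.Header.Del(h) // discard any client-supplied value for this name
			if v := rec.Header().Values(h); len(v) > 0 {
				r.Header[http.CanonicalHeaderKey(h)] = v
			}
		}
		next.ServeHTTP(w, r)
	})
}

// seenByBackend returns the status and the Remote-User the backend receives.
func seenByBackend(session, clientRemoteUser string) (code int, got string) {
	backend := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { got = r.Header.Get("Remote-User") })
	req := httptest.NewRequest("GET", "https://music.example.dev/", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	req.Header.Set("Remote-User", clientRemoteUser)
	rec := httptest.NewRecorder()
	forwardAuth(fakeAuth, backend).ServeHTTP(rec, req)
	return rec.Code, got
}

func main() { fmt.Println(seenByBackend("valid", "admin")) }
```

In this model the backend receives the identity set by the auth server rather than the `Remote-User` value the client sent, and a request without a valid session never reaches the backend. Because the backend trusts whatever `Remote-User` arrives, it should only be reachable through the proxy.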