X-Forwarded-* Header Assistance #144

ZacharyACoon · 2023-09-25T23:23:33Z

ZacharyACoon
Sep 25, 2023

Services are often reverse proxied behind 1 or multiple load balancers that handle TLS termination and such.

https://media.example.com/
v (X-Forwarded-Proto: https, X-Forwarded-Host: media.example.com)
http://media.services.example.com/
v
jellyfin

Problem
SSO-Auth only sees the $host variable, so when it forwards the user to for example, keycloak, the request is
ohRSwp0Zdl_NwmevGafEks&code_challenge_method=S256&client_id=media.example.com&scope=openid%20profile&redirect_uri=http%3A%2F%2Fmedia.services.location.example.com%2Fjellyfin%2Fsso%2FOID%2Fredirect%2Fexample.com

Host: http://media.services.example.com
But that's not what the user needs to be redirected too...

:) Thanks in advance.

ZacharyACoon · 2023-09-25T23:23:45Z

ZacharyACoon
Sep 25, 2023
Author

I am testing to see if I can work around this by manually setting the $host variable sent to jellyfin...

proxy_set_header Scheme $scheme;
proxy_set_header Host $host;

0 replies

9p4 · 2023-09-26T00:01:26Z

9p4
Sep 26, 2023
Maintainer

This isn't a plugin issue. This is a configuration issue. Jellyfin/ASP manages the population of the forwarded host variables. It seems like you have two layers of reverse proxies? Does your second proxy trust incoming X-Forwarded headers? By default (for security reasons) they don't.

2 replies

ZacharyACoon Sep 26, 2023
Author

Yes, two layers. Site/TLS termination, then ServiceGroup Termination (media)

  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Protocol $scheme;
  proxy_set_header X-Forwarded-Host $http_host;

9p4 Sep 28, 2023
Maintainer

Does your second proxy trust incoming X-Forwarded headers?

ZacharyACoon · 2023-09-28T19:41:43Z

ZacharyACoon
Sep 28, 2023
Author

I believe so? ``` proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; ```

…

On Thu, Sep 28, 2023 at 8:10 AM 9p4 ***@***.***> wrote: Does your second proxy trust incoming X-Forwarded headers? — Reply to this email directly, view it on GitHub <#144 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQVQTH2JBPTJVU2FHFMXMELX4WHOVANCNFSM6AAAAAA5G55Z3Y> . You are receiving this because you authored the thread.Message ID: ***@***.***>

2 replies

9p4 Sep 28, 2023
Maintainer

Can you add

proxy_set_header Forwarded $proxy_add_forwarded;

9p4 Sep 28, 2023
Maintainer

Also is the realip module enabled?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

X-Forwarded-* Header Assistance #144

{{title}}

Replies: 3 comments 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

X-Forwarded-* Header Assistance #144

ZacharyACoon Sep 25, 2023

Replies: 3 comments · 4 replies

ZacharyACoon Sep 25, 2023 Author

9p4 Sep 26, 2023 Maintainer

ZacharyACoon Sep 26, 2023 Author

9p4 Sep 28, 2023 Maintainer

ZacharyACoon Sep 28, 2023 Author

9p4 Sep 28, 2023 Maintainer

9p4 Sep 28, 2023 Maintainer

ZacharyACoon
Sep 25, 2023

Replies: 3 comments 4 replies

ZacharyACoon
Sep 25, 2023
Author

9p4
Sep 26, 2023
Maintainer

ZacharyACoon Sep 26, 2023
Author

9p4 Sep 28, 2023
Maintainer

ZacharyACoon
Sep 28, 2023
Author

9p4 Sep 28, 2023
Maintainer

9p4 Sep 28, 2023
Maintainer