From 0289eb34b9a1676741ce74207f2559623aa4111c Mon Sep 17 00:00:00 2001
From: Stavros
Date: Thu, 18 Jun 2026 18:27:58 +0300
Subject: [PATCH 1/2] fix: remove auth request headers and add auth response headers in forward auth
---
 .gitignore | 32 +++++++++++++++---------------
 internal/assets/docker-compose.yml | 10 +++++++++-
 2 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/.gitignore b/.gitignore
index e03c764..ef7edf4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,21 @@
 # Runtipi Data
-app-data
-apps
-backups
-cache
-data
-logs
-media
-repos
-state
-traefik
-user-config
+/app-data
+/apps
+/backups
+/cache
+/data
+/logs
+/media
+/repos
+/state
+/traefik
+/user-config
 # CLI generated files
-docker-compose.yml
-VERSION
-.env
+/docker-compose.yml
+/VERSION
+/.env
 # Build out
-runtipi-cli
-main
\ No newline at end of file
+/runtipi-cli
+/main
diff --git a/internal/assets/docker-compose.yml b/internal/assets/docker-compose.yml
index 3b0c2d2..fcd2d25 100644
--- a/internal/assets/docker-compose.yml
+++ b/internal/assets/docker-compose.yml
@@ -4,7 +4,7 @@ services:
 depends_on:
 runtipi:
 condition: service_healthy
- image: traefik:v3.6.6
+ image: traefik:v3.6.14
 restart: unless-stopped
 ports:
 - ${NGINX_PORT:-80}:80
@@ -94,6 +94,14 @@ services:
 traefik.enable: true
 traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
 traefik.http.middlewares.runtipi.forwardauth.address: ${RUNTIPI_FORWARD_AUTH_URL:-http://runtipi:3000/api/auth/traefik}
+ # authRequestHeaders could be added to use more strict headers for the forward auth request,
+ # but it could break some auth providers
+ # Recommended by authelia and authentik
+ traefik.http.middlewares.runtipi.forwardauth.trustForwardHeader: true
+ # Sane default
+ traefik.http.middlewares.runtipi.forwardauth.maxResponseBodySize: 8192
+ # Headers below should work for authelia, tinyauth and authentik
+ traefik.http.middlewares.runtipi.forwardAuth.authResponseHeaders: authorization, remote-user, remote-groups, remote-name, remote-email, x-authentik-username, x-authentik-groups, x-authentik-entitlements, x-authentik-email, x-authentik-name, x-authentik-uid, x-authentik-jwt, x-authentik-meta-jwks, x-authentik-meta-outpost, x-authentik-meta-provider, x-authentik-meta-app, x-authentik-meta-version
 # ---- Dashboard ----- #
 traefik.http.services.dashboard.loadbalancer.server.port: 3000
From 1755453c473cee3578c9d596957f0ad8c2358791 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Thu, 18 Jun 2026 18:31:46 +0300
Subject: [PATCH 2/2] chore: fix typo
---
 internal/assets/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/assets/docker-compose.yml b/internal/assets/docker-compose.yml
index fcd2d25..b4ae8d8 100644
--- a/internal/assets/docker-compose.yml
+++ b/internal/assets/docker-compose.yml
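Review bot: In the `@@ -94,6 +94,14 @@` hunk of patch 1/2, `forwardauth.trustForwardHeader: true` passes the request's existing `X-Forwarded-*` headers to the auth endpoint unchanged, so it is only safe while the entrypoints discard those headers from untrusted clients; that entrypoint configuration is not visible here, and the labels block itself starts and ends outside the hunk. Providers such as Authelia derive host, URI and client-IP decisions from these headers, so the comment should state the dependency, e.g. `# Safe only if entrypoint forwardedHeaders.insecure is off and trustedIPs lists only real upstream proxies`. Listing `authorization` in `authResponseHeaders` means the provider's value replaces the client's `Authorization` header on the way to the app, which may break apps that do their own Basic or Bearer auth behind this middleware when the provider returns none; worth confirming against the default `/api/auth/traefik` endpoint. The identity headers (`remote-user`, `x-authentik-*`) are only overwritten on routers that attach the `runtipi` middleware, so an app that trusts them should not be reachable through a router without it.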
@@ -101,7 +101,7 @@ services:
 # Sane default
 traefik.http.middlewares.runtipi.forwardauth.maxResponseBodySize: 8192
 # Headers below should work for authelia, tinyauth and authentik
- traefik.http.middlewares.runtipi.forwardAuth.authResponseHeaders: authorization, remote-user, remote-groups, remote-name, remote-email, x-authentik-username, x-authentik-groups, x-authentik-entitlements, x-authentik-email, x-authentik-name, x-authentik-uid, x-authentik-jwt, x-authentik-meta-jwks, x-authentik-meta-outpost, x-authentik-meta-provider, x-authentik-meta-app, x-authentik-meta-version
+ traefik.http.middlewares.runtipi.forwardauth.authResponseHeaders: authorization, remote-user, remote-groups, remote-name, remote-email, x-authentik-username, x-authentik-groups, x-authentik-entitlements, x-authentik-email, x-authentik-name, x-authentik-uid, x-authentik-jwt, x-authentik-meta-jwks, x-authentik-meta-outpost, x-authentik-meta-provider, x-authentik-meta-app, x-authentik-meta-version
 # ---- Dashboard ----- #
 traefik.http.services.dashboard.loadbalancer.server.port: 3000