www/caddy: Add copy_headers selectpicker to Auth Provider tab. Authorization header added. (#4496)

2026-05-28 04:34:15 -04:00 · 2025-01-24 09:47:17 +01:00 · 2025-01-24 09:47:17 +01:00 · 7745e63d0f
commit 7745e63d0f
parent 3cec3a1071
5 changed files with 45 additions and 4 deletions
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.8.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@ -13,6 +13,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================

+1.8.1
+
+* Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
+* Add: Persistent banner notification if custom imports are used (opnsense/plugins/issues/4244)
+* Cleanup: Implement reusable grid template in views (opnsense/plugins/pull/4454)
+
 1.8.0

 * Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@ -227,6 +227,13 @@
            <type>text</type>
            <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
        </field>
+        <field>
+            <id>caddy.general.AuthCopyHeaders</id>
+            <label>Copy Headers</label>
+            <type>select_multiple</type>
+            <style>selectpicker</style>
+            <help><![CDATA[If nothing is selected, the correct default headers for the chosen provider will be used. If you change the default, you must select the required headers manually. "copy_headers" is a list of HTTP header fields to copy from the response to the original request, when the request has a success status code.]]></help>
+        </field>
    </tab>
    <activetab>general-settings</activetab>
 </form>
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@ -167,6 +167,27 @@
                <Mask>/^(\/.*)?$/u</Mask>
                <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
            </AuthToUri>
+            <AuthCopyHeaders type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <Authorization>Authorization</Authorization>
+                    <Remote-User>Remote-User</Remote-User>
+                    <Remote-Groups>Remote-Groups</Remote-Groups>
+                    <Remote-Name>Remote-Name</Remote-Name>
+                    <Remote-Email>Remote-Email</Remote-Email>
+                    <X-Authentik-Username>X-Authentik-Username</X-Authentik-Username>
+                    <X-Authentik-Groups>X-Authentik-Groups</X-Authentik-Groups>
+                    <X-Authentik-Email>X-Authentik-Email</X-Authentik-Email>
+                    <X-Authentik-Name>X-Authentik-Name</X-Authentik-Name>
+                    <X-Authentik-Uid>X-Authentik-Uid</X-Authentik-Uid>
+                    <X-Authentik-Jwt>X-Authentik-Jwt</X-Authentik-Jwt>
+                    <X-Authentik-Meta-Jwks>X-Authentik-Meta-Jwks</X-Authentik-Meta-Jwks>
+                    <X-Authentik-Meta-Outpost>X-Authentik-Meta-Outpost</X-Authentik-Meta-Outpost>
+                    <X-Authentik-Meta-Provider>X-Authentik-Meta-Provider</X-Authentik-Meta-Provider>
+                    <X-Authentik-Meta-App>X-Authentik-Meta-App</X-Authentik-Meta-App>
+                    <X-Authentik-Meta-Version>X-Authentik-Meta-Version</X-Authentik-Meta-Version>
+                </OptionValues>
+            </AuthCopyHeaders>
        </general>
        <reverseproxy>
            <reverse type="ArrayField">
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@ -12,7 +12,11 @@
    {% if generalSettings.AuthToUri %}
        uri {{ generalSettings.AuthToUri|default("") }}
    {% endif %}
-    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% else %}
+        copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
    }
 {% elif generalSettings.AuthProvider == 'authentik' %}
    reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
@ -24,6 +28,10 @@
    {% if generalSettings.AuthToUri %}
        uri {{ generalSettings.AuthToUri|default("") }}
    {% endif %}
-    copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% else %}
+       copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
    }
 {% endif %}