Hello,
I am trying to pass the “Remote-User” header from Authelia to Navidrome.
I read in Navidrome’s documentation that I can forward the “Remote-User” header from my SSO application to bypass Navidrome’s authentication.
When reverse proxy authentication is used, the verification is done by another system. By checking a specific HTTP header, Navidrome assumes you are already authenticated. This header can be configured via ReverseProxyUserHeader configuration option. By default the Remote-User header is used.
I assumed this is what the authResponseHeaders option is for; however, setting this option as seen below does not fix my issue. I’m not sure I understand the wording in the documentation:
The authResponseHeaders option is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
This makes me think that the selected headers will be passed on with the request for the initially requested page (e.g. if I visit music.example.dev and get redirected to login.example.dev, the selected headers will be passed to music.example.dev).
So my question ends up being, is my configuration incorrect or do I have to add an additional middleware to handle the headers specifically?
Config file (from nix but essentially the same as the File option):
{ config, ... }: {
  services.traefik = {
    enable = true;
    staticConfigOptions = {
      entryPoints = {
        web.address = ":80";
        websecure.address = ":443";
        websecure.http.tls.certResolver = "letsencrypt";
      };
      certificatesResolvers.letsencrypt.acme = {
        email = "[email protected]";
        storage = "/var/lib/traefik/acme.json";
        dnsChallenge = { provider = "route53"; };
      };
      log = {
        filePath = "/var/lib/traefik/traefik.log";
        level = "DEBUG";
      };
    };
    dynamicConfigOptions = {
      http.middlewares.authelia = {
        forwardauth = {
          address =
            "http://127.0.0.1:9091/api/verify?rd=https://login.example.dev/";
          trustForwardHeader = true;
          authResponseHeaders =
            [ "Remote-User" "Remote-Groups" "Remote-Name" "Remote-Email" ];
        };
      };
      http.routers.authelia = {
        rule = "Host(`login.example.dev`)";
        entryPoints = [ "websecure" ];
        tls.certresolver = "letsencrypt";
        service = "authelia";
      };
      http.services.authelia.loadBalancer.servers =
        [{ url = "http://127.0.0.1:9091"; }];
      http.routers.navidrome = {
        rule = "Host(`music.example.dev`)";
        entryPoints = [ "websecure" ];
        tls.certresolver = [ "letsencrypt" ];
        middlewares = "authelia";
        service = "navidrome";
      };
      http.services.navidrome.loadBalancer.servers =
        [{ url = "http://127.0.0.1:4533"; }];
    };
  };
}
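
The header-copy behaviour quoted from the documentation above, as an added Python model that is not part of the original post and is not Traefik's or Authelia's code. The `fake_auth_server` function, its session cookie value and the user `alice` are constructed for illustration, and dropping a listed header when the auth server omits it is an assumption of this model.

```python
from http import HTTPStatus

# Same list as authResponseHeaders in the configuration above.
AUTH_RESPONSE_HEADERS = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]


def canon(name):
    """Header names are case-insensitive; normalise them to Title-Case."""
    return "-".join(part.capitalize() for part in name.split("-"))


def fake_auth_server(request_headers):
    """Hypothetical stand-in for the auth endpoint: a constructed session cookie
    maps to an identity; anything else is redirected to the login portal."""
    sessions = {"authelia_session=abc123": {"Remote-User": "alice", "Remote-Groups": "music"}}
    identity = sessions.get(request_headers.get("Cookie"))
    if identity is None:
        return HTTPStatus.FOUND, {"Location": "https://login.example.dev/"}
    return HTTPStatus.OK, identity


def forward_auth(client_headers, auth_server=fake_auth_server,
                 auth_response_headers=AUTH_RESPONSE_HEADERS):
    """Return ("client", status, headers) when the auth response goes back to the
    browser, or ("backend", status, headers) when the request continues upstream."""
    request = {canon(k): v for k, v in client_headers.items()}
    status, auth_headers = auth_server(request)
    auth_headers = {canon(k): v for k, v in auth_headers.items()}
    if not 200 <= status < 300:
        # Non-2xx: the backend never sees this request, so no Remote-* headers reach it.
        return "client", int(status), auth_headers
    for name in map(canon, auth_response_headers):
        request.pop(name, None)                 # discard any client-supplied value
        if name in auth_headers:
            request[name] = auth_headers[name]  # copy the auth server's value
    return "backend", int(status), request
```

The identity headers are attached on every authenticated request to music.example.dev that passes through the middleware, not carried over from the login redirect, and a `Remote-User` value sent by the browser is replaced before the backend sees it.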