I run tinyauth with lldap and caddy as reverse proxy.
Everything seems to work but I don't get the Remote-Groups header in my protected app.
```yaml
# docker-compose.yaml
---
tinyauth:
  container_name: tinyauth
  image: ghcr.io/steveiliop56/tinyauth:v4
  env_file:
    - /opt/docker/services/tinyauth/tinyauth.env
  volumes:
    - /opt/docker/services/tinyauth/data:/data
    - /opt/docker/services/tinyauth/users_file:/tinyauth/users_file
  restart: unless-stopped
  depends_on:
    lldap:
      condition: service_started
  networks:
    - webserver
    - auth
lldap:
  container_name: lldap
  image: lldap/lldap:stable
  env_file:
    - /opt/docker/services/lldap/lldap.env
  volumes:
    - /opt/docker/services/lldap/data:/data
  restart: unless-stopped
  networks:
    - webserver
    - auth
networks:
  auth:
    name: auth
```

```
# tinyauth.env
APP_URL=http://auth.sub.domain.ch
DATABASE_PATH=/data/tinyauth.db
USERS_FILE=/tinyauth/users_file
LDAP_ADDRESS=ldap://lldap:3890
LDAP_BIND_DN=uid=tinyauth,ou=people,dc=auth,dc=sub,dc=domain,dc=ch
LDAP_BIND_PASSWORD=tinypasswd
LDAP_BASE_DN=dc=auth,dc=sub,dc=domain,dc=ch
LDAP_SEARCH_FILTER=(uid=%s)
LDAP_INSECURE=true
```

```
# lldap.env
UID=1000
GID=1000
TZ=Europe/Zurich
LLDAP_JWT_SECRET="<redacted>"
LLDAP_KEY_SEED="<redacted>"
LLDAP_LDAP_BASE_DN=dc=auth,dc=sub,dc=domain,dc=ch
LLDAP_LDAP_USER_PASS=ldappass
```

```
# Caddyfile
http://auth.sub.domain.ch {
    reverse_proxy tinyauth:3000
    log
}
http://ldap.sub.domain.ch {
    reverse_proxy lldap:17170
    log
}
http://app.sub.domain.ch {
    forward_auth tinyauth:3000 {
        uri /api/auth/caddy
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        copy_headers Remote-*
    }
    reverse_proxy fastapiapp:3333
}
```

I created a user in lldap and assigned it to a group I created. I expect that I get all groups a user is assigned to in lldap via the Remote-Groups header. Is that a misconception?
Awesome project btw 🤩
Edit:
These are all the headers I get in my fastapi app
```json
{
  "host": "app.sub.domain.ch",
  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv: 145.0) Gecko/20100101 Firefox/145.0",
  "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "accept-encoding": "gzip, deflate",
  "accept-language": "de,en-US;q=0.7,en;q=0.3",
  "cookie": "ph_phc_2gbpy3JPtDC6hHrQy35yMxMci1NY0fD1sttGTcPjwVf_posthog=%7B%22distinct_id%22%3A%2201999486-a926-70dd-a0c0-eb64dd91bac3%22%2C%22%24device_id%22%3A%2201999486-a926-70dd-a0c0-eb64dd91bac3%22%2C%22%24user_state%22%3A%22anonymous%22%2C%22%24sesid%22%3A%5B1763632594982%2C%22019aa0b1-c026-7ef4-8de6-372856d9d17c%22%2C1763632594982%5D%2C%22%24client_session_props%22%3A%7B%22sessionId%22%3A%22019aa0b1-c026-7ef4-8de6-372856d9d17c%22%2C%22props%22%3A%7B%22initialPathName%22%3A%22%2Fde%22%2C%22referringDomain%22%3A%22%24direct%22%7D%7D%2C%22%24session_recording_enabled_server_side%22%3Afalse%2C%22%24session_recording_network_payload_capture%22%3A%7B%22capturePerformance%22%3Afalse%7D%2C%22%24autocapture_disabled_server_side%22%3Afalse%2C%22%24active_feature_flags%22%3A%5B%5D%2C%22%24enabled_feature_flags%22%3A%7B%7D%2C%22%24feature_flag_payloads%22%3A%7B%7D%7D; tinyauth-session-9b0a6487=7e8b3885-5e07-4c64-b653-499f6b90507d",
  "priority": "u=0, i",
  "referer": "http://auth.sub.domain.ch/",
  "remote-email": "User1@sub.domain.ch",
  "remote-name": "User1",
  "remote-user": "User1",
  "upgrade-insecure-requests": "1",
  "via": "1.1 Caddy",
  "x-forwarded-for": "192.168.3.105",
  "x-forwarded-host": "app.sub.domain.ch",
  "x-forwarded-proto": "http"
}
```
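An added example, not part of the original issue and not tinyauth's or the poster's code: how a backend behind `forward_auth` can read the `Remote-*` headers so that a missing `Remote-Groups`, as in the header dump above, results in denial rather than in an unchecked request. The function names, the `admins` group and the comma-separated group format are assumptions made for the illustration.

```python
"""Fail-closed handling of forward-auth identity headers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


class NotAuthorized(Exception):
    """Raised when the request carries no usable identity or lacks the group."""


def identity_from_headers(headers: dict) -> Identity:
    """Build an identity from the Remote-* headers copied by the proxy.

    Header names are matched case-insensitively. A missing or empty
    Remote-Groups gives an empty group set, never "any group".
    Assumption: groups arrive as one comma-separated value.
    """
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get("remote-user", "").strip()
    if not user:
        raise NotAuthorized("no Remote-User header")
    raw = h.get("remote-groups", "")
    groups = frozenset(g.strip() for g in raw.split(",") if g.strip())
    return Identity(user=user, groups=groups)


def require_group(headers: dict, group: str) -> Identity:
    """Return the identity only if it is a member of `group`."""
    ident = identity_from_headers(headers)
    if group not in ident.groups:
        raise NotAuthorized(f"{ident.user} is not in group {group}")
    return ident


# Constructed samples: the identity headers from the dump above, and the
# same request with a hypothetical Remote-Groups value added.
WITHOUT_GROUPS = {"remote-email": "User1@sub.domain.ch",
                  "remote-name": "User1", "remote-user": "User1"}
WITH_GROUPS = {**WITHOUT_GROUPS, "Remote-Groups": "admins, staff"}

if __name__ == "__main__":
    print(identity_from_headers(WITHOUT_GROUPS))
    print(require_group(WITH_GROUPS, "admins"))
```

These headers are only trustworthy when `fastapiapp:3333` is reachable solely through Caddy; a client that can reach the app directly can set `Remote-*` itself.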