outposts/proxy: add X-Forwarded-Host since Host now gets changed by the proxy

closes #2284

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

internal/outpost/proxyv2/application/mode_proxy.go

@@ -73,6 +73,7 @@ func (a *Application) configureProxy() error {
 
 func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 	return func(r *http.Request) {
+		r.Header.Set("X-Forwarded-Host", r.Host)
 		claims, _ := a.getClaims(r)
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host

internal/outpost/proxyv2/application/mode_proxy_test.go

@@ -19,6 +19,7 @@ func TestProxy_ModifyRequest(t *testing.T) {
 	}
 	a.proxyModifyRequest(u)(req)
 
+	assert.Equal(t, "frontend", req.Header.Get("X-Forwarded-Host"))
 	assert.Equal(t, "/foo", req.URL.Path)
 	assert.Equal(t, "backend:8012", req.URL.Host)
 	assert.Equal(t, "backend:8012", req.Host)

website/docs/providers/proxy/proxy.md

@@ -46,6 +46,12 @@ Besides these user-specific headers, some application specific headers are also
 
     The authentik outpost's version.
 
+### Only in proxy mode
+
+- X-Forwarded-Host:
+
+    The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
+
 ## HTTPS
 
 The outpost listens on both 9000 for HTTP and 9443 for HTTPS.

website/docs/releases/v2022.1.md

@@ -23,6 +23,8 @@ This release mostly removes legacy fields and features that have been deprecated
   - X-Forwarded-Preferred-Username, use `X-authentik-username`
   - X-Forwarded-User, use `X-authentik-uid`
 
+  The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
+
   Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets.
 
 - API: