feat: support HTTP redirect for forward authentication middleware in Traefik (#368)

* feat: support HTTP redirect for forward authentication middleware in Traefik * fix(docs): fix my terrible merge Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * chore: fix typo in docs Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * fix(ci): add forwardauth Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * chore: improve doc, target must be a space * chore: changelog * fix: validate X-Forwarded headers and check redirect domain * chore: refactor error handling * fix(doc): cookie traefik * fix: tests merge * Update docs/docs/admin/environments/traefik.mdx Co-authored-by: Henri Vasserman <henv@hot.ee> Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Jason Cameron <git@jasoncameron.dev> Co-authored-by: Jason Cameron <jasoncameron.all@gmail.com> Co-authored-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Henri Vasserman <henv@hot.ee>
2025-08-13 02:59:45 +02:00 · 2025-08-13 02:59:45 +02:00 · a8b7b2ad7b
commit a8b7b2ad7b
parent 87651f9506
9 changed files with 128 additions and 87 deletions
--- a/internal/headers.go
+++ b/internal/headers.go
@ -153,7 +153,7 @@ func computeXFFHeader(remoteAddr string, origXFFHeader string, pref XFFComputePr
 	// generally they'd be expected to do these two things on
 	// their own end to find the first non-spoofed IP
 	for i := len(origForwardedList) - 1; i >= 0; i-- {
-		segmentIP, err := netip.ParseAddr(origForwardedList[i])
+		segmentIP, err := netip.ParseAddr(strings.TrimSpace(origForwardedList[i]))
 		if err != nil {
 			// can't assess this element, so the remainder of the chain
 			// can't be trusted. not a fatal error, since anyone can