docs: header consistency (#5266)

api/openapi.yml

@@ -155,7 +155,7 @@ paths:
           example: '{{ $.Domain | default "example.com" }}'
           schema:
             type: string
-        - name: X-Forwarded-Uri
+        - name: X-Forwarded-URI
           in: header
           description: Redirection URL (URI)
           required: false
@@ -1494,7 +1494,7 @@ components:
       schema:
         type: string
     forwardedURIParam:
-      name: X-Forwarded-Uri
+      name: X-Forwarded-URI
       in: header
       description: Redirection URL (URI)
       required: true

docs/content/en/integration/proxies/caddy.md

@@ -230,7 +230,7 @@ nextcloud.example.com {
                 rewrite "/api/authz/forward-auth?authelia_url=https://auth.example.com/"
 
                 header_up X-Forwarded-Method {method}
-                header_up X-Forwarded-Uri {uri}
+                header_up X-Forwarded-URI {uri}
 
                 ## If the auth request:
                 ##   1. Responds with a status code IN the 200-299 range.

docs/content/en/integration/proxies/introduction.md

@@ -28,6 +28,29 @@ bootstrapping *Authelia*.
 
 See [support](support.md) for support information.
 
+### Required Headers
+
+__Authelia__ itself requires the following headers are set when secured behind a reverse proxy:
+
+* Scheme Detection:
+  * Default: [X-Forwarded-Proto] (header)
+  * Fallback: TLS (listening socket state)
+* Host Detection:
+  * Default: [X-Forwarded-Host] (header)
+  * Fallback: [Host] (header)
+* Path Detection:
+  * Default: X-Forwarded-URI (header)
+  * Fallback: [Start Line] Request Target (start line)
+* Remote IP:
+  * Default: [X-Forwarded-For]
+  * Fallback: TCP source IP
+
+[Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
+[Start Line]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages#start_line
+[X-Forwarded-For]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
+[X-Forwarded-Proto]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+[X-Forwarded-Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
+
 ## Integration Implementation
 
 Authelia is capable of being integrated into many proxies due to the decisions regarding the implementation. We handle
@@ -41,12 +64,14 @@ your reverse proxy. The headers we rely on at the authz endpoints are as follows
 
 * [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
 * [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
-* X-Forwarded-Uri
+* X-Forwarded-URI
 * [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
 * X-Forwarded-Method / X-Original-Method
 * X-Original-URL
 
-The specifics however are dictated by the specific [Authorization Implementation](../../reference/guides/proxy-authorization.md) used.
+The specifics however are dictated by the specific
+[Authorization Implementation](../../reference/guides/proxy-authorization.md) used. Please refer to the specific
+implementation you're using.
 
 ### User Identification
 

docs/content/en/integration/proxies/nginx.md

@@ -350,7 +350,7 @@ use cases.
 
 The following is an example `proxy.conf`. The important directives include the `real_ip` directives which you should read
 [Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`,
-`X-Forwarded-Uri`, and `X-Forwarded-For` headers.
+`X-Forwarded-URI`, and `X-Forwarded-For` headers.
 
 ##### Standard Variant
 
@@ -363,7 +363,7 @@ proxy_set_header Host $host;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Real-IP $remote_addr;
@@ -408,7 +408,7 @@ proxy_set_header Host $host;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-For $remote_addr;
 ```
@@ -539,7 +539,7 @@ location /internal/authelia/authz/basic {
     proxy_set_header X-Forwarded-Method $request_method;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-URI $request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";

internal/handlers/const_test.go

@@ -21,7 +21,7 @@ var (
 
 const (
 	testXOriginalMethod = "X-Original-Method"
-	testXOriginalUrl    = "X-Original-Url"
+	testXOriginalUrl    = "X-Original-URL"
 	testBypass          = "bypass"
 	testWithoutAccept   = "WithoutAccept"
 	testWithXHRHeader   = "WithXHRHeader"

internal/handlers/handler_authz_impl_forwardauth_test.go

@@ -240,7 +240,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleMissingHostDeny() {
 			mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 			mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
-			mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+			mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 			authz.Handler(mock.Ctx)
@@ -395,7 +395,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -560,7 +560,7 @@ func setRequestForwardAuth(ctx *middlewares.AutheliaCtx, method string, targetUR
 	if targetURI != nil {
 		ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 		ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-		ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+		ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 	}
 
 	setRequestXHRValues(ctx, accept, xhr)

internal/handlers/handler_authz_impl_legacy_test.go

@@ -60,7 +60,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -108,7 +108,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsOverrideAutheliaURLDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -151,7 +151,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLBypassSta
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -183,7 +183,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLOneFactor
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -213,7 +213,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsRDAutheliaURLOneFactorStatu
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 					mock.Ctx.Request.SetRequestURI("/api/verify?rd=https%3A%2F%2Fauth.example.com")
 
@@ -263,7 +263,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsXHRDeny() {
 							mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 							mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 							mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-							mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+							mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 
 							if x {
 								mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
@@ -311,7 +311,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidMethodCharsDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -338,7 +338,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleMissingHostDeny() {
 			mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 			mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
-			mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+			mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 			authz.Handler(mock.Ctx)
@@ -370,7 +370,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllow() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -454,7 +454,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllowXHR() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -613,7 +613,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)

internal/middlewares/authelia_context.go

@@ -166,7 +166,7 @@ func (ctx *AutheliaCtx) GetXForwardedHost() (host []byte) {
 	return host
 }
 
-// XForwardedURI returns the content of the X-Forwarded-Uri header.
+// XForwardedURI returns the content of the X-Forwarded-URI header.
 func (ctx *AutheliaCtx) XForwardedURI() (host []byte) {
 	return ctx.Request.Header.PeekBytes(headerXForwardedURI)
 }

internal/server/template_test.go

@@ -71,7 +71,7 @@ func TestShouldTemplateOpenAPI(t *testing.T) {
 
 	mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 	mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, "example.com")
-	mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/api/openapi.yml")
+	mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/api/openapi.yml")
 
 	handler(mock.Ctx)