Add excluded paths support for forward auth (fixes #108)

Allow users to exclude specific paths from Authentik/CPM forward auth
protection. When excluded_paths is set, all paths require authentication
EXCEPT the excluded ones — useful for apps like Navidrome that need
/share/* and /rest/* to bypass auth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fuomag9
2026-04-17 10:11:24 +02:00
parent 390840dbd9
commit 8f4c24119e
8 changed files with 376 additions and 6 deletions


@@ -77,6 +77,7 @@ function parseAuthentikConfig(formData: FormData): ProxyHostAuthentikInput | und
const copyHeaders = parseCsv(formData.get("authentik_copy_headers"));
const trustedProxies = parseCsv(formData.get("authentik_trusted_proxies"));
const protectedPaths = parseCsv(formData.get("authentik_protected_paths"));
const excludedPaths = parseCsv(formData.get("authentik_excluded_paths"));
const setHostHeader = formData.has("authentik_set_host_header_present")
? parseCheckbox(formData.get("authentik_set_host_header"))
: undefined;
@@ -103,6 +104,9 @@ function parseAuthentikConfig(formData: FormData): ProxyHostAuthentikInput | und
if (protectedPaths.length > 0 || formData.has("authentik_protected_paths")) {
result.protectedPaths = protectedPaths;
}
if (excludedPaths.length > 0 || formData.has("authentik_excluded_paths")) {
result.excludedPaths = excludedPaths;
}
if (setHostHeader !== undefined) {
result.setOutpostHostHeader = setHostHeader;
}
@@ -122,6 +126,7 @@ function parseCpmForwardAuthConfig(formData: FormData): CpmForwardAuthInput | un
: false
: undefined;
const protectedPaths = parseCsv(formData.get("cpm_forward_auth_protected_paths"));
const excludedPaths = parseCsv(formData.get("cpm_forward_auth_excluded_paths"));
const result: CpmForwardAuthInput = {};
if (enabledValue !== undefined) {
@@ -130,6 +135,9 @@ function parseCpmForwardAuthConfig(formData: FormData): CpmForwardAuthInput | un
if (protectedPaths.length > 0 || formData.has("cpm_forward_auth_protected_paths")) {
result.protected_paths = protectedPaths.length > 0 ? protectedPaths : null;
}
if (excludedPaths.length > 0 || formData.has("cpm_forward_auth_excluded_paths")) {
result.excluded_paths = excludedPaths.length > 0 ? excludedPaths : null;
}
return Object.keys(result).length > 0 ? result : undefined;
}
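Review bot: The entries read from `authentik_excluded_paths` and `cpm_forward_auth_excluded_paths` are assigned to `result.excludedPaths` / `result.excluded_paths` exactly as `parseCsv` returns them, so nothing visible in these hunks stops a catch-all value such as `/` or `/*` from taking the whole host out of forward auth. Because this list is an authentication bypass, the parser should reject entries that do not start with `/` or that match every path, unless that validation already lives in one of the changed files not shown here. The hunks also do not show what happens when protected and excluded paths are submitted together; if exclusion is meant to win, a comment beside the assignment such as `// excluded paths take precedence over protected paths` would record that rule. Both functions start outside the hunks.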


@@ -1448,6 +1448,7 @@ const spec = {
trustedProxies: { type: "array", items: { type: "string" }, example: ["private_ranges"] },
setOutpostHostHeader: { type: "boolean" },
protectedPaths: { type: ["array", "null"], items: { type: "string" }, description: "Paths to protect (null = all)" },
excludedPaths: { type: ["array", "null"], items: { type: "string" }, description: "Paths to exclude from auth (bypassed while rest is protected)" },
},
},
LoadBalancerConfig: {
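Review bot: The `excludedPaths` description does not say what `null` or an empty array means or how entries are matched, while the neighbouring `protectedPaths` entry spells out `null = all`. Since this field removes authentication from the listed paths, API clients need the matching rule and its precedence against `protectedPaths` stated in the schema. Something like `description: "Paths exempt from forward auth; all other paths stay protected (null = no exclusions)"` would do, assuming that is what null means in the handler. The `spec` object starts and ends outside the hunk.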