From b2183bf856ff2e10efa9816194ad4d6a0ec749e9 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 19 Nov 2025 20:06:15 +0100
Subject: [PATCH] Fix Authentik outpost callback by preserving original Host
 header

The outpost route now preserves the original request host (e.g., email.fuo.fi)
instead of changing it to the upstream host. This allows Authentik to properly
construct redirect URLs after processing authentication callbacks.
---
 src/lib/caddy.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index 5faacc6f..542507aa 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -368,11 +368,13 @@ function buildProxyRoutes(
         ]
       };
 
+      // For the outpost route (callbacks), always preserve the original Host header
+      // so Authentik knows which domain to redirect back to after authentication
       if (authentik.setOutpostHostHeader) {
         outpostHandler.headers = {
           request: {
             set: {
-              Host: ["{http.reverse_proxy.upstream.host}"]
+              Host: ["{http.request.host}"]
             }
           }
         };