The forward_auth directive only exists in Caddyfile syntax, not JSON config.
This fix converts Authentik authentication to use the underlying reverse_proxy
handler with proper configuration:
- Replace forward_auth handler with reverse_proxy
- Convert "private_ranges" keyword to actual CIDR blocks for JSON config
- Parse upstream URL to extract host:port for dial field (removing http://)
- Add handle_response block to copy Authentik headers on 2xx status
- Preserve X-Forwarded-Method and X-Forwarded-Uri headers
Fixes error: "unknown module: http.handlers.forward_auth"
Fixes error: "invalid IP address: 'private_ranges'"
Fixes error: "lookup /hostname: no such host" (dial with URL scheme)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
f079860007