Currently I am working on my HomeLab infrastructure. Unfortunately, I ran into a problem that I can't solve.
The following components are affected:
- Nginx Proxy Manager
- Authentik
- Dashy
My goal is to have all my services in one UI with a single authentication flow. Dashy has the ability to show different services inside the dashboard UI. That works fine as long as I set the X-Frame-Options "ALLOW-FROM URL" and Content-Security-Policy "frame-ancestors URL" in Nginx Proxy Manager.
Unfortunately, however, Authentik now seems to override the X-Frame-Options and ignore changes in the proxy manager. And because Authentik is always addressed via a redirect before the first call of a service, I can't load an application within an IFrame.
Now to my question:
- How do I make Authentik understand that it should allow SAMEORIGIN or ALLOW-FROM if it ignores the nginx configuration? Is there an option that lets me set headers for Authentik?
2 Answers
There was hardly ever much support for ALLOW-FROM; today it is only relevant for an environment that still runs IE11, see https://caniuse.com/?search=allow-from
All modern browsers support CSP frame-ancestors and, with that directive present, would ignore X-Frame-Options. If you are successful in setting CSP frame-ancestors, you could ignore X-Frame-Options fully.
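The two rules in the answer above (frame-ancestors takes precedence over X-Frame-Options, and ALLOW-FROM is not honoured by current browsers) can be checked against a response's headers with the following model. This is an added example and not code from the thread, from Dashy, Authentik or Nginx Proxy Manager; it follows the X-Frame-Options algorithm in the HTML spec and the CSP3 frame-ancestors directive, with simplified source matching (no path sources), and the origins and header lists in it are constructed sample input. The point worth noticing is the ALLOW-FROM case: a lone X-Frame-Options "ALLOW-FROM ..." is an unrecognised value, so a modern browser applies no framing restriction at all, for the dashboard and for any other site alike.

```python
"""Added illustration, not code from the original thread or from Dashy,
Authentik or Nginx Proxy Manager: a model of how a current browser decides
whether a response may be shown inside an <iframe>.

Rules modelled (HTML spec X-Frame-Options check, CSP3 frame-ancestors):
  * if a Content-Security-Policy header carries frame-ancestors, X-Frame-Options
    is ignored entirely and only the frame-ancestors source list counts;
  * X-Frame-Options DENY and SAMEORIGIN are honoured; conflicting values are
    treated as DENY; any other single value, ALLOW-FROM included, is
    unrecognised and imposes no restriction at all.
Source matching is simplified: 'self', 'none', scheme sources ("https:") and
host sources with an optional "*." wildcard; path sources are not handled.
All origins and headers used below are constructed sample input.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin):
    """Return (scheme, host, port) for an origin, filling in the default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, page_origin, ancestor_origin):
    """Does one frame-ancestors source expression match the ancestor's origin?"""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin_parts(page_origin) == _origin_parts(ancestor_origin)
    a_scheme, a_host, a_port = _origin_parts(ancestor_origin)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return a_scheme == src[:-1]
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.partition(":")
    if scheme and scheme != a_scheme:
        return False
    if port == "":
        if a_port != DEFAULT_PORTS.get(a_scheme):     # no port given: default port only
            return False
    elif port != "*" and int(port) != a_port:
        return False
    if host.startswith("*."):                          # "*.home.lan" matches "dash.home.lan"
        return a_host.endswith(host[1:])
    return a_host == host


def _frame_ancestors(headers):
    """Return the frame-ancestors source list, or None if no CSP header carries one."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_allowed(headers, page_origin, ancestor_origins):
    """Decide whether a page served with `headers` at `page_origin` may be framed
    by the given chain of ancestor origins ([] means it is loaded top-level)."""
    sources = _frame_ancestors(headers)
    if sources is not None:
        # CSP present: every ancestor must match a source; X-Frame-Options is ignored.
        return all(any(_source_matches(s, page_origin, a) for s in sources)
                   for a in ancestor_origins)
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    if not values:
        return True
    if len(set(values)) > 1:
        return False                                   # conflicting values act as DENY
    if values[0] == "deny":
        return False
    if values[0] == "sameorigin":
        page = _origin_parts(page_origin)
        return all(_origin_parts(a) == page for a in ancestor_origins)
    return True                                        # ALLOW-FROM etc.: unrecognised, no restriction


if __name__ == "__main__":
    auth = "https://auth.home.lan"                     # constructed sample origins
    dash, evil = "https://dash.home.lan", "https://evil.example"
    cases = {
        "ALLOW-FROM only": [("X-Frame-Options", "ALLOW-FROM " + dash)],
        "SAMEORIGIN only": [("X-Frame-Options", "SAMEORIGIN")],
        "frame-ancestors + DENY": [("X-Frame-Options", "DENY"),
                                   ("Content-Security-Policy", "frame-ancestors 'self' " + dash)],
    }
    for label, hdrs in cases.items():
        print(f"{label:24} dashboard={framing_allowed(hdrs, auth, [dash])!s:5} "
              f"attacker={framing_allowed(hdrs, auth, [evil])}")
```

Running it shows the ALLOW-FROM header letting both the dashboard and the attacker origin frame the page, SAMEORIGIN blocking both, and a frame-ancestors policy admitting only the dashboard even though X-Frame-Options DENY is sent alongside it. That last combination is the safe shape for the setup in the question: list the dashboard origin in frame-ancestors and let the X-Frame-Options value be whatever the upstream emits.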
Were you able to make any progress on this issue? In the same boat but using Organizr.
Best