question: API Key in Authorization: Bearer header #321
Comments
I think it can be solved with two Caddies behind each other. The first copies the API token from the I have checked with httpbin that the X-Api-Token header is set correctly with this
This

```yaml
version: '3'
services:
  httpbin:
    image: mccutchen/go-httpbin
    command: ['/bin/go-httpbin', '-port', '8080']
  reverse_proxy:
    image: caddy
    depends_on:
      - httpbin
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
    ports:
      - "8000:80"
```

And this command:

```
curl -H "Authorization: Bearer 123456789" -c -U http://localhost:8000/headers
```

Response:

```json
{
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Accept-Encoding": [
      "gzip"
    ],
    "Authorization": [
      "Bearer 123456789"
    ],
    "Host": [
      "localhost:8000"
    ],
    "User-Agent": [
      "curl/8.4.0"
    ],
    "X-Api-Key": [
      "123456789"
    ],
    "X-Forwarded-For": [
      "172.25.0.1"
    ],
    "X-Forwarded-Host": [
      "localhost:8000"
    ],
    "X-Forwarded-Proto": [
      "http"
    ]
  }
}
```

Maybe it even works by just protecting the specific route with caddy-security in the same single Caddy, but I am unsure if the header values are copied early enough. Haven't tried it, yet, with caddy-security, though.
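An added example, not taken from this thread and not the commenter's Caddyfile: one way to write the front proxy so that the Bearer value is copied into X-Api-Key, using Caddy's `header_regexp` matcher and `request_header` directive. It assumes the compose file above (upstream `httpbin:8080`, listener on port 80); in the two-Caddy setup the upstream would instead be the second Caddy that runs caddy-security.

```caddyfile
# Assumed front-proxy Caddyfile for the compose setup above (illustrative).
:80 {
	# Match only requests that carry "Authorization: Bearer <value>"
	# and capture <value> as group 1 of the matcher named "bearer".
	@bearer header_regexp bearer Authorization "^Bearer (.+)$"

	# Set (overwrite) X-Api-Key with the captured value. Requests without
	# a Bearer header are not matched, so a client-sent X-Api-Key passes
	# through unchanged.
	request_header @bearer X-Api-Key {re.bearer.1}

	reverse_proxy httpbin:8080 {
		# The original Authorization header is still forwarded, as in the
		# httpbin response above. Uncomment to stop the key from reaching
		# the upstream twice:
		# header_up -Authorization
	}
}
```

Because the key now travels in two headers unless Authorization is dropped, check that any access logging on either hop redacts both Authorization and X-Api-Key.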
If I understand correctly, the API key can be passed via the X-Api-Key header.
I would like to be able to use the Authorization: Bearer header, instead of or in addition to that.
The rationale is that I could use Caddy with Caddy Security as an API Gateway for a self-hosted OpenAI API compatible REST API (e.g. as provided by Ollama). This would be immediately usable by the large number of clients, such as OpenWebUI. The OpenAI API uses Authorization: Bearer.
As per the discussion in issue 116 the following config makes auth with header X-Api-Key possible:
On the other hand, Token validation can be activated with Authorization: Bearer with this config:
curl --insecure -H "Authorization: Bearer JWT_TOKEN" -v https://localhost:8443/myapp
Is there a way to "merge" the two or set one header based on the other to achieve the following?
curl --insecure -H "Authorization: Bearer API_KEY" -v https://localhost:8443/myapp