SSO Login

[cweiland]

Version : 0.17.0 Using authentik as sso provider. Everytime I try to do sso I have an error "no valid Host header found and external_host config option is not set"

http:
  listen: '[::]:8888'
  external_port: null
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
  trust_x_forwarded_headers: true
  session_max_age: 30m
  cookie_max_age: 1day
  sni_certificates: []

No external_host set or whitlisting

I have tried curl with headers options to forge "X-Forwarded-{Host,Proto,Port}" and "Host" to @warpgate/api/sso/providers/***/start?next=%2F endpoint Without success

But I don't have this error in v0.16.0

I don't have any ideas :( Please help

[rohkaemper]

You have to set the external Port too...

http:
  listen: '[::]:8888'      # internal port stays the same
  external_port: 443 # if you are running behind reverse proxy.
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
  trust_x_forwarded_headers: true
  session_max_age: 30m
  cookie_max_age: 1day
  sni_certificates: []

My SSO Provider looks like this...

sso_providers:
  - name: authentik
    label: Authentik
    auto_create_users: true
    provider:
      type: custom
      client_id: <yourID>
      client_secret: <yourSecret>
      issuer_url: https://<yourURI>/application/o/warpgate/
      scopes: ["email", "profile"]

For simplicity I changed redirect Regex in Authentik's Warpgate Provider to .*

This should work... If not feel free to ask again.

[cweiland]

Same error :(

http:
  listen: '[::]:8888'
  external_port: 443
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
  trust_x_forwarded_headers: true
  session_max_age: 30m
  cookie_max_age: 1day
  sni_certificates: []

I'm using pangolin as reverse proxy and authentik as IDP

curl -kv -H "Host: warpgate.*********" -H "X-Forwarded-Host: warpgate.*****" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443"  https://warpgate.*******/@warpgate/api/sso/providers/*****/start?next=%2F
[...]
> GET /@warpgate/api/sso/providers/****/start?next=%2F HTTP/2
> Host: warpgate****
> User-Agent: curl/8.14.1
> Accept: */*
> X-Forwarded-Host: warpgate****
> X-Forwarded-Proto: https
> X-Forwarded-Port: 443
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 500
< content-type: text/plain; charset=utf-8
< date: Mon, 17 Nov 2025 12:25:41 GMT
< set-cookie: p_sticky=c58e105059398333; Path=/; HttpOnly; Secure
< content-length: 71
<
* Connection #0 to host warpgate**** left intact
no valid Host header found and `external_host` config option is not set

[rohkaemper]

Did you set external_host?

external_host: warpgate.your.domain

Maybe your pangoling config denies access to warpgate? Did you set it to authenticated for your auth provider?

[cweiland]

External host is mandatory ? If not I prefer X-Forwarded-*. Also, I have the same error with

curl -kv --resolve warpgate.***:8888:192.168.**.** -H "Host: warpgate.***" -H "X-Forwarded-Host: warpgate.***" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443"  https://192.168.**.**:8888/@warpgate/api/sso/providers/***/start?next=%2F
or
curl -kv --resolve warpgate.***:443:192.168.**.** -H "Host: warpgate.***" -H "X-Forwarded-Host: warpgate.***" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Port: 443"  https://192.168.**.**:8888/@warpgate/api/sso/providers/***/start?next=%2F

[rohkaemper]

Hm. I guess than the developers have to help. Never forged the headers myself and did set it up to work with external_host etc.

[joseluisgonzalezca]

Same error here!

After logging in using Authentik, the redirect is not correctly handled. My config file has the external_host option set and I've also configured my HAProxy to send the Host header.

EDIT: Maybe related to https://github.com/warp-tech/warpgate/commit/d0fb7ea1963d16e9ed6b57d24f62e630b004fd55? @Eugeny

[rohkaemper]

I've described my Setup in this Issue: https://github.com/warp-tech/warpgate/issues/1543#issuecomment-3574611139

Maybe it helps?!

[amelie-atx]

Same error here

I use apache proxypass Part of my apache conf :

    SSLProxyEngine On
    ProxyTimeout 60
    ProxyPreserveHost On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyProtocol all -SSLv2 -SSLv3
    ProxyPass / https://127.0.0.1:8888/
    ProxyPassReverse / https://127.0.0.1:8888/
    RequestHeader set X-Forwarded-Proto "https"

In warpgateconf, I don't have external_host and trust_x_forwarded_headers is set to true

Was working in 0.16.0 but broken in 0.17.0 Tried to add external_host but I still have the error

In the log there is :

Request failed method=GET url=/@warpgate/api/sso/providers/google/start?next=%2F%40warpgate%23%2F error=no valid Host header found and `external_host` config option is not set

[baaaaast]

Hello ! I have the same issue in 0.17.0 : "no valid Host header found and external_host config option is not set"

It seems that headers are no longer taken into account to determine its external hostname.

[GarageDeveloper]

Without any proxy in front of warpgate, same problem here. It looks like the Host header is not used at all and it maybe related to commit d0fb7ea in warpgate-protocol-http/src/api/sso_provider_detail.rs:

         let mut return_url = config.construct_external_url(
-            Some(req),
+            None,
             provider_config.return_domain_whitelist.as_deref(),
         )?;

construct_external_url is always called with None instead of the request. In this case construct_external_url will never be able to identify the host unless external_host is set as it is not aware of the request.