[BUG] authelia with h3/quic does not work

[arajczy]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Hi,

This issue might be with authelia but if I enable h3/quic on site that uses authelia it sends 500 Internal Server Error to the client. Using h3/quic with basic auth or using h2 with authelia are working fine, though.

This is what I get at the server side in the error.log:
2025/07/24 11:43:18 [error] 797#797: *111 auth request unexpected status: 400 while sending to client, client: ***, server: arajczy.com, request: "GET /dok/ HTTP/3.0"

Can someone check it pls?

Great Thanks

Expected Behavior

No response

Steps To Reproduce

enable listen :443 quic reuseport default_server; and listen [::]:443 quic reuseport default_server; in the server block

Environment

- OS: AlmaLinux release 10.0
- How docker service was installed: podman-5.4.0-12.el10_0.src.rpm from the appstream repo

CPU architecture

x86-64

Docker creation

[Unit]
Description=Webserver Container
Wants=network-online.target
After=network-online.target

[Container]
AddCapability=NET_ADMIN
ContainerName=webserver
EnvironmentFile=webserver.env
HostName=webserver
Image=lscr.io/linuxserver/swag:latest
Mount=type=volume,src=webserver.volume,dst=/config
Network=pasta:-T,auto,-U,auto
Notify=conmon
PublishPort=8008:80/tcp
PublishPort=8009:443/tcp
PublishPort=8009:443/udp
Timezone=local

[Service]
Restart=on-failure
TimeoutStopSec=70

[Install]
WantedBy=default.target
~

Container logs

[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-swag-old-certbot-paths: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    911
User GID:    911
───────────────────────────────────────
Linuxserver.io version: 4.1.1-ls396
Build-date: 2025-07-20T15:09:43+00:00
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=
PGID=
TZ=
URL=arajczy.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=
STAGING=

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for arajczy.com will be requested
No e-mail address entered or address invalid
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready

[arajczy]

based on the recommendation in authelia/authelia#7146 I have replaced the variable $http_host to $host:

from:

proxy_set_header X-Original-URL $scheme://$http_host$request_uri;

to:

proxy_set_header X-Original-URL $scheme://$host$request_uri;

after this it is working.

[pentago]

I would check if this breaks websocket connections in devtools for apps like sonarr/bazarr..

[drizuid]

authelia neither supports http3 nor http2; it sounds like the nginx http3 doesn't properly fallback, which is out of our hands and one of the major reasons we disable http3 by default.

[dgrzjohn]

I would check if this breaks websocket connections in devtools for apps like sonarr/bazarr..

I'm not seeing any errors in the console, and in devtools in Chrome for Sonarr, Radarr, Jellyfin, The Lounge, Audiobookshelf all show Status 101 for their websocket connections. All other connections show protocol h3. Let me know if there's something else I should check. Bazarr doesn't seem to be creating one, but no errors either.

I've been running this change (everything suggested by LSIO in the readme + $http_host to $host) in my home environment since 7/21 and haven't experienced any new errors or seen anything in my nginx error.log.

[pentago]

I've been running this change (everything suggested by LSIO in the readme + $http_host to $host) in my home environment since 7/21 and haven't experienced any new errors or seen anything in my nginx error.log.

I'm not sure how same config can yield such a different outcome for both of us.
Would you be kind posting output (preferably redacted) of docker exec -it swag nginx -T command to some pastebin and share with us here to try debug things?

[dgrzjohn]

If there's a specific config file you'd like to see I'll share it, but I only made the changes stated above. My configs have very limited changes otherwise, but I don't feel like redacting everything. I did notice in the other discussion you were attempting to disable some listeners, I did add all listeners to every proxy-conf (including authelia) as well as the default as stated in the readme.

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

[aerz]

I can confirm this (#578 (comment)) fixes the Authelia errors:

# navidrome using subfolder
time="2025-09-10T19:34:46+02:00" level=error msg="Target URL does not appear to have a relevant session cookies configuration" error="unable to retrieve session cookie domain provider: no configured session cookie domain matches the url 'https:///music/app/assets/index-B3wIDoCy.css'" method=GET path=/api/authz/auth-request remote_ip=x.x.x.x target_url="https:///music/app/assets/index-B3wIDoCy.css"

Also, I use a single reuseport in default.conf because swag log throws a duplication configuration error. This may be off-topic for this issue, but these two changes make QUIC/HTTP3 work with Swag+Authelia.

2025/09/10 18:48:25 [emerg] 1152#1152: duplicate listen options for 0.0.0.0:443 in /config/nginx/site-confs/default.conf:70

server {
  listen 443 quic reuseport default_server;
  listen [::]:443 quic default_server;
  ...
}

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.