From 291f12e5ea1bb88ff2bddcfc5e27afb5f2c34a0f Mon Sep 17 00:00:00 2001
From: Toby Chui
Date: Sat, 19 Apr 2025 08:44:22 +0800
Subject: [PATCH 1/3] Update README.md

Added community maintained section contact list
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index ccabdc2..53ffc97 100644
--- a/README.md
+++ b/README.md
@@ -195,6 +195,16 @@ Loopback web SSH connections, by default, are disabled. This means that if you a
 ./zoraxy -sshlb=true
 ```
 
+## Community Maintained Sections
+
+Some section of Zoraxy are contributed by our amazing community and if you have any issues regarding those sections, it would be more efficient if you can tag them directly when creating an issue report.
+
+Authelia Support added by @7brend7
+Authentik Support added by @JokerQyou
+Docker Container List by @eyerrock
+
+Thank you so much for your contributions!
+
 ## Sponsor This Project
 
 If you like the project and want to support us, please consider a donation. You can use the links below

From 72b100aab04d9c1f48133f470c023cecca3bedf6 Mon Sep 17 00:00:00 2001
From: Toby Chui
Date: Sat, 19 Apr 2025 08:45:57 +0800
Subject: [PATCH 2/3] Update README.md

Fixed contributor list format
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 53ffc97..0d17eb7 100644
--- a/README.md
+++ b/README.md
@@ -199,9 +199,9 @@ Loopback web SSH connections, by default, are disabled. This means that if you a
 
 Some section of Zoraxy are contributed by our amazing community and if you have any issues regarding those sections, it would be more efficient if you can tag them directly when creating an issue report.
 
-Authelia Support added by @7brend7
-Authentik Support added by @JokerQyou
-Docker Container List by @eyerrock
+- Authelia Support added by [@7brend7](https://github.com/7brend7)
+- Authentik Support added by [@JokerQyou](https://github.com/JokerQyou)
+- Docker Container List by [@eyerrock](https://github.com/eyerrock)
 
 Thank you so much for your contributions!
 

From 4f026e8c07a1678956fec9663423b2be7864ab9f Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Mon, 21 Apr 2025 12:57:59 +1000
Subject: [PATCH 3/3] fix(authelia): original headers

This fixes the original headers imparted to authelia.
---
 src/mod/auth/sso/authelia/authelia.go | 54 ++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 13 deletions(-)

diff --git a/src/mod/auth/sso/authelia/authelia.go b/src/mod/auth/sso/authelia/authelia.go
index 075e97f..d86f374 100644
--- a/src/mod/auth/sso/authelia/authelia.go
+++ b/src/mod/auth/sso/authelia/authelia.go
@@ -3,9 +3,10 @@ package authelia
 import (
 "encoding/json"
 "errors"
- "fmt"
+ "net"
 "net/http"
 "net/url"
+ "strings"
 
 "imuslab.com/zoraxy/mod/database"
 "imuslab.com/zoraxy/mod/info/logger"
@@ -93,25 +94,20 @@ func (ar *AutheliaRouter) HandleAutheliaAuth(w http.ResponseWriter, r *http.Requ
 protocol = "https"
 }
 
- autheliaBaseURL := protocol + "://" + ar.options.AutheliaURL
- //Remove tailing slash if any
- if autheliaBaseURL[len(autheliaBaseURL)-1] == '/' {
- autheliaBaseURL = autheliaBaseURL[:len(autheliaBaseURL)-1]
+ autheliaURL := &url.URL{
+ Scheme: protocol,
+ Host: ar.options.AutheliaURL,
 }
 
 //Make a request to Authelia to verify the request
- req, err := http.NewRequest("POST", autheliaBaseURL+"/api/verify", nil)
+ req, err := http.NewRequest("POST", autheliaURL.JoinPath("api", "verify").String(), nil)
 if err != nil {
 ar.options.Logger.PrintAndLog("Authelia", "Unable to create request", err)
 w.WriteHeader(401)
 return errors.New("unauthorized")
 }
 
- scheme := "http"
- if r.TLS != nil {
- scheme = "https"
- }
- req.Header.Add("X-Original-URL", fmt.Sprintf("%s://%s", scheme, r.Host))
+ originalURL := rOriginalHeaders(r, req)
 
 // Copy cookies from the incoming request
 for _, cookie := range r.Cookies() {
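Review bot: The new `autheliaURL` literal puts `ar.options.AutheliaURL` straight into `Host`, and the trailing-slash trim that the removed lines performed is gone. If the stored setting can still end in `/` (or carry a sub-path), that character lands in the host component, where `url.URL` percent-escapes it instead of treating it as a path separator, so the verify request would be sent to a malformed authority. A minimal guard that keeps the old tolerance is `Host: strings.TrimSuffix(ar.options.AutheliaURL, "/"),`. HandleAutheliaAuth begins and ends outside this hunk.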
@@ -127,10 +123,42 @@ func (ar *AutheliaRouter) HandleAutheliaAuth(w http.ResponseWriter, r *http.Requ
 }
 
 if resp.StatusCode != 200 {
- redirectURL := autheliaBaseURL + "/?rd=" + url.QueryEscape(scheme+"://"+r.Host+r.URL.String()) + "&rm=" + r.Method
- http.Redirect(w, r, redirectURL, http.StatusSeeOther)
+ redirectURL := autheliaURL.JoinPath()
+
+ query := redirectURL.Query()
+
+ query.Set("rd", originalURL.String())
+ query.Set("rm", r.Method)
+
+ http.Redirect(w, r, redirectURL.String(), http.StatusSeeOther)
 return errors.New("unauthorized")
 }
 
 return nil
 }
+
+func rOriginalHeaders(r, req *http.Request) *url.URL {
+ if r.RemoteAddr != "" {
+ before, _, _ := strings.Cut(r.RemoteAddr, ":")
+
+ if ip := net.ParseIP(before); ip != nil {
+ req.Header.Set("X-Forwarded-For", ip.String())
+ }
+ }
+
+ originalURL := &url.URL{
+ Scheme: "http",
+ Host: r.Host,
+ Path: r.URL.Path,
+ RawPath: r.URL.RawPath,
+ }
+
+ if r.TLS != nil {
+ originalURL.Scheme = "https"
+ }
+
+ req.Header.Add("X-Forwarded-Method", r.Method)
+ req.Header.Add("X-Original-URL", originalURL.String())
+
+ return originalURL
+}
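Review bot: In the `resp.StatusCode != 200` branch the `rd` and `rm` values are set on `query`, which is a parsed copy returned by `redirectURL.Query()` and is never written back, so the redirect to Authelia goes out without either parameter; add `redirectURL.RawQuery = query.Encode()` before the `http.Redirect` call. In `rOriginalHeaders`, `strings.Cut(r.RemoteAddr, ":")` cannot split a bracketed IPv6 address such as `[::1]:port`, so `X-Forwarded-For` is silently omitted for IPv6 clients and any network-based rule on the Authelia side would presumably not see the real client address; `host, _, err := net.SplitHostPort(r.RemoteAddr)` handles both address families. `originalURL` also leaves out `r.URL.RawQuery`, which the removed `r.URL.String()` call carried into `rd`. The helper has no doc comment; a line such as `// rOriginalHeaders sets the X-Forwarded-* and X-Original-URL headers on req from r and returns the original URL.` would make the side effect on `req` explicit. HandleAutheliaAuth starts outside this hunk.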