Apache proxy with oauth

Hi All,
I'm very drawn to SilverBullet, I have a feeling it will be just the right tool for me. However I'm struggling with setting up the right authentication flow with Apache and Rauthy.

I have Rauthy doing oauth for all my tools, works beautifully with Forgejo e.g. or it has replaced my Apache basic auth. on some simple stuff. However with SilverBullet I cannot make it work.

The main tldr is that: SilverBullet will swallow the access issues and won't forward to the auth site, so I get a blank page.

I understand in Apache I have to let the worker and client/* through:

<LocationMatch "^/(service_worker\.js|\.client/.*)$">
    AuthType None
    Require all granted
    Satisfy Any

    ProxyPass http://127.0.0.1:3001
    ProxyPassReverse http://127.0.0.1:3001
    Header set Cache-Control "no-cache, no-store, must-revalidate"
</LocationMatch>


<Location "/">
    AuthType openid-connect
    Require valid-user
    ProxyPass http://127.0.0.1:3001/
    ProxyPassReverse http://127.0.0.1:3001/
</Location>

I'm using port 3001. The first time I start Firefox, it forwards to Rauthy, I can log in and come back authenticated. Works like a charm. If I however exit Firefox, and restart it, I go to the SB page, it only shows a blank screen. Apache log clearly shows that the worker gets through, but for the actual content I get 401 -- which is warranted, but I would expect to be sent to the auth page again.

188.36.210.155 - - [05/Mar/2026:20:27:40 +0100] "GET /.fs/Library/Std/Config.md HTTP/1.1" 401 1078 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
188.36.210.155 - - [05/Mar/2026:20:27:40 +0100] "GET /.fs/CONFIG.md HTTP/1.1" 401 4032 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
188.36.210.155 - - [05/Mar/2026:20:27:41 +0100] "GET /service_worker.js HTTP/1.1" 200 28534 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"

I was hoping someone figured out how to make this work! All help would be appreciated!

Cheers,
Szabolcs

I don’t know much about Apache, but besides sending a 401, does (or can it be configured to) also send a redirect header? Otherwise SB doesn’t really know where to send the user to authenticate.

What do you see in your browser JavaScript logs when this happens?

I did look into this a bit deeper. So the issue is a fundamental challenge (as I understand) of progressive web apps and modern external auth. providers working together. Instead of full page reloads, where a redirect is easy, a service worker fetches resources in the background. The browsers will do sub-resource requests, not navigation requests, and if it gets a 401 for a resource, that won't result in a redirection to the auth provider.

Solving this requires logic in the application to differentiate (in fetch() requests) between the resource being offline and being unauthorized: Error 401 has to trigger a full page reload (window.location.reload()) to trigger the redirect -- not to fail silently into a blank screen.

Nginx and Authelia is a special case of forward authentication designed to solve such proxying challenges. SB and Authelia (I believe) wouldn't work with Apache, and SB + Nginx wouldn't work with Rauthy or other modern OIDC providers (again: I believe), only if this handling of auth errors is implemented in SilverBullet.

Again: I might be missing something, but this is my current understanding 🙂
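
An added example, not part of the thread and not SilverBullet's own code: one way the client-side handling described in the last post could look, telling "offline" apart from "unauthorized" on background fetches and forcing a full reload on the latter. The names `classifyOutcome`, `makeReauthTrigger` and `guardedFetch` are hypothetical, and it assumes the proxy answers unauthenticated background requests with a 401 (as in the Apache log above) or with a redirect.

```javascript
// Added example; classifyOutcome, makeReauthTrigger and guardedFetch are
// hypothetical names, not SilverBullet APIs.

// Map one background fetch result to what it means for the session.
function classifyOutcome(response, error) {
  if (error) {
    // fetch() rejects with TypeError when the network is unreachable.
    return error instanceof TypeError ? "offline" : "error";
  }
  // With redirect: "manual", a 3xx to the login page shows up as an opaque redirect.
  if (response.type === "opaqueredirect" || response.status === 401) return "reauth";
  return response.ok ? "ok" : "error";
}

// Reload at most once per interval so a proxy that keeps answering 401
// cannot put the page into a reload loop.
function makeReauthTrigger(storage, reload, now = Date.now, minIntervalMs = 10000) {
  return function trigger() {
    const last = Number(storage.getItem("lastReauthReload") || 0);
    if (now() - last < minIntervalMs) return false;
    storage.setItem("lastReauthReload", String(now()));
    reload(); // full navigation: the proxy can answer it with a redirect
    return true;
  };
}

// fetch() wrapper: never hides a 401 behind a generic "offline" failure.
async function guardedFetch(url, { fetchImpl = fetch, onReauth } = {}) {
  let response, error;
  try {
    response = await fetchImpl(url, { redirect: "manual", credentials: "same-origin" });
  } catch (e) {
    error = e;
  }
  const outcome = classifyOutcome(response, error);
  if (outcome === "reauth" && onReauth) onReauth();
  return { outcome, response };
}

// Browser wiring (not run under Node):
// const trigger = makeReauthTrigger(sessionStorage, () => window.location.reload());
// guardedFetch("/.fs/CONFIG.md", { onReauth: trigger });
```

The reload only helps if the resulting navigation request actually reaches the proxy instead of being answered from the service worker's cache.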