Messages

Hey,

thank your for the reply. I got it now worky partly, so i can access my proxied Domains secure by Authentik from outside my lan.

But there are two things i'm still struggeling.

1. Bypass with API. I'm used to work with Authelia and was able to set bypass rules with API Keys for Vaultwarden and notifiarr but i don't get it working with Caddy and Authentik

2. How can i access my proxied domain in Lan ?

br

Schubdog

For #1, go to Applications -> Providers ->  (edit the application proxy prorivider for the app you want to bypass api) -> Advanced protocol settings -> Unauthenticated Paths, and then add the api path to the "Unauthenticated Paths" field.

For example:
Unauthenticated Paths:  */api/.*

For #2, not sure I follow 100% here.  Maybe add local dns entries to point to your wan ip? 

Hey,

sorry for dropping in, but could you give me more Feedback on how you got Authentik running with Caddy ? I'm struggeling to get it running with setting Authentik as Forward Auth.

br
Schubdog

Happy to help if I can.  Are you having issues with the authentik config or the caddy Auth Provider config?

Caddy Auth Provider config:
 Forward Auth Provider: Authentik
 Protocol: http://
 Forward Auth Domain: ip or domain of host running authentik
 Forward Auth Port: 9000
 Forward Auth URI: /outpost.goauthentik.io/auth/caddy
 Copy Headers: Select any headers you need to forward. Most my stuff needs the X-Authentik-Username, X-Authentik-Groups and X-Authentik-Email headers

I think the auth port and uri are default and should work unless you changed them when configuring authentik.  You can verify by going to Applications -> Providers in authentik, select the forward auth provider for your app and then click on the "Caddy(Standalone)" section under the setup section.  You will see the # forward authentication to outpost snippet with the needed port and uri. Mine looks like this...

Code Select Expand

# forward authentication to outpost
        forward_auth http://outpost.company:9000 {
            uri /outpost.goauthentik.io/auth/caddy

High level Authentik config:
Create a new application and proxy provider (I typically use the wizard and then tweak if needed after)

Application:
Nothing of note to call out here

Provider:
Select 'Proxy Provider'
Choose the 'implicit' Authorization flow
Select the "Forward auth (single application) box
Add the url of the app you want to forward auth to

Outposts:
Edit the authentik Embedded Outpost
Pick your application on the left and add it to the outpost with the >
Save

Caddy Handler:
When configuring the handler enable advanced mode, upper left, and tick the 'Forward Auth' setting

Hey good to know you got it to work with Authentik.

Yeah I just got to be careful with how much to include and caddy-security seems to have some history.

Totally understand!  Admittedly, I was not aware of the caddy-security plugin history.

Hey good to know you got it to work with Authentik.

Yeah I just got to be careful with how much to include and caddy-security seems to have some history.

Admitedly, I was not aware of the history with the caddy-security plugin but dug this up... https://github.com/greenpau/caddy-security/issues/349.  Dropping it here for future reference/context.  Totally get the need to keep the risk profile low w/ the included caddy build. All good!

Hey there,

I will not add the caddy security package or make it configurable in the GUI. I suggest you use forward_auth instead with the supported Auth Providers in the plugin.

https://docs.opnsense.org/manual/how-tos/caddy.html#forward-auth

This method is more lightweight and flexible and there are no known issues.

All good, I'm currently using Organizr and the caddy-security plugin for my forward_auth needs so I figured it wouldn't hurt to ask.  I've got Authentik running now and although it's a bit overkill for my homelab needs it does the trick.  Thanks again for making this happen!

I'm so stoked for this plugin!  I'm migrating from pfSense and caddy running in docker and I currently rely pretty heavily on the caddy-security, https://github.com/greenpau/caddy-security, plugin. Would you consider adding this module in the caddy build included here?  Not sure if there is a formal request route for this or not so let me know.  I've added the caddy-security module myself w/ the add-package param but I'm guessing it will get nuked with the next update.

Also, I'm doing some snippet imports in the global block due to my use of caddy-security and there is no method to import custom configs before the global block.  I added an 'import /usr/local/etc/caddy/caddy.d/*.snippet' line above the global block in the auto generated "DO NOT EDIT THIS FILE" Caddyfile to work around this but I suspect that will get nuked at some point as well. I'm betting I'm probably no where near best practice here so no sweat if it doesn't make sense but if there are use cases to load custom configs/snippets ahead of the global block it would be cool to have an import line included in the auto generated Caddyfile.

Can't express how grateful I am for this... awesome work!