Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Quote from: Monviech (Cedrik) on January 31, 2025, 05:15:27 PMHey good to know you got it to work with Authentik.

Yeah I just got to be careful with how much to include and caddy-security seems to have some history.


Admittedly, I was not aware of the history with the caddy-security plugin but dug this up... https://github.com/greenpau/caddy-security/issues/349.  Dropping it here for future reference/context.  Totally get the need to keep the risk profile low w/ the included caddy build. All good!

Quote from: smoofus on January 31, 2025, 04:31:27 PM
Quote from: Monviech (Cedrik) on January 19, 2025, 06:29:36 AMHey there,

I will not add the caddy security package or make it configurable in the GUI. I suggest you use forward_auth instead with the supported Auth Providers in the plugin.

https://docs.opnsense.org/manual/how-tos/caddy.html#forward-auth

This method is more lightweight and flexible and there are no known issues.


All good, I'm currently using Organizr and the caddy-security plugin for my forward_auth needs so I figured it wouldn't hurt to ask.  I've got Authentik running now and although it's a bit overkill for my homelab needs it does the trick.  Thanks again for making this happen!

Hey,

sorry for dropping in, but could you give me more feedback on how you got Authentik running with Caddy? I'm struggling to get it running with setting Authentik as Forward Auth.

br
Schubdog

Quote from: schubdog on February 09, 2025, 08:39:16 PMHey,

sorry for dropping in, but could you give me more feedback on how you got Authentik running with Caddy? I'm struggling to get it running with setting Authentik as Forward Auth.

br
Schubdog

Happy to help if I can.  Are you having issues with the authentik config or the caddy Auth Provider config?

Caddy Auth Provider config:
 Forward Auth Provider: Authentik
 Protocol: http://
 Forward Auth Domain: ip or domain of host running authentik
 Forward Auth Port: 9000
 Forward Auth URI: /outpost.goauthentik.io/auth/caddy
 Copy Headers: Select any headers you need to forward. Most of my stuff needs the X-Authentik-Username, X-Authentik-Groups and X-Authentik-Email headers

I think the auth port and uri are default and should work unless you changed them when configuring authentik.  You can verify by going to Applications -> Providers in authentik, select the forward auth provider for your app and then click on the "Caddy(Standalone)" section under the setup section.  You will see the # forward authentication to outpost snippet with the needed port and uri. Mine looks like this...

# forward authentication to outpost
forward_auth http://outpost.company:9000 {
    uri /outpost.goauthentik.io/auth/caddy
}

High level Authentik config:
Create a new application and proxy provider (I typically use the wizard and then tweak if needed after)

Application:
Nothing of note to call out here

Provider:
Select 'Proxy Provider'
Choose the 'implicit' Authorization flow
Select the 'Forward auth (single application)' box
Add the URL of the app you want to forward auth to

Outposts:
Edit the authentik Embedded Outpost
Pick your application on the left and add it to the outpost with the >
Save

Caddy Handler:
When configuring the handler enable advanced mode, upper left, and tick the 'Forward Auth' setting



Copy Headers can be left empty, the needed headers are added automatically by the template generation. It's just for additional headers like "Authorization" when Authentik sends a Basic Auth header for example.
Hardware:
DEC740

Hey,

thank you for the reply. I got it now working partly, so I can access my proxied domains secured by Authentik from outside my LAN.

But there are two things I'm still struggling with.

1. Bypass with API. I'm used to working with Authelia and was able to set bypass rules with API keys for Vaultwarden and notifiarr, but I don't get it working with Caddy and Authentik.

2. How can I access my proxied domain in my LAN?

br

Schubdog

Quote from: schubdog on February 13, 2025, 10:14:29 PMHey,

thank you for the reply. I got it now working partly, so I can access my proxied domains secured by Authentik from outside my LAN.

But there are two things I'm still struggling with.

1. Bypass with API. I'm used to working with Authelia and was able to set bypass rules with API keys for Vaultwarden and notifiarr, but I don't get it working with Caddy and Authentik.

2. How can I access my proxied domain in my LAN?

br

Schubdog

For #1, go to Applications -> Providers -> (edit the application proxy provider for the app whose API you want to bypass) -> Advanced protocol settings -> Unauthenticated Paths, and then add the API path to the "Unauthenticated Paths" field.

For example:
Unauthenticated Paths:  */api/.*

For #2, not sure I follow 100% here.  Maybe add local DNS entries to point to your WAN IP?
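As an added example, not posted by anyone in this thread and not the Caddyfile the OPNsense plugin generates: a hand-written Caddy site block showing what the Auth Provider GUI fields from smoofus's answer (Protocol, Forward Auth Domain, Forward Auth Port, Forward Auth URI, Copy Headers) correspond to, plus a Caddy-side path matcher as the alternative to the Authentik-side "Unauthenticated Paths" bypass discussed for question #1. The hostname, the outpost and upstream addresses and the API path are assumptions for illustration.

```caddyfile
# Added example, not the plugin's generated config. All addresses are assumed.
app.example.com {
	# Requests for the app's own API skip forward_auth and are authenticated by
	# the app's API key check instead (Caddy-side equivalent of an Authelia bypass
	# rule). The thread's answer puts this bypass in Authentik's "Unauthenticated
	# Paths"; use one place only and keep the pattern as narrow as possible.
	@api path /api/*
	handle @api {
		reverse_proxy 10.0.0.20:8080
	}

	# Everything else must pass the Authentik outpost first.
	handle {
		# forward authentication to outpost
		# GUI: Protocol "http://" + Forward Auth Domain + Forward Auth Port
		forward_auth http://10.0.0.10:9000 {
			# GUI: Forward Auth URI (Authentik's default outpost endpoint)
			uri /outpost.goauthentik.io/auth/caddy
			# GUI: Copy Headers; copied from the outpost's 2xx response to the
			# upstream request so the app can read the authenticated identity
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
			# Only trust X-Forwarded-* values coming from private address space,
			# so a client cannot spoof them from outside.
			trusted_proxies private_ranges
		}
		reverse_proxy 10.0.0.20:8080
	}
}
```

If the outpost returns anything other than a 2xx (typically a redirect to the Authentik login flow), forward_auth relays that response to the client and the upstream is never contacted; the `handle @api` block is the only way past that check here, so any widening of its path pattern widens the unauthenticated surface by exactly that much.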