caddy-docker-proxy
Help to convert a snippet to labels
I have the following snippet I would like to convert to labels (it works well when in the Caddyfile):
(authenticate-with-authelia) {
    @forceAuth {
        not header x-authelia-whitelist XXX
    }
    forward_auth @forceAuth authelia:9091 {
        uri /api/verify?rd=https://authelia.swtk.eu/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        trusted_proxies private_ranges
    }
}
I tried to convert it to labels in Caddy's docker-compose (I did several versions, all failed):
caddy: (authenticate-with-authelia)
[email protected]: header x-authelia-token XXX
caddy.authenticate-with-authelia.forward_auth: "@forceAuth authelia:9091"
caddy.authenticate-with-authelia.forward_auth.uri: /api/verify?rd=https://authelia.swtk.eu/
caddy.authenticate-with-authelia.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Name Remote-Email
caddy.authenticate-with-authelia.forward_auth.trusted_proxies: private_ranges
When restarting Caddy, I get for each service that does an import authenticate-with-caddy an error message telling me that the authenticate-with-authelia directive is not recognized.
Since it is not possible to debug snippets via the JSON configuration (they are merged at startup) I have no way to see how it is translated, and I suppose that there is an error in the translation.
You need to keep the parentheses in the labels as well.
> You need to keep the parentheses in the labels as well.
Ah! I followed the docs.
caddy: (encode)
caddy.encode: zstd gzip
↓
(encode) {
    encode zstd gzip
}
and
caddy_0: (snippet)
caddy_0.tls: internal
caddy_1: site-a.com
caddy_1.import: snippet
caddy_2: site-b.com
caddy_2.import: snippet
↓
(snippet) {
    tls internal
}
site_a {
    import snippet
}
site_b {
    import snippet
}
I will check this out as soon as I see our election results in France :)
> You need to keep the parentheses in the labels as well.
Unfortunately this does not change the error
Hey @wsw70, were you able to make Authelia work in the end?
> Hey @wsw70, were you able to make Authelia work in the end?
Authelia is working fine. What I could not (and still cannot) make work was the snippet in the labels.
I am super curious as to how you made Authelia work without that snippet/label part. I am trying to make it work with Caddy Docker Proxy and struggling; let me know if there is a way you could help (between French :) )
As for the conversion, I get something like this, but I cannot properly test it as I am struggling to make it work:
# Define trusted_proxy_list snippet without active trusted_proxies
caddy_0: (trusted_proxy_list)
# auth.domain.ltd
caddy_1: auth.domain.ltd
caddy_1.reverse_proxy: "{{authelia 9091}}"
caddy_1.reverse_proxy.import: trusted_proxy_list
# site.domain.ltd site to protect
caddy_2: site.domain.ltd
caddy_2.forward_auth: authelia:9091
caddy_2.forward_auth.uri: /api/authz/forward-auth
caddy_2.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Email Remote-Name
caddy_2.forward_auth.import: trusted_proxy_list
caddy_2.reverse_proxy: "{{scrapper 80}}"
caddy_2.reverse_proxy.import: trusted_proxy_list
> I am super curious as to how you made Authelia work without that snippet/label part. I am trying to make it work with Caddy Docker Proxy and struggling; let me know if there is a way you could help (between French :) )
I am not sure I understand. I do use the snippet but it is defined in the main Caddyfile. I wanted to get rid of that main configuration file and do everything through the labels. This is not a showstopper though.
Wasn't able to make it work, so I used Authentik, and besides a few config items left it works well...
> I used Authentik
Looks really cool. It is a more complicated (and probably - complete) system compared to Authelia, though. Good luck!
I'm using Authelia with caddy-docker-proxy successfully.
These are the relevant labels in the Docker Compose config of my Caddy container:
caddy_90: (secure)
caddy_90.forward_auth: '{args[0]} authelia:9091'
caddy_90.forward_auth.uri: /api/verify?rd=https://auth.example.com
caddy_90.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Name Remote-Email
(The 90 suffix is because I have multiple global configs/snippets etc. and I want to order them specifically. You can leave it off)
And then for each container I want to proxy and put behind Authelia
caddy: my-app.example.com
caddy.reverse_proxy: "{{upstreams 8080}}"
caddy.import: secure *
Obviously you should change the domain and port
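To see how these labels nest into a Caddyfile, here is an added illustration (not part of the thread and not caddy-docker-proxy's own code): a simplified Python sketch of the dotted-key nesting shown in the docs excerpts above, applied to the labels from this comment. The function names are hypothetical, and the sketch assumes snippets are emitted first, directives keep label order, and templates such as `{{upstreams 8080}}` are left unexpanded.

```python
import re

# Labels from the comment above (Caddy container plus one proxied app), merged.
LABELS = {
    "caddy_90": "(secure)",
    "caddy_90.forward_auth": "{args[0]} authelia:9091",
    "caddy_90.forward_auth.uri": "/api/verify?rd=https://auth.example.com",
    "caddy_90.forward_auth.copy_headers":
        "Remote-User Remote-Groups Remote-Name Remote-Email",
    "caddy": "my-app.example.com",
    "caddy.reverse_proxy": "{{upstreams 8080}}",
    "caddy.import": "secure *",
}

def build_tree(labels):
    """Nest dotted label keys into {name: {"args": str, "children": {...}}}."""
    root = {}
    for key, value in labels.items():
        if not re.match(r"caddy(_\d+)?(\.|$)", key):
            continue  # ignore labels that are not caddy labels
        level = root
        for part in key.split("."):
            node = level.setdefault(part, {"args": "", "children": {}})
            level = node["children"]
        node["args"] = str(value)  # the label value becomes the arguments
    return root

def render(children, depth=1):
    """Render directives; a label with sub-keys becomes a { } block."""
    lines, pad = [], "\t" * depth
    for name, node in children.items():
        name = re.sub(r"_\d+$", "", name)  # drop an isolation suffix like _1
        head = f"{name} {node['args']}".strip()
        if node["children"]:
            lines.append(f"{pad}{head} {{")
            lines += render(node["children"], depth + 1)
            lines.append(f"{pad}}}")
        else:
            lines.append(pad + head)
    return lines

def labels_to_caddyfile(labels):
    """Top-level caddy / caddy_N values are block headers (site or snippet)."""
    def order(item):  # assumption of this sketch: snippets first, then suffix
        suffix = re.search(r"_(\d+)$", item[0])
        return (not item[1]["args"].startswith("("),
                int(suffix.group(1)) if suffix else 0)
    out = []
    for _, node in sorted(build_tree(labels).items(), key=order):
        out += [node["args"] + " {", *render(node["children"]), "}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(labels_to_caddyfile(LABELS))
```

The rendered output shows the `(secure)` snippet wrapping `forward_auth {args[0]} authelia:9091`, with the site block's `import secure *` supplying `*` as `{args[0]}`.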
Thank you for this @DonDebonair - helped me out with a solid working example there.
Can you please help me out with another question about this config: what labels do I need to add if I want to bypass certain paths in my-app.example.com? E.g., if I have my-app.example.com/publicurls/test1.html and my-app.example.com/publicurls/test2.html, and I want to skip Authelia authentication checks for everything under the my-app.example.com/publicurls/ path, what labels can help me do that? I would still like everything else in my-app.example.com to be authenticated.
TIA for any suggestions, cheers!
@accforgithubtest you wouldn't set labels for it. Instead, you'd have to make changes to your Authelia config to skip certain paths.
> caddy_90.forward_auth: '{args[0]} authelia:9091'
@DonDebonair thanks for the sample.
Is {args[0]} really needed there? I'm not using Authelia but something similar, and it works just fine without it with your setup. Wondering why you added it.
The args are used so you can specify exactly what you want to forward auth for. In the example this is secure *, so it uses forward auth for everything (*).
Apparently it was solved, please reopen if necessary