
caddy forward auth

Open bucky2780 opened this issue 5 months ago • 7 comments

Caddy - General Settings - Auth: when attempting to fill in the headers, a combo box is provided that DOES NOT support input. The combo box is empty and no input is allowed... so I can't use this.

I am trying to set up authentik and caddy for forward auth for a number of services that do not currently support oauth2. This appears to me to be an ideal solution, if only I can use it.

Is there a guide around that shows how to set this up for authentik?

I am on the latest opnsense.

bucky2780 avatar Jun 10 '25 23:06 bucky2780

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot avatar Jun 11 '25 00:06 OPNsense-bot

You do not have to input any headers there; standard headers are used by default. The dropdown is just for additional headers you create in "Reverse Proxy - Headers". They are not necessary, just for specific use cases like setting an "Authentication" header for very specific requirements.

https://github.com/opnsense/plugins/blob/2da22da18bb43783b27d2d522787c9dfe64b188b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider#L41-L52

Monviech avatar Jun 11 '25 06:06 Monviech

Ahh yes, I can see that now... diagnostics does show the headers being passed.

I have not been able to get forward auth to work at all... sad to say (with authentik)

In fact, turning this feature on causes opnsense to spin badly, and it ultimately becomes unstable with "swap out of space" errors. Perhaps my authentik config is lacking, as the doco is very brief, and I'm not sure I got it right.

Not sure how to proceed, so going to think about this some more.

bucky2780 avatar Jun 11 '25 09:06 bucky2780

There have been a few reports in the forum from people who got it working. Search for posts.

If somehow your opnsense swap gets full, it probably means you accidentally built a reverse proxy loop, which will eat up all your RAM before caddy crashes. Be careful not to build infinite loops.

Monviech avatar Jun 11 '25 10:06 Monviech

thanks... will do.

What is the correct URI of the Forward Auth item on the settings page... is it /api/authz/forward-auth/ ?

bucky2780 avatar Jun 11 '25 10:06 bucky2780

I don't know anything about forward auth, sorry. Best try the opnsense forum.

Monviech avatar Jun 11 '25 10:06 Monviech

> thanks... will do.
>
> What is the correct URI of the Forward Auth item on the settings page... is it /api/authz/forward-auth/ ?

That depends on your auth provider. For Authentik it's "/outpost.goauthentik.io/auth/caddy".

Reading your posts again, it seems you use authentik. Depending on the web app you want to authenticate to (for example an app with HTTP basic auth), you may have to select "Authorization" in the "copy header" field of the auth provider tab in caddy settings. You have to previously add Authorization as a header up in the reverse proxy tab.

caplam avatar Jun 15 '25 16:06 caplam
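For orientation, the hand-written Caddyfile equivalent of what the thread describes (the Authentik check URI, the copied headers, and keeping the outpost path itself outside the auth check so no proxy loop forms). This is an added example, not the plugin's generated config or anything posted in the issue; the hostnames, ports and upstream app are assumptions.

```caddyfile
# Added example (not from the OPNsense Caddy plugin or this issue).
# Assumed names: app.example.com, authentik-server:9000, portainer:9000.
app.example.com {
    # 1. Requests for the outpost's own endpoints must bypass forward_auth.
    #    If this path were also protected, every auth check would trigger
    #    another auth check: the infinite loop that exhausts RAM and swap.
    @outpost path /outpost.goauthentik.io/*
    handle @outpost {
        reverse_proxy http://authentik-server:9000
    }

    # 2. Everything else is checked against Authentik first.
    handle {
        forward_auth http://authentik-server:9000 {
            # The Authentik check URI named in the thread. A 2xx answer
            # lets the original request through; anything else is returned
            # to the client (typically a redirect to the Authentik login).
            uri /outpost.goauthentik.io/auth/caddy

            # Headers from Authentik's reply that are copied onto the request
            # sent upstream. Add "Authorization" to this list only when the
            # backend really needs HTTP basic auth, as caplam notes above.
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid

            # Only accept forwarded client headers from proxies you control.
            trusted_proxies private_ranges
        }
        reverse_proxy http://portainer:9000
    }
}
```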

@caplam I'm trying to follow your steps for getting Portainer working with Authentik and the OPNsense Caddy Plugin. When you add Authorization as a header up, what values are you using for "Header Type" and "Header Value"?

peanutlasko avatar Aug 21 '25 03:08 peanutlasko

I'm on vacation and my OPNsense is down due to a full disk, so I can't check my config. But for using authentik to authenticate portainer you have to use oauth2. If I remember correctly, this is well explained in authentik's docs. Doing that, you don't forward auth from caddy to authentik. You simply reverse proxy from caddy to portainer, and the landing page on portainer brings you to authentik.

caplam avatar Aug 21 '25 06:08 caplam