Auth and redirection


(Paul Poloskov) #1

Hello everyone,

I’ve been trying to solve a task that seemed simple at the beginning, but I’m stuck.
I have a small home server with a few services running and use Caddy primarily as a reverse proxy. What I’m trying to achieve is for Caddy to redirect unauthorised users to a login page and then back to the page they were requesting.
For example:

  1. User requests https://myserver.com/sonarr
  2. User unauthorised? https://myserver.com/login and then if everything is ok https://myserver.com/sonarr
  3. User authorised? https://myserver.com/sonarr

I was trying to solve it using the login plugin and the reauth plugin with loginsrv as a service:

reauth {
    path /sonarr
    failure redirect target=https://srv.com/login
    upstream url=https://srv.com/login
}
proxy /login loginsrv:8080/login {
    transparent
}
proxy /sonarr sonarr:8080 {
    transparent
}

However, it keeps redirecting me to the login page after successful auth.
I would appreciate any help!


(Matthew Fay) #2

Sounds like your /login endpoint isn’t able to authenticate Caddy’s request. When you ping /sonarr, Caddy pings /login with basic auth, redirecting on failure.

What are you using for auth? Basic, cookies, JWT?


(Magikstm) #3

Did you try loginsrv as a caddy plugin?

https://caddyserver.com/docs/http.login

Reauth wouldn’t be needed.

Which authentication provider do you wish to use?


(Rmoriz) #4

I don’t know about OP’s needs but as far as I understand we both would love to see an nginx-like “auth_request” implementation in Caddy.

https://github.com/bitly/oauth2_proxy which works best with “auth_request” is IMHO the default auth-provider solution out there right now.

While loginsrv integrates directly in caddy (awesome) it lacks most of the backends of oauth2_proxy including scope limitation (for example: When using GitHub as auth backend you want to limit access to users of a specific ORG).


(Paul Poloskov) #5

Yes, I did. Loginsrv is unable to redirect to the originally requested URL. For example, if I request /sonarr it redirects to /login first and after successful auth it redirects to /.
So I have to request /sonarr once again.


(Paul Poloskov) #6

I will be more than happy with basic, however I’d like to use a custom login form, not a browser window. All my services use no authentication, and what I’m trying to achieve is to have an auth frontend to protect them all together.


(Magikstm) #7

Did you try loginsrv with redirect as well as redirect-query-parameter?

It was added recently and should be available in a future release.

Ref: https://github.com/tarent/loginsrv/issues/45


(Paul Poloskov) #8

Thank you @magikstm
Yes, it works. I’m not very happy with the requested URL being transferred openly as a login page parameter, but my original question is solved indeed.
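
Added example, not part of any post above and not code from loginsrv or Caddy: when the originally requested URL travels to the login page as a query parameter, the login handler should accept it back only as a same-site path, otherwise the login page becomes an open redirect. The parameter name `return_to` and both function names are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// returnParam is a hypothetical query parameter name chosen for this example.
const returnParam = "return_to"

// loginURL builds the redirect to the login page, carrying the originally
// requested path and query (never scheme or host) in the return parameter.
func loginURL(loginPath string, requested *url.URL) string {
	q := url.Values{}
	q.Set(returnParam, requested.RequestURI())
	return loginPath + "?" + q.Encode()
}

// safeReturnPath validates the value read back from the return parameter
// after a successful login. Anything that is not a plain same-site path
// falls back to "/", so the login page cannot be used as an open redirect.
func safeReturnPath(raw string) string {
	const fallback = "/"
	// Browsers treat "\" like "/", so "/\host" would act as "//host".
	if raw == "" || strings.Contains(raw, `\`) {
		return fallback
	}
	u, err := url.Parse(raw) // also rejects control characters
	if err != nil {
		return fallback
	}
	// Absolute ("https://host/") and scheme-relative ("//host/") targets leave the site.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return fallback
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	return u.RequestURI()
}

func main() {
	req, _ := url.Parse("https://myserver.com/sonarr?tab=calendar") // constructed
	fmt.Println(loginURL("/login", req))
	for _, v := range []string{"/sonarr", "//evil.example/", "https://evil.example/", `/\evil.example`} {
		fmt.Printf("%-24q -> %s\n", v, safeReturnPath(v))
	}
}
```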