Auth-request redux

1. Caddy version (caddy version):

2.3.0

2. How I run Caddy:

my.site.ngo {
reverse_proxy app:80
}

a. System environment:

docker-compose

b. Command:


c. Service/unit/compose file:

caddy:
    image: caddy:2.3.0
    expose:
      - "80"
      - "443"
    ports:
      - 80:80
      - 443:443
    volumes:
      - $PWD/caddy2/Caddyfile:/etc/caddy/Caddyfile:ro

3. The problem I’m having:

Revisiting https://caddy.community/t/caddy-v2-support-auth-request-like-mode-that-nginx-has/7678:

Is there a way to:

  • get request /abc/def/
  • forward request (or headers) to auth_app:81/auth/
  • if 200, continue to reverse proxy to full_app:82/xyz/def/
  • if not 200, go to 403

In nginx, it’d be something like:

location /abc/ {
  # auth_request takes an internal location; that location would proxy_pass to auth_app:81/auth/
  auth_request auth_app:81/auth/;
  error_page 403 /login_error_handler/?upon_success=$request_uri;
  proxy_pass http://full_app:82/xyz;
}

With Caddyfile, I can only see as far as:

site.ngo {
   reverse_proxy full_app:82/xyz
}

4. Error messages and/or full log output:

5. What I already tried:

It looked like there was a belief that this would be fun and easy in "Caddy v2 support auth-request-like mode that nginx has"?

The alternative of the recommended plugin introduces its own auth / account / RBAC system. It seems like a large dependency, and it is unclear how to have it instead use the app-defined account system. In general, while interesting as an idea, it is not a clear fit for using an app’s auth. In contrast, nginx’s auth_request is a quite thin separation of concerns, but I couldn’t map it to Caddy’s directives.

Have recommendations changed here for using Caddy to do surface-level auth checks that reuse internal routes? I’m thinking the simplest path is that we can implement an internal redirection service to mimic what a plugin might do…

6. Links to relevant resources:

Please don’t forget to persist /data as well, else you risk losing data and hitting ACME rate limits! See Docker

You don’t need these if you already have ports defined. See the docker-compose example in the Docker Hub docs.

Unfortunately, there’s nothing built-in for this (there’s been some discussion about it in this issue), but someone’s written a plugin that may do what you need:

Take a look at the Caddyfile in the repo. Your config might look like this:

site.ngo {
	route {
		extauth {
			endpoint http://auth_app:81/auth/
			copy-request-header Authorization
			copy-response-header X-Token
			set-header X-Original-Uri {uri}
			set-header X-Original-Method {method}
		}
		reverse_proxy http://full_app:82
	}
}

What’s unfortunate is it doesn’t seem to return an error, unlike the basicauth handler, so it doesn’t seem quite possible to redirect on auth failure. You can request that feature on github.

To build Caddy with that plugin, follow these instructions:

You’d run this xcaddy command:

xcaddy build --with github.com/trusch/caddy-extauth
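To make the contract behind auth_request / extauth concrete, here is an added example (not code from the thread, the plugin, or Caddy) that models both halves of the flow asked for above in plain Python: the auth service that `auth_app:81/auth/` would run, and the gateway logic that forwards only named headers, keeps the body away from the auth hop, rewrites `/abc/...` to `/xyz/...` on a 200, and answers 403 otherwise. The session store, token values and hostnames are constructed for the example; the `X-Auth-User` header name is an assumption standing in for whatever identity header the app trusts.

```python
"""Model of the auth-subrequest contract: auth_endpoint() plays auth_app:81/auth/,
gateway() plays the proxy. Both are plain functions so the flow runs offline."""
import hmac

# Constructed session store: token -> user. A real auth_app would consult the
# application's own account system here, which is the OP's requirement.
SESSIONS = {"tok-alice-9f3": "alice"}

# Headers the gateway sets from the auth verdict; a client must never be able
# to supply them itself, so they are stripped from the incoming request.
IDENTITY_HEADERS = ("X-Token", "X-Auth-User")


def auth_endpoint(forwarded_headers):
    """Decide on forwarded headers only, like auth_app:81/auth/.
    Returns (status, response_headers); 200 allows, anything else denies."""
    authz = forwarded_headers.get("Authorization", "")
    scheme, _, token = authz.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"WWW-Authenticate": "Bearer"}
    # Constant-time comparison against each known token so the check does not
    # leak how much of a guessed token matched.
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):
            # Mirrors copy-response-header: hand the app a verified identity.
            return 200, {"X-Token": token, "X-Auth-User": user}
    return 403, {}


def rewrite_path(path, src="/abc/", dst="/xyz/"):
    """/abc/def/ -> /xyz/def/, the upstream mapping from the question."""
    if not path.startswith(src):
        raise ValueError("path outside protected prefix")
    return dst + path[len(src):]


def gateway(method, path, headers):
    """Model of the proxy: subrequest to auth with named headers, then proxy or 403."""
    # Only the named header is copied (copy-request-header Authorization), plus
    # the X-Original-* context the auth service may need; no body is sent.
    sub_headers = {
        "Authorization": headers.get("Authorization", ""),
        "X-Original-Uri": path,
        "X-Original-Method": method,
    }
    status, verdict_headers = auth_endpoint(sub_headers)
    if status != 200:
        return {"status": 403, "upstream": None, "headers": {}}
    # Drop any client-supplied identity headers before merging the verdict,
    # otherwise a caller could claim to be someone else to full_app.
    upstream_headers = {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}
    upstream_headers.update(verdict_headers)
    return {
        "status": 200,
        "upstream": "http://full_app:82" + rewrite_path(path),
        "headers": upstream_headers,
    }


if __name__ == "__main__":
    print(gateway("GET", "/abc/def/", {"Authorization": "Bearer tok-alice-9f3"}))
    print(gateway("GET", "/abc/def/", {}))
```

The two things worth carrying over to a real deployment are that the auth hop sees headers only (so a large upload is not replayed to the auth service) and that whatever identity header the gateway copies from the auth response must be stripped from the client request first, since `full_app` has no way to tell the two apart.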
