Authelia, forward_auth and internal TLS

1. The problem I’m having:

I’m trying to configure Caddy to use TLS (using a self-signed certificate) for forward_auth to Authelia.

I terminate ACME TLS in Caddy (auth.example.com), but from Caddy I’d like to use internal TLS as well. My Authelia instance has its own internal FQDN (auth.home.arpa) and its own certificate for that FQDN.

In the image below I’d like to authenticate with Grafana (grafana.example.com).

If it matters, both Authelia and Grafana are proxied by their own Caddy instances.

[image: caddy-autherlia]

2. Error messages and/or full log output:

My Authelia instance listens on auth.home.arpa and not auth.example.com, and Authelia throws the following error.

I don’t know how to configure Caddy to send the right headers to authelia for this to work.

jun 20 23:19:49 atomic conmon[1060880]: time="2023-06-20T23:19:49+02:00" level=error msg="Target URL https://auth.home.arpa:443/favicon.ico is not under the protected domain example.com" method=GET path=/api/verify remote_ip=172.19.142.2 stack="github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:459 VerifyGET.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54       (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16      SecurityHeaders.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:427                        (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                         (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                      (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                   (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                   (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594                                                goexit"

3. Caddy version:

# podman exec -it caddy sh
/srv # caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Podman and systemd.

a. System environment:

Ubuntu 22.04, Podman

b. Command:

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

# https://github.com/caddyserver/caddy/issues/5244
auth.example.com {
  reverse_proxy https://auth.home.arpa {
    trusted_proxies 172.16.0.5
    header_up Host {upstream_hostport}
    # Authelia uses Host for the redirect URL instead of X-Forwarded-Host for some reason
    # header_up Host {http.request.header.X-Forwarded-Host}

    # We don't want to change some of the X-Forwarded-* headers; use trusted_proxies instead
    # header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
    # header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}

    transport http {
      tls
      tls_trusted_ca_certs /config/root_ca.crt
    }
  }
}

grafana.example.com {
  forward_auth https://auth.home.arpa {
    header_up Host auth.example.com
    # header_up Host {upstream_hostport} # only required for an HTTPS upstream
    transport http {
      tls
      tls_trusted_ca_certs /config/root_ca.crt
    }
    uri /api/verify?rd=https://auth.example.com
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }
  reverse_proxy grafana.home.arpa:3000
}

5. Links to relevant resources:
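The error in the log comes from a domain check: the auth server rebuilds the URL the client originally asked for from the forwarded headers and refuses it when that URL is not under the domain it protects. The script below is an added illustration of that kind of check, written for this post; it is not Authelia's code and its header names, fallback to Host, and sample header sets are constructed assumptions. It shows how rewriting Host to the internal upstream name, with no X-Forwarded-Host, makes the internal name the one that gets checked.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed model of a "target URL must be under the protected domain"
# check; an illustration for this post, not Authelia's implementation.
PROTECTED_DOMAINS = ("example.com",)  # the domain protected in this setup


def reconstruct_target_url(headers):
    """Rebuild the originally requested URL from proxy headers.
    Assumed behaviour: fall back to Host when X-Forwarded-Host is absent,
    which is how an internal upstream hostname can end up being checked."""
    h = {k.lower(): v for k, v in headers.items()}
    proto = h.get("x-forwarded-proto", "http")
    host = h.get("x-forwarded-host") or h.get("host")
    if not host:
        raise ValueError("no X-Forwarded-Host or Host header")
    uri = h.get("x-forwarded-uri", "/")
    return urlunsplit((proto, host, uri, "", ""))


def hostname_without_port(netloc):
    # urlsplit strips :port and handles bracketed IPv6 literals
    return (urlsplit("//" + netloc).hostname or "").lower()


def is_under_protected_domain(target_url, domains=PROTECTED_DOMAINS):
    """True when the host equals a protected domain or is a subdomain of it.
    Matches on a label boundary, so 'notexample.com' is rejected."""
    host = hostname_without_port(urlsplit(target_url).netloc)
    return any(host == d or host.endswith("." + d) for d in domains)


def verify(headers):
    """Return (allowed, reconstructed_url) for one forwarded request."""
    url = reconstruct_target_url(headers)
    return is_under_protected_domain(url), url


# Constructed header sets. The first mirrors the failing request in the log:
# Host carries the upstream name and no X-Forwarded-Host is present.
LEAKED_INTERNAL_HOST = {"Host": "auth.home.arpa:443",
                        "X-Forwarded-Proto": "https",
                        "X-Forwarded-Uri": "/favicon.ico"}
# The second forwards the public hostname of the protected site.
PUBLIC_HOST_FORWARDED = {"Host": "auth.home.arpa:443",
                         "X-Forwarded-Proto": "https",
                         "X-Forwarded-Host": "grafana.example.com",
                         "X-Forwarded-Uri": "/"}

if __name__ == "__main__":
    for name, hdrs in (("leaked", LEAKED_INTERNAL_HOST), ("forwarded", PUBLIC_HOST_FORWARDED)):
        ok, url = verify(hdrs)
        print(f"{name}: {url} -> {'allowed' if ok else 'not under protected domain'}")
```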

This sounds more like a question for Authelia than Caddy.

I think the second line here is probably more correct. The Host header should match the hostname of the certificate being requested.

I’ll test with upstream_hostport again, and read up on authelia again.

Thanks for your reply!
