Authelia, forward_auth and internal TLS

1. The problem I’m having:

I’m trying to configure Caddy to use TLS (using a self-signed certificate) for forward_auth to Authelia.

I terminate ACME TLS in Caddy (, but from Caddy I’d like to use internal TLS as well. My authelia instance has its own internal FQDN ( and its own certificate for that FQDN.

In the image below I’d like to authenticate with Grafana (

If it matters, both Authelia and Grafana are proxied by their own Caddy instances.


2. Error messages and/or full log output:

My authelia instance listens to and not, and authelia throws the following error.

I don’t know how to configure Caddy to send the right headers to authelia for this to work.

jun 20 23:19:49 atomic conmon[1060880]: time="2023-06-20T23:19:49+02:00" level=error msg="Target URL is not under the protected domain" method=GET path=/api/verify remote_ip= stack=" VerifyGET.func1\       (*BridgeBuilder).Build.func1.1\      SecurityHeaders.func1\                        (*Router).Handler\                         (*Response).StatusCode\                      (*Server).serveConn\                   (*workerPool).workerFunc\                   (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594                                                goexit"

3. Caddy version:

# podman exec -it caddy sh
/srv # caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Podman and systemd.

a. System environment:

Ubuntu 22.04, Podman

b. Command:

c. Service/unit/compose file:


d. My complete Caddy config:

# {
  reverse_proxy {
    header_up Host {upstream_hostport}
    # Authelia uses Host for the redirect URL instead of X-Forwarded-Host for some reason
    # header_up Host {http.request.header.X-Forwarded-Host}

    # We don't want to change some of the X-Forwarded-*, or use trusted_proxies instead
    # header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
    # header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}

    transport http {
      tls_trusted_ca_certs /config/root_ca.crt
    }
  }
}

{
  forward_auth {
    header_up Host
    # header_up Host {upstream_hostport} # only required for HTTPS upstream
    transport http {
      tls_trusted_ca_certs /config/root_ca.crt
    }
    uri /api/verify?rd=
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }
}

5. Links to relevant resources:

This sounds more like a question for Authelia than Caddy.

I think the second line here is probably more correct. The Host header should match the hostname of the certificate being requested.
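A pair of site blocks along the lines the reply suggests, added here as an illustration and not taken from the thread or from the Authelia project; auth.example.com, grafana.example.com, the *.internal names, the ports and the CA path are assumptions:

```caddyfile
# Constructed example: every hostname, port and file path below is a placeholder.

# Authelia's public entry point. Caddy terminates ACME TLS here and talks to
# Authelia over internal TLS, verifying its certificate against the private CA.
auth.example.com {
	reverse_proxy https://authelia.internal:9091 {
		# The upstream presents a certificate for authelia.internal, so the Host
		# sent upstream must carry that name rather than the public one.
		header_up Host {upstream_hostport}
		transport http {
			tls_trusted_ca_certs /config/root_ca.crt
		}
	}
}

# A protected application. forward_auth is a thin wrapper over reverse_proxy,
# so the same header_up and transport options apply to the call to Authelia.
grafana.example.com {
	forward_auth https://authelia.internal:9091 {
		uri /api/verify?rd=https://auth.example.com
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		# Needed only because the upstream is HTTPS: Host must agree with the
		# certificate name. Caddy still sets X-Forwarded-Host to the original
		# grafana.example.com (plus X-Forwarded-Proto, -Method and -Uri), which
		# is what Authelia combines into the target URL it checks against its
		# protected domain.
		header_up Host {upstream_hostport}
		transport http {
			tls_trusted_ca_certs /config/root_ca.crt
		}
	}
	reverse_proxy grafana.internal:3000
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` to check the syntax before reloading.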

I’ll test with upstream_hostport again, and read up on authelia again.

Thanks for your reply!
