1. The problem I’m having:
I’m trying to configure Caddy to use TLS (using a self-signed certificate) for forward_auth to Authelia.
I terminate ACME TLS in Caddy (auth.example.com), but from Caddy I’d like to use internal TLS as well. My Authelia instance has its own internal FQDN (auth.home.arpa) and its own certificate for that FQDN.
In the image below I’d like to authenticate with Grafana (grafana.example.com).
If it matters, both Authelia and Grafana are proxied by their own Caddy instances.
2. Error messages and/or full log output:
My Authelia instance listens on auth.home.arpa and not auth.example.com, and Authelia throws the following error. I don’t know how to configure Caddy to send the right headers to Authelia for this to work.
```
jun 20 23:19:49 atomic conmon[1060880]: time="2023-06-20T23:19:49+02:00" level=error msg="Target URL https://auth.home.arpa:443/favicon.ico is not under the protected domain example.com" method=GET path=/api/verify remote_ip=172.19.142.2 stack="github.com/authelia/authelia/v4/internal/handlers/handler_verify.go:459 VerifyGET.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16 SecurityHeaders.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:427 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154 (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594 goexit"
```
3. Caddy version:
```
# podman exec -it caddy sh
/srv # caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
```
4. How I installed and ran Caddy:
Podman and systemd.
a. System environment:
Ubuntu 22.04, Podman
b. Command:
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
```caddyfile
# https://github.com/caddyserver/caddy/issues/5244
auth.example.com {
	reverse_proxy https://auth.home.arpa {
		trusted_proxies 172.16.0.5
		header_up Host {upstream_hostport}
		# Authelia uses Host for the redirect URL instead of X-Forwarded-Host for some reason
		# header_up Host {http.request.header.X-Forwarded-Host}
		# We don't want to change some of the X-Forwarded-* headers, or use trusted_proxies instead
		# header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
		# header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
		transport http {
			tls
			tls_trusted_ca_certs /config/root_ca.crt
		}
	}
}

grafana.example.com {
	forward_auth https://auth.home.arpa {
		header_up Host auth.example.com
		# header_up Host {upstream_hostport} # only required for an HTTPS upstream
		transport http {
			tls
			tls_trusted_ca_certs /config/root_ca.crt
		}
		uri /api/verify?rd=https://auth.example.com
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
	reverse_proxy grafana.home.arpa:3000
}
```
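As an added illustration (not code from this post, from Caddy or from Authelia), the following Python model shows the kind of check behind an error like the one above: it rebuilds the target URL from the headers a forward-auth proxy sends (the X-Forwarded-Proto/Host/Uri convention that Caddy's forward_auth uses) and then tests whether that URL is under the protected domain. The header precedence, the fallback to the Host header, and the label-aware suffix check are simplifying assumptions of this model, not Authelia's implementation; all header sets are constructed for the example.

```python
"""Simplified model of a forward-auth "target URL under protected domain" check.

Constructed example: not Authelia's or Caddy's code. It demonstrates how the
host a proxy presents (Host vs. X-Forwarded-Host) changes the URL the auth
backend believes the client asked for, and therefore whether the request is
accepted as belonging to the protected domain.
"""
from urllib.parse import urlsplit


def rebuild_target_url(headers: dict) -> str:
    """Derive the client's original URL from proxy-supplied headers.

    Precedence (an assumption of this model): an explicit X-Original-URL wins;
    otherwise X-Forwarded-Proto + X-Forwarded-Host + X-Forwarded-Uri is used,
    and when X-Forwarded-Host is absent the plain Host header is the fallback.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "x-original-url" in h:
        return h["x-original-url"]
    scheme = h.get("x-forwarded-proto", "https")
    host = h.get("x-forwarded-host") or h.get("host", "")
    uri = h.get("x-forwarded-uri", "/")
    return f"{scheme}://{host}{uri}"


def is_under_protected_domain(target_url: str, domain: str) -> bool:
    """True when the target host is the protected domain or a subdomain of it.

    The comparison is label-aware: 'notexample.com' must not match
    'example.com', which a bare string-suffix test would wrongly accept.
    """
    host = (urlsplit(target_url).hostname or "").lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def verify(headers: dict, domain: str = "example.com") -> tuple[str, bool]:
    """Return the rebuilt target URL and whether it passes the domain check."""
    target = rebuild_target_url(headers)
    return target, is_under_protected_domain(target, domain)


# Constructed header sets, as a forward-auth proxy might send them.
HOST_ONLY = {  # Host rewritten to the internal name, no X-Forwarded-Host
    "Host": "auth.home.arpa",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Uri": "/favicon.ico",
}
WITH_FORWARDED_HOST = {  # the public host is carried separately
    "Host": "auth.home.arpa",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "grafana.example.com",
    "X-Forwarded-Uri": "/favicon.ico",
}
LOOKALIKE = {  # must be rejected: not a subdomain of example.com
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "notexample.com",
    "X-Forwarded-Uri": "/",
}

if __name__ == "__main__":
    for label, hdrs in (("host only", HOST_ONLY),
                        ("with X-Forwarded-Host", WITH_FORWARDED_HOST),
                        ("lookalike", LOOKALIKE)):
        target, ok = verify(hdrs)
        print(f"{label:22} -> {target} ({'accepted' if ok else 'rejected'})")
```

Run it as a script to see the three outcomes; the first header set reproduces the shape of the error in the log (an internal hostname in the target URL), the second is accepted, and the third shows why the suffix comparison must respect label boundaries.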