Authelia redirects to itself / forward_auth

1. Output of caddy version:

v2.5.2 (docker image caddy:latest)

2. How I run Caddy:

a. System environment:

b. Command:

the standard cmd from the caddy:latest image
invoked by docker with:

sudo docker-compose up

c. Service/unit/compose file:

docker-compose.yml:

version: "3.9"
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    restart: unless-stopped
    healthcheck:
      disable: true
    environment:
      - TZ=Europe/Berlin
        #    networks:
        #      - auth
        #      - session
  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - ./redis:/data
        #    networks:
        #      - session
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
  proxy:
    image: caddy:latest
    container_name: proxy
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/site:/srv
        #    networks:
        #      #- auth
        #      - serve
    ports:
      - 80:80
      - 443:443

d. My complete Caddy config:

{
    debug
}

*.localhost, localhost {
    tls internal

    @authelia host auth.localhost
    @website host website.localhost

    handle @authelia {
        reverse_proxy authelia:9091
    }

    handle @website {
        forward_auth authelia:9091 {
            uri /api/verify?rd=https://auth.localhost
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }
        respond "Application: website. User: {header.Remote-User}. Groups: {header.Remote-Groups}. Body: {http.request.body}."
    }
}

3. The problem I’m having:

Hi,

I am trying to use Caddy and Authelia to secure a not (yet) existing website.
When I go to the to-be-secured subdomain, I get redirected to Authelia.
After a successful login, Authelia redirects to the aforementioned website,
but it gets redirected back to Authelia as it is not authorized to
access that page.

I am a bit stumped on how to go about this.
If you like, I will provide the docker logs,
or I can create a repo on GitHub for this little “PoC”.

It’s a little late, so I won’t go into more detail today,
but if need be, I am willing to read and learn and dive into the Caddy code.

Please give me your wisdom,
Best, Birger Möllering

4. Error messages and/or full log output:


5. What I already tried:

6. Links to relevant resources:

You should set up your config like this instead – there’s no benefit in your case to set it up with a wildcard:

auth.localhost {
	reverse_proxy authelia:9091
}

website.localhost {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.localhost
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
	respond "Application: website. User: {header.Remote-User}. Groups: {header.Remote-Groups}. Body: {http.request.body}."
}

That said, it’s unclear what’s going wrong without evidence of the requests from your logs or example curl -v requests which show what happens.


Hi francislavoie,

I changed the Caddyfile to use wildcard certificates because I thought it might be cross-origin domain problems or something.
I changed it back to the code you provided!

Below is the authentication with Authelia copied to curl:
curl command:

curl 'https://auth.localhost/api/firstfactor' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0' -H 'Accept: application/json, text/plain, */*' -H 'Accept-Language: de,en-US;q=0.7,en;q=0.3' -H 'Accept-Encoding: gzip, deflate, br' -H 'Referer: https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET' -H 'Content-Type: application/json' -H 'Origin: https://auth.localhost' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' --data-raw '{"username":"authelia","password":"authelia","keepMeLoggedIn":false,"targetURL":"https://website.localhost/","requestMethod":"GET"}' -vk

output:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying ::1:443...
* Connected to auth.localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Sep 22 10:04:01 2022 GMT
*  expire date: Sep 22 22:04:01 2022 GMT
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5594514d4e80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /api/firstfactor HTTP/2
> Host: auth.localhost
> user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
> accept: application/json, text/plain, */*
> accept-language: de,en-US;q=0.7,en;q=0.3
> accept-encoding: gzip, deflate, br
> referer: https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET
> content-type: application/json
> origin: https://auth.localhost
> connection: keep-alive
> sec-fetch-dest: empty
> sec-fetch-mode: cors
> sec-fetch-site: same-origin
> content-length: 131
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< cache-control: no-store
< content-security-policy: default-src 'none';
< content-type: application/json; charset=utf-8
< date: Thu, 22 Sep 2022 10:23:28 GMT
< permissions-policy: interest-cohort=()
< pragma: no-cache
< referrer-policy: strict-origin-when-cross-origin
< server: Caddy
< set-cookie: authelia_session=jik77eww!bRova3wqYkBWP8hJNF*E$-j; expires=Thu, 22 Sep 2022 11:23:27 GMT; domain=localhost; path=/; HttpOnly; secure; SameSite=Lax
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< content-length: 64
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host auth.localhost left intact
{"status":"OK","data":{"redirect":"https://website.localhost/"}}

These logs show one roundtrip:
website.localhost → auth.localhost → login …

docker logs cmd:

sudo docker-compose logs|grep -v redis|sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" > logs

logs:

authelia    | time="2022-09-22T13:05:15+02:00" level=info msg="Authelia v4.36.8 is starting"
authelia    | time="2022-09-22T13:05:15+02:00" level=info msg="Log severity set to debug"
authelia    | time="2022-09-22T13:05:15+02:00" level=info msg="Storage schema is being checked for updates"
authelia    | time="2022-09-22T13:05:15+02:00" level=info msg="Storage schema is already up to date"
authelia    | time="2022-09-22T13:05:15+02:00" level=debug msg="The NTP startup check was skipped due to there being no configured 2FA access control rules"
authelia    | time="2022-09-22T13:05:15+02:00" level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"
authelia    | time="2022-09-22T13:05:29+02:00" level=debug msg="Check authorization of subject username= groups= ip=172.25.0.1 and object https://website.localhost/ (method GET)."
authelia    | time="2022-09-22T13:05:29+02:00" level=info msg="Access to https://website.localhost/ (method GET) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://auth.localhost?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET" method=GET path=/api/verify remote_ip=172.25.0.1
authelia    | time="2022-09-22T13:05:32+02:00" level=debug msg="Mark 1FA authentication attempt made by user 'authelia'" method=POST path=/api/firstfactor remote_ip=172.25.0.1
authelia    | time="2022-09-22T13:05:32+02:00" level=debug msg="Successful 1FA authentication attempt made by user 'authelia'" method=POST path=/api/firstfactor remote_ip=172.25.0.1
authelia    | time="2022-09-22T13:05:33+02:00" level=debug msg="Check authorization of subject username=authelia groups=admins,dev ip=172.25.0.1 and object https://website.localhost/ (method GET)."
authelia    | time="2022-09-22T13:05:33+02:00" level=debug msg="Required level for the URL https://website.localhost/ is 1" method=POST path=/api/firstfactor remote_ip=172.25.0.1
authelia    | time="2022-09-22T13:05:33+02:00" level=debug msg="Redirection URL https://website.localhost/ is safe" method=POST path=/api/firstfactor remote_ip=172.25.0.1
authelia    | time="2022-09-22T13:05:34+02:00" level=debug msg="Check authorization of subject username= groups= ip=172.25.0.1 and object https://website.localhost/ (method GET)."
authelia    | time="2022-09-22T13:05:34+02:00" level=info msg="Access to https://website.localhost/ (method GET) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://auth.localhost?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET" method=GET path=/api/verify remote_ip=172.25.0.1
proxy       | {"level":"info","ts":1663844715.7061408,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
proxy       | {"level":"warn","ts":1663844715.7069356,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
proxy       | {"level":"info","ts":1663844715.7076247,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
proxy       | {"level":"info","ts":1663844715.7077763,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
proxy       | {"level":"info","ts":1663844715.7077904,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
proxy       | {"level":"info","ts":1663844715.7078538,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001ec070"}
proxy       | {"level":"info","ts":1663844715.7093775,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
proxy       | {"level":"info","ts":1663844715.7100809,"logger":"tls","msg":"finished cleaning storage units"}
proxy       | {"level":"warn","ts":1663844715.7207587,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
proxy       | {"level":"info","ts":1663844715.7210422,"msg":"define JAVA_HOME environment variable to use the Java trust"}
proxy       | {"level":"info","ts":1663844715.7210543,"msg":"Warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
proxy       | {"level":"info","ts":1663844715.752084,"msg":"certificate installed properly in linux trusts"}
proxy       | {"level":"debug","ts":1663844715.7522502,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
proxy       | {"level":"debug","ts":1663844715.7523139,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
proxy       | {"level":"info","ts":1663844715.7523217,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["auth.localhost","website.localhost"]}
proxy       | {"level":"warn","ts":1663844715.7528799,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [auth.localhost]: no OCSP server specified in certificate","identifiers":["auth.localhost"]}
proxy       | {"level":"debug","ts":1663844715.752891,"logger":"tls.cache","msg":"added certificate to cache","subjects":["auth.localhost"],"expiration":1663884241,"managed":true,"issuer_key":"local","hash":"9b5476303e6c92d602a2e3cf13edfd03e662e6d8b3357d4af94772754d00d2f8","cache_size":1,"cache_capacity":10000}
proxy       | {"level":"warn","ts":1663844715.753115,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [website.localhost]: no OCSP server specified in certificate","identifiers":["website.localhost"]}
proxy       | {"level":"debug","ts":1663844715.753124,"logger":"tls.cache","msg":"added certificate to cache","subjects":["website.localhost"],"expiration":1663884241,"managed":true,"issuer_key":"local","hash":"cc270bf318e50153e1070f36364b9b33aaa5ca816ba3eb1246b49bc44983aac0","cache_size":2,"cache_capacity":10000}
proxy       | {"level":"info","ts":1663844715.7532136,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
proxy       | {"level":"info","ts":1663844715.7532275,"msg":"serving initial configuration"}
proxy       | {"level":"debug","ts":1663844729.5278096,"logger":"tls.handshake","msg":"choosing certificate","identifier":"website.localhost","num_choices":1}
proxy       | {"level":"debug","ts":1663844729.527828,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"website.localhost","subjects":["website.localhost"],"managed":true,"issuer_key":"local","hash":"cc270bf318e50153e1070f36364b9b33aaa5ca816ba3eb1246b49bc44983aac0"}
proxy       | {"level":"debug","ts":1663844729.527833,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["website.localhost"],"managed":true,"expiration":1663884241,"hash":"cc270bf318e50153e1070f36364b9b33aaa5ca816ba3eb1246b49bc44983aac0"}
proxy       | {"level":"debug","ts":1663844729.533488,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.5360177,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.00245598,"request":{"remote_ip":"172.25.0.1","remote_port":"56170","proto":"HTTP/2.0","method":"GET","host":"website.localhost","uri":"/api/verify?rd=https://auth.localhost","headers":{"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Method":["GET"],"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"X-Forwarded-Uri":["/"],"Upgrade-Insecure-Requests":["1"],"X-Forwarded-Host":["website.localhost"],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["172.25.0.1"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"website.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:29 GMT"],"Content-Length":["96"],"X-Xss-Protection":["1; mode=block"],"Location":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Set-Cookie":[],"Content-Type":["text/html; charset=utf-8"],"X-Content-Type-Options":["nosniff"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"]},"status":302}
proxy       | {"level":"debug","ts":1663844729.5433886,"logger":"tls.handshake","msg":"choosing certificate","identifier":"auth.localhost","num_choices":1}
proxy       | {"level":"debug","ts":1663844729.5434098,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"auth.localhost","subjects":["auth.localhost"],"managed":true,"issuer_key":"local","hash":"9b5476303e6c92d602a2e3cf13edfd03e662e6d8b3357d4af94772754d00d2f8"}
proxy       | {"level":"debug","ts":1663844729.5434158,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["auth.localhost"],"managed":true,"expiration":1663884241,"hash":"9b5476303e6c92d602a2e3cf13edfd03e662e6d8b3357d4af94772754d00d2f8"}
proxy       | {"level":"debug","ts":1663844729.5495615,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.5506928,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.001065725,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Te":["trailers"],"X-Forwarded-Host":["auth.localhost"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Content-Security-Policy":["default-src 'self'; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-W7RlzcgWSn4ovJbMZtdVCsZC02zdctCH'; frame-ancestors 'none'; base-uri 'self'"],"Content-Length":["986"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block"],"Date":["Thu, 22 Sep 2022 11:05:29 GMT"]},"status":200}
proxy       | {"level":"debug","ts":1663844729.5999603,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.6004534,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000408666,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/static/js/index.535ae5b0.js","headers":{"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"X-Forwarded-For":["172.25.0.1"],"Te":["trailers"],"Sec-Fetch-Site":["same-origin"],"Accept":["*/*"],"Sec-Fetch-Dest":["script"],"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"If-None-Match":["edf95e63455c8cf1fec9f933977c32c8cf6a0f7d"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:29 GMT"],"Etag":["edf95e63455c8cf1fec9f933977c32c8cf6a0f7d"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844729.600615,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.6008675,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000203327,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/static/css/index.40feef90.css","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Accept-Encoding":["gzip, deflate, br"],"If-None-Match":["a3fdddaf0dd2a1fc35a9328a1d1e8c60fdd7c8b8"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Te":["trailers"],"X-Forwarded-For":["172.25.0.1"],"Sec-Fetch-Dest":["style"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Site":["same-origin"],"Accept":["text/css,*/*;q=0.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:29 GMT"],"Etag":["a3fdddaf0dd2a1fc35a9328a1d1e8c60fdd7c8b8"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844729.7353618,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.7356784,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000279915,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/locales/en/portal.json","headers":{"Sec-Fetch-Dest":["empty"],"Accept":["*/*"],"If-None-Match":["6a683aa1046d700c748f9f7327d12cf98b59145f"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Sec-Fetch-Mode":["cors"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:29 GMT"],"Etag":["6a683aa1046d700c748f9f7327d12cf98b59145f"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844729.7828736,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.7833078,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000348247,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/locales/de/portal.json","headers":{"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"Te":["trailers"],"Sec-Fetch-Dest":["empty"],"If-None-Match":["ec120e4bf1e55bd7d2cb7257ceebd55d0224a2d0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept-Encoding":["gzip, deflate, br"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"X-Forwarded-Host":["auth.localhost"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Etag":["ec120e4bf1e55bd7d2cb7257ceebd55d0224a2d0"],"Cache-Control":["public, max-age=0, must-revalidate"],"Date":["Thu, 22 Sep 2022 11:05:29 GMT"]},"status":304}
proxy       | {"level":"debug","ts":1663844729.8238416,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844729.8245692,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000451956,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/api/state","headers":{"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Sec-Fetch-Mode":["cors"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept":["application/json, text/plain, */*"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-For":["172.25.0.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Content-Type":["application/json; charset=utf-8"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"Pragma":["no-cache"],"Date":["Thu, 22 Sep 2022 11:05:29 GMT"],"Content-Length":["92"],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block"],"Cache-Control":["no-store"],"Content-Security-Policy":["default-src 'none';"]},"status":200}
proxy       | {"level":"debug","ts":1663844732.9763188,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.0276163,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":1.05120907,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"POST","host":"auth.localhost","uri":"/api/firstfactor","headers":{"Content-Length":["131"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Host":["auth.localhost"],"X-Forwarded-For":["172.25.0.1"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate, br"],"Content-Type":["application/json"],"Origin":["https://auth.localhost"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Content-Type":["application/json; charset=utf-8"],"Content-Length":["64"],"X-Content-Type-Options":["nosniff"],"Set-Cookie":[],"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Pragma":["no-cache"],"Cache-Control":["no-store"],"Content-Security-Policy":["default-src 'none';"]},"status":200}
proxy       | {"level":"debug","ts":1663844734.067691,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.0691383,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.001397931,"request":{"remote_ip":"172.25.0.1","remote_port":"56170","proto":"HTTP/2.0","method":"GET","host":"website.localhost","uri":"/api/verify?rd=https://auth.localhost","headers":{"X-Forwarded-Host":["website.localhost"],"Te":["trailers"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["172.25.0.1"],"Sec-Fetch-User":["?1"],"X-Forwarded-Method":["GET"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"X-Forwarded-Uri":["/"],"Referer":["https://auth.localhost/"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Proto":["https"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"website.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"X-Content-Type-Options":["nosniff"],"Location":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["96"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"]},"status":302}
proxy       | {"level":"debug","ts":1663844734.074249,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.0746028,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000318459,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET","headers":{"Sec-Fetch-Site":["cross-site"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Referer":["https://auth.localhost/"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Host":["auth.localhost"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"X-Content-Type-Options":["nosniff"],"Permissions-Policy":["interest-cohort=()"],"Content-Length":["986"],"Content-Security-Policy":["default-src 'self'; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-2glf8yrYfeAKq9sbsD3EuFUSHgWEq79U'; frame-ancestors 'none'; base-uri 'self'"],"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Content-Type":["text/html; charset=utf-8"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"]},"status":200}
proxy       | {"level":"debug","ts":1663844734.1358938,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.1359959,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.1361737,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000241823,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/static/js/index.535ae5b0.js","headers":{"Accept-Encoding":["gzip, deflate, br"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Te":["trailers"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Accept":["*/*"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Sec-Fetch-Dest":["script"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-For":["172.25.0.1"],"If-None-Match":["edf95e63455c8cf1fec9f933977c32c8cf6a0f7d"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Etag":["edf95e63455c8cf1fec9f933977c32c8cf6a0f7d"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844734.1363778,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000319926,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/static/css/index.40feef90.css","headers":{"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"If-None-Match":["a3fdddaf0dd2a1fc35a9328a1d1e8c60fdd7c8b8"],"Sec-Fetch-Dest":["style"],"Sec-Fetch-Mode":["no-cors"],"Accept":["text/css,*/*;q=0.1"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Etag":["a3fdddaf0dd2a1fc35a9328a1d1e8c60fdd7c8b8"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844734.2880182,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.28802,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.2884989,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000419392,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/locales/de/portal.json","headers":{"Sec-Fetch-Mode":["cors"],"If-None-Match":["ec120e4bf1e55bd7d2cb7257ceebd55d0224a2d0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Accept-Encoding":["gzip, deflate, br"],"Te":["trailers"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Accept":["*/*"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Etag":["ec120e4bf1e55bd7d2cb7257ceebd55d0224a2d0"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844734.2885628,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000409315,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/locales/en/portal.json","headers":{"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"Te":["trailers"],"If-None-Match":["6a683aa1046d700c748f9f7327d12cf98b59145f"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept":["*/*"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-Host":["auth.localhost"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"Etag":["6a683aa1046d700c748f9f7327d12cf98b59145f"],"Cache-Control":["public, max-age=0, must-revalidate"]},"status":304}
proxy       | {"level":"debug","ts":1663844734.3254857,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
proxy       | {"level":"debug","ts":1663844734.325898,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000386532,"request":{"remote_ip":"172.25.0.1","remote_port":"56178","proto":"HTTP/2.0","method":"GET","host":"auth.localhost","uri":"/api/state","headers":{"Sec-Fetch-Dest":["empty"],"X-Forwarded-For":["172.25.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.localhost"],"Sec-Fetch-Mode":["cors"],"Accept":["application/json, text/plain, */*"],"Referer":["https://auth.localhost/?rd=https%3A%2F%2Fwebsite.localhost%2F&rm=GET"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.localhost"}},"headers":{"Referrer-Policy":["strict-origin-when-cross-origin"],"Pragma":["no-cache"],"Cache-Control":["no-store"],"Content-Security-Policy":["default-src 'none';"],"Date":["Thu, 22 Sep 2022 11:05:33 GMT"],"X-Content-Type-Options":["nosniff"],"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["92"]},"status":200}

Somehow the information about who I am gets lost, it seems.
Is it because of the localhost shenanigans?

Gonna loop in @james_d_elliott here.

I think this has to do with cross-domain cookies. Weirdly though, I never see a value in Set-Cookie in that last set of logs. Looks okay with curl though.

That's the reason I tried to use a wildcard certificate …
I thought it might have something to do with “localhost”,
because localhost is something different for my browser
than for the docker container…

I am done for today, but if you have no better idea,
my next attempt would be to record the traffic on
the network bridge somehow.

I looked at the traffic on the network bridge and
found out that authelia sends Set-Cookie instructions repeatedly,
but caddy never sends a cookie back to authelia.

I know that I had cookies from auth.localhost in the browser;
the only idea I have as to why would be the wildcard certificate …
as after deleting the cookie, no new ones are set in the browser.
I am pretty sure that Caddy scraps them.

Edit:
I had no cookies before, but now Firefox has an entry for cookies from auth.localhost
with 0 cookies, which is weird…
When not using a wildcard certificate, the browser does not create empty cookie entries!

I think I will build my own Caddy image and
try to find out what's going on.

Edit2:
When the Caddy PKI creates certificates,
those certificates are for the domain in the Caddyfile
with the IP that the DNS will return for that domain, I suspect.
(Or is there no IP inside the certificate?)
When using localhost, the IP inside the certificate should
therefore mismatch.
When I have time later, I will try to supply a self-signed certificate
without that mismatch.

I just looked at the certificates that are installed by Caddy automatically,
and they are bound to domains, not IPs.

It seems this has nothing to do with certificates.

The next step will be to look inside the Caddy source to see what is happening.

Could you share your Authelia config too, please? :innocent:

Hi @IndeedNotJames,

I believe I used authelia/config.template.yml at master · authelia/authelia · GitHub as a template.

Because the file is too big and I hit the character limit, I cleaned it of almost all comments.
(And I didn't test it afterwards, but I only removed lines with a leading comment and empty lines.)
Btw. I removed redis a while ago and am only using the most basic configuration options
to remove room for error and for network hygiene.

My smaller configuration.yml:

theme: light

jwt_secret: a_very_important_secret

default_redirection_url: https://website.localhost/

default_2fa_method: ""

server:
  host: 0.0.0.0
  port: 9091
  path: ""
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""

log:
  level: debug

telemetry:
  metrics:
    enabled: false
    address: tcp://0.0.0.0:9959

totp:
  disable: true
  issuer: authelia.com
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: true
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred

duo_api:
  disable: true
  hostname: api-123456789.example.com
  integration_key: ABCDEF
  secret_key: 1234567890abcdefghifjkl
  enable_self_enrollment: false

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: true
    custom_url: ""
  refresh_interval: 5m
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

access_control:
  default_policy: deny
  rules:
    - domain: 'website.localhost'
      subject:
      - 'user:authelia'
      - 'group:admins'
      policy: one_factor

session:
  name: authelia_session
  domain: localhost
  same_site: lax
  secret: insecure_session_secret
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt
...

I found the problem, and I should have read the curl response better:
it clearly tries to set a cookie, just as @francislavoie says!

The Firefox JavaScript console told me what the problem is!
The authelia_session cookie was rejected due to an invalid domain (localhost).

Valid domains need TWO dots in them!

For a cookie for localhost to stick, the domain=localhost part needs to be omitted entirely,
which is not a desirable solution.

So this is neither a Caddy nor an Authelia problem xD

Edit:
By far the easiest solution is to regard “localhost” as the top-level domain,
like .com or .net or .org … and invent another domain, which I just called “domain” here.

So “website.localhost” becomes “website.domain.localhost”
and “auth.localhost” becomes “auth.domain.localhost”.

Btw. I found this solution myself, by trying it on a hunch, and was
actually surprised that it worked, as there are only far more complex
solutions on the www!

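As an added illustration of the cookie problem found above (example code written for this thread, not code from the thread, Caddy or Authelia): the script below takes a Set-Cookie header as the SSO portal would send it and checks whether a browser will keep the cookie for the host that received it, and whether it will later be sent along to the protected site. The Set-Cookie samples are constructed, and the acceptance rule is a simplified model of the browser behaviour reported in this thread (assumption): a cookie is kept when it has no Domain attribute (host-only), or when the Domain attribute domain-matches the request host per RFC 6265 section 5.1.3 and is not a single label such as "localhost", which browsers treat like a top-level domain.

```python
"""Pre-flight check for session cookie Domain attributes behind a forward-auth proxy.

Example code for this thread; not from Caddy or Authelia. The acceptance rule in
cookie_accepted() is a simplified model (assumption) of the browser behaviour
reported above, not a full implementation of any browser's cookie policy.
"""
from typing import Dict, Tuple

# Constructed sample: what the portal sends with `session.domain: localhost`.
SET_COOKIE_BROKEN = (
    "authelia_session=abc123; Path=/; Domain=localhost; "
    "HttpOnly; Secure; SameSite=Lax"
)
# Constructed sample: the same header after moving to `domain.localhost`.
SET_COOKIE_FIXED = (
    "authelia_session=abc123; Path=/; Domain=domain.localhost; "
    "HttpOnly; Secure; SameSite=Lax"
)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) get "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names (no IP handling)."""
    request_host = request_host.lower()
    domain = domain.lower()
    return request_host == domain or request_host.endswith("." + domain)


def cookie_accepted(request_host: str, set_cookie: str) -> Tuple[bool, str]:
    """Decide whether the browser keeps the cookie for request_host.

    Returns (accepted, reason). Simplified model, see module docstring.
    """
    _, _, attrs = parse_set_cookie(set_cookie)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return True, f"host-only cookie for {request_host.lower()}"
    if not domain_matches(request_host, domain):
        return False, f"Domain={domain} does not domain-match {request_host}"
    if "." not in domain:
        # A single label behaves like a TLD; browsers refuse cookies scoped to it.
        return False, f"Domain={domain} is a single label (treated like a TLD)"
    return True, f"domain cookie for {domain} and its subdomains"


def sent_to(target_host: str, request_host: str, set_cookie: str) -> bool:
    """Would a cookie accepted at request_host be sent to target_host?

    This is what the forward-auth flow needs: the session cookie set by the
    portal must reach the protected site, which then gets verified by the proxy.
    """
    accepted, _ = cookie_accepted(request_host, set_cookie)
    if not accepted:
        return False
    _, _, attrs = parse_set_cookie(set_cookie)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        # Host-only cookies never leave the host that set them.
        return target_host.lower() == request_host.lower()
    return domain_matches(target_host, domain)


if __name__ == "__main__":
    for portal, site, header in (
        ("auth.localhost", "website.localhost", SET_COOKIE_BROKEN),
        ("auth.domain.localhost", "website.domain.localhost", SET_COOKIE_FIXED),
    ):
        ok, why = cookie_accepted(portal, header)
        print(f"{portal}: accepted={ok} ({why}); "
              f"sent to {site}={sent_to(site, portal, header)}")
```

Running it shows the two states from the thread: with `Domain=localhost` the cookie is dropped at auth.localhost, so nothing ever reaches website.localhost; omitting Domain makes the cookie stick but host-only, so it still never reaches the protected site; with `Domain=domain.localhost` it is both kept and sent to website.domain.localhost.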

You could use a DuckDNS domain or something, and have it resolve to 127.0.0.1. That would work just fine too (just remember to set tls internal in your Caddyfile to make it use Caddy’s internal CA for signing certs).

I had success with a far easier solution which requires nothing external to the project !!

I just used localhost as the top-level domain.
This required a domain name, which for ease of use I just named “domain”.
So I just had to edit the Caddyfile and the Authelia configuration.yml and replace:

website.localhost → website.domain.localhost
auth.localhost → auth.domain.localhost

And it works like a charm !

A bummer you can’t have 2 solutions :slight_smile:
I will just edit the other solution
