Basic Auth across multiple subdomains

Hello, hope you’re all doing well.

I’m not sure how to format a Caddyfile for what I want, or if what I want is even possible currently.
I have a number of web apps running on a single server, on different ports.
I have Caddy set up as a transparent reverse proxy, giving each app a subdomain.

Ideally, I’d like to emulate Single Sign-On with basicauth - that is, once a user authenticates using basicauth at one subdomain, they won’t be prompted to reauthenticate at any other subdomain.

This can be done with Apache, as this StackOverflow answer details.

I was looking at basicauth Realms as a possible solution, but I’m not sure what the syntax for subdomains as realms would be, or if it would work.

Here’s a sample Caddyfile for what I have currently, without basicauth:

Caddyfile
www.vopeful.xyz, vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:8088 {
    }
}

app1.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:2222 {
        transparent
    }
}

app2.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:2435 {
        transparent
    }
}

app3.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:8765 {
        transparent
    }
}

app4.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:5643 {
        transparent
    }
}

app5.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:6665 {
        transparent
    }
}

app6.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:6666 {
        transparent
    }
}

app7.vopeful.xyz {
    tls hello@vopeful.com
    proxy / localhost:7777 {
        transparent
    }
}

Thank you in advance for any pointers you can provide!

As far as I know, and supported by the StackOverflow link you’ve provided, this is not possible with basic auth, not even for Apache.

The answers on StackOverflow actually suggest using http digest auth instead.

I don’t believe Caddy has this functionality yet, but here’s an open issue here and an open pull request here you can look into.


loginsrv (a Caddy plugin) can do single sign-on for multiple subdomains.

Unsure it fits all your specs as I don’t use proxies with it.

See: GitHub - tarent/loginsrv: JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..


The relevant Caddy plugin is http.login - combine with http.jwt.

Also see further documentation.

Might work pretty well, actually. Don’t see why it wouldn’t play nice with a proxy.

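The approach recommended above works because a JWT in a cookie scoped to the parent domain is sent to every subdomain, whereas browsers cache Basic Auth credentials per host. As an added illustration (not code from the thread, from loginsrv, or from http.jwt), this constructed Python sketch shows the two halves of that scheme: a login service minting an HS256 token, and the check each subdomain performs before proxying, plus the cookie domain-matching rule that lets one cookie for vopeful.xyz reach app1 through app7. The secret, usernames and timestamps are made up.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real deployment needs a long random value shared by all hosts.
SECRET = b"demo-secret-not-for-production"
COOKIE_DOMAIN = "vopeful.xyz"  # parent domain from the thread; cookie reaches every subdomain


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Login service side: after a successful password check, mint an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Subdomain side: accept only a correctly signed, unexpired HS256 token; else reject."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":  # refuse alg=none and friends
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):  # constant-time signature check
            return None
        claims = json.loads(_unb64url(payload))
        if claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError):
        return None


def cookie_sent_to(host: str, cookie_domain: str = COOKIE_DOMAIN) -> bool:
    """Browser domain matching: a cookie with Domain=vopeful.xyz is sent to *.vopeful.xyz only."""
    return host == cookie_domain or host.endswith("." + cookie_domain)
```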

Correct, sorry for the poor phrasing on my part. Thanks for the links, I will give these a look when I have some free time.

This looks extremely promising, thank you both! Will hopefully have more time to experiment throughout the week, but I’ll make sure to report back with a working config if I’m successful.

