Caddy 2.9.1 + Authelia 4.38.19 - 401 Unauthorized (Except Auth)

1. The problem I’m having:

I’m encountering a 401 Unauthorized error for all my domains except auth.laniecarmelo.tech. I’m using Caddy as a reverse proxy in front of several services (AdGuard Home, LinkAce, Forgejo, MiniFlux, TheLounge, Homepage, Beszel, Glances, Uptime Kuma, Tandoor Recipes, BookStack, Watchtower, and Portainer) and Authelia for authentication. All services should require authentication via Authelia. However, after setting up Authelia integration, all services are now returning 401 Unauthorized errors, while the Authelia auth domain itself works correctly. I expect all domains to be protected by Authelia and only allow access to authenticated users.

Authelia logs indicate errors related to insecure schemes ('') instead of https or wss.

2. Error messages and/or full log output:

Journald Output for Authelia:

```
$ sudo journalctl -u authelia --no-pager
Feb 24 21:01:47 stormux authelia[2932]: time="2025-02-24T21:01:47-06:00" level=error msg="Target URL '/' has an insecure scheme '', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely" method=GET path=/api/verify remote_ip=133.242.174.119
Feb 24 21:04:27 stormux authelia[2932]: time="2025-02-24T21:04:27-06:00" level=error msg="Target URL '/' has an insecure scheme '', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely" method=GET path=/api/verify remote_ip=69.58.156.77
Feb 24 21:04:27 stormux authelia[2932]: time="2025-02-24T21:04:27-06:00" level=error msg="Target URL '/api/v1/instance' has an insecure scheme '', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely" method=GET path=/api/verify remote_ip=69.58.156.77
Feb 24 21:04:28 stormux authelia[2932]: time="2025-02-24T21:04:28-06:00" level=error msg="Target URL '/favicon.ico' has an insecure scheme '', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely" method=GET path=/api/verify remote_ip=69.58.156.77
```

Journald Output for Caddy:

```
$ sudo journalctl -u caddy --no-pager
Feb 24 21:19:41 stormux caddy[48845]: {"level":"info","ts":1740453581.2056363,"logger":"http.log.access.log2","msg":"handled request","request":{"remote_ip":"69.58.156.77","remote_port":"56293","client_ip":"69.58.156.77","proto":"HTTP/2.0","method":"GET","host":"adguard.laniecarmelo.tech","uri":"/control/status","headers":{"Accept":["*/*"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Storage-Access":["active"],"Priority":["u=1, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"],"Sec-Fetch-Dest":["empty"],"Mode":["cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Content-Type":["application/json"],"Cookie":["REDACTED"],"Sec-Fetch-Site":["none"],"Accept-Language":["en-US,en;q=0.9"],"Authorization":["REDACTED"],"Dnt":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"adguard.laniecarmelo.tech"}},"bytes_read":0,"user_id":"","duration":0.001446233,"size":344,"status":200}
```

3. Caddy version:

```
$ caddy version
v2.9.1 h1:Lo3rT+gSImQvvH0Jv646YwNSQSPz+DxlUgNyVQ=
```

4. How I installed and ran Caddy:

a. System environment:

  • OS: Stormux (Arch Linux ARM-based)
  • Kernel: Linux stormux 6.12.11-3-rpi-16k #1 SMP PREEMPT Fri Jan 31 17:57:05 MST 2025 aarch64 GNU/Linux
  • Architecture: ARM64
  • Systemd: Yes
  • Docker: Some services are Dockerized; Caddy and Authelia are not.

b. Command:

```
sudo systemctl start caddy
```

c. Service/unit file:

```ini
[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/
After=network.target

[Service]
User=caddy
Group=caddy
WorkingDirectory=/etc/caddy
ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile
Restart=on-failure
StartLimitInterval=600

[Install]
WantedBy=multi-user.target
```

d. My complete Caddy config:

```caddyfile
{
	email laniecarmelo@gmail.com
	debug
	acme_dns cloudflare sK7FP4C2FEIgK4Mh-aSH2ThU6rpO0nwYLv2NQq8Y
	http_port 80
	https_port 443
}

(logconfig) {
	log {
		output stdout
		format json
	}
}

(proxy_config) {
	header_up Host {http.request.host}
	header_up X-Real-IP {http.request.remote}
	header_up X-Forwarded-Proto {http.request.scheme}
}

(authelia_middleware) {
	forward_auth 127.0.0.1:9091 {
		uri /api/verify
		copy_headers Remote-User Remote-Email Remote-Groups Authorization
		header_up X-Original-URL {orig_uri}
	}
}

(security_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()"
	}
}

# Authentication Service

https://auth.laniecarmelo.tech {
	reverse_proxy 127.0.0.1:9091 {
		import proxy_config
		trusted_proxies 127.0.0.1 192.168.1.0/24 100.64.0.0/10
	}
	import logconfig
	import security_headers
}

# Example Service Configuration with Authelia Middleware Applied:

https://home.laniecarmelo.tech {
	import authelia_middleware
	reverse_proxy 127.0.0.1:3000 {
		import proxy_config
		trusted_proxies 127.0.0.1 192...
		(import other service configurations here)
}
```


Full Authelia Configuration:

```yaml
# ========================
# Server Settings (Authelia)
# ========================
host: 0...
(import full configuration here)
```

Got help on IRC. The trick was to move trusted_proxies out of the site blocks and into a global servers block, and to use uri /api/authz/forward-auth instead of uri /api/verify.

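The fix described above, written out as an added example Caddyfile (not the poster's own configuration): trusted_proxies moves into the global servers block and the forward_auth snippet targets Authelia's /api/authz/forward-auth endpoint. ACME/TLS options, logging, security headers and the other sites are omitted; the upstream addresses and networks are the ones from the post.

```caddyfile
{
	servers {
		# Global, not per reverse_proxy: X-Forwarded-* headers are honoured
		# only when the connecting peer is in one of these ranges (from the post).
		trusted_proxies static 127.0.0.1 192.168.1.0/24 100.64.0.0/10
	}
}

(authelia_middleware) {
	# Caddy's forward_auth already sends X-Forwarded-Method and X-Forwarded-Uri,
	# and reverse_proxy adds X-Forwarded-Proto / X-Forwarded-Host by default.
	# That is exactly what Authelia 4.38's forward-auth endpoint reads, so no
	# hand-built header is needed. The legacy /api/verify endpoint instead
	# rebuilt the target from X-Original-URL; {orig_uri} is only a path, which
	# is why Authelia logged "Target URL '/' has an insecure scheme ''".
	forward_auth 127.0.0.1:9091 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}
}

# Authelia portal: reachable without the middleware, otherwise nobody can log in.
https://auth.laniecarmelo.tech {
	reverse_proxy 127.0.0.1:9091
}

# A protected service (Homepage upstream from the post).
https://home.laniecarmelo.tech {
	import authelia_middleware
	reverse_proxy 127.0.0.1:3000
}
```

After reloading, an unauthenticated request to a protected site should be redirected to the Authelia portal instead of answered with a bare 401, and the "insecure scheme ''" lines should stop appearing in the Authelia journal.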
