I’ve been using Caddy for about 6 months now, and I couldn’t be happier. I started out just wanting some basic reverse proxy capabilities with HTTPS, but it’s helped me to learn so much more. This weekend I’ve spent way too much time learning about @greenpau’s fantastic caddy_auth_portal. There was quite a learning curve for me, but at this point I have all of the basics working with Google OAuth2.
I have a few final questions I’m hoping someone can assist me with.
- The portal is working great for home.ccpk.us, but I would like to also be able to secure another host, ha.ccpk.us. I can get it to work fine as home.ccpk.us/ha, but I’d prefer to do this by host rather than by virtual directory. Is this possible?
- This may be related, but in addition to securing the reverse proxy for ha.ccpk.us from the outside, would it also be possible to pass my authenticated user information to authenticate me into that system?
- Not critical, but I was not able to get MFA working for the local backend auth. Setting it up with the Microsoft Authenticator app, I was able to get it configured and it tested successfully. The problem is that after setting up MFA, the portal still allows me to log in with just username and password. (This is why I’ve disabled it in the config for now.)
- Also not critical, but I was curious if it was possible to run with just the public_key trusted_tokens. I tried a few different ways of excluding the static_secret, but it always threw errors.
- Any other recommendations for my configuration?
Thank you!
Caddy v2 running in Docker on Ubuntu AMD64. Below is my Caddyfile.
```
{
    debug
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email xxxx@gmail.com
    #local_certs
}

home.ccpk.us {
    route /auth* {
        auth_portal {
            path /auth
            jwt {
                token_name access_token
                token_secret xxxx
            }
            backends {
                google_oauth2_backend {
                    method oauth2
                    realm google
                    provider google
                    client_id xxxx
                    client_secret xxxx
                    scopes openid email profile
                    #user xxx@gmail.com add role admin
                }
                #local_backend {
                #    method local
                #    path /data/gatekeeper/auth/local/users.json
                #    realm local
                #}
            }
            ui {
                theme basic
                links {
                    "Home Assistant" /ha/
                    "Blue Iris" /bi/
                    "My Identity" /auth/whoami/
                    "Settings" /auth/settings/
                }
            }
        }
    }
    route /sso/oauth2/google* {
        jwt {
            auth_url /auth/oauth2/google
        }
        respond * "google oauth2 sso" 200
    }
    route /* {
        jwt {
            auth_url /auth?redirect_url=/auth/portal
            allow roles guest
        }
        respond * "home.ccpk.us" 200
    }
    route /myapp/* {
        jwt {
            primary yes
            trusted_tokens {
                static_secret {
                    token_name access_token
                    token_secret xxxx
                }
                public_key {
                    token_name access_token
                    token_rsa_file xxxx /data/gatekeeper/auth/jwt/verify_key.pem
                    token_sign_method RS256
                }
            }
            #auth_url /auth
            allow roles admin
        }
        respond * "myapp" 200
    }
    route /bi/* {
        jwt {
            #auth_url /auth?redirect_url=/bi/
            allow roles guest
        }
        #respond "Blue Iris!!"
        reverse_proxy clswsrv.int.ccpk.us:81
    }
    route /ha/* {
        jwt {
            auth_url /auth?redirect_url=/ha/
            allow roles guest
            enable claim headers
        }
        uri strip_prefix /ha/
        #reverse_proxy home-assistant.int.ccpk.us:8123
        redir https://ha.ccpk.us{uri}
    }
}

# Firewall rules required - Keep in mind that there is splitDNS so it is being reported to the caddy-int proxy with the same name
ha.ccpk.us {
    route /* {
        #jwt {
        #    auth_url https://home.ccpk.us/auth
        #    disable auth_redirect_query
        #}
        reverse_proxy home-assistant.int.ccpk.us:8123
    }
}
```