Caddy authentication using oauth2-proxy with multiple upstreams

1. The problem I’m having:

Hi,
I am trying to have Caddy and a single instance of oauth2-proxy provide authentication for multiple upstreams.
What happens is that after a successful Entra ID login I get a 401 again and am sent back to the Azure sign-in page (a redirect loop between the upstream host and the auth host).

3. Caddy version:

2.10.2

4. How I installed and ran Caddy:

Using Docker. Here is the docker compose file (secrets and the tenant ID are redacted):

```
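services:
  caddy:
    # TODO pin a version tag; ":latest" makes the proxy's build non-reproducible.
    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
    container_name: caddy
    restart: unless-stopped
    environment:
      # Cloudflare DNS-01 token, read by the Caddyfile as {env.CLOUDFLARE_API_TOKEN}
      # so the credential never has to be written into the Caddyfile itself.
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
    volumes:
      - ${VOLUME_DIR:-./.volumes}/caddy/data:/data
      - ${VOLUME_DIR:-./.volumes}/caddy/config:/config
      - ${VOLUME_DIR:-./.volumes}/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /root/.public/:/srv/public:ro
    ports:
      # http
      - "80:80"
      # https
      - "443:443"
    networks:
      - "proxy"
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
    container_name: oauth2-proxy
    restart: unless-stopped
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180"
      # Quoted like the other booleans so the YAML parser hands oauth2-proxy a string
      # rather than a YAML bool. Needed because Caddy sits in front and sets the
      # X-Forwarded-* headers oauth2-proxy must trust.
      OAUTH2_PROXY_REVERSE_PROXY: "true"
      # "*" admits every account the issuer below authenticates. Restrict this to the
      # tenant's email domain(s) (or use allowed groups) unless that is intended.
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_COOKIE_NAME: "_oauth2_proxy"
      # Must be a random 16, 24 or 32-byte value (e.g. `openssl rand -base64 32`);
      # a short guessable string lets anyone forge session cookies. Inject it from
      # the environment / .env file instead of committing it.
      OAUTH2_PROXY_COOKIE_SECRET: "${OAUTH2_PROXY_COOKIE_SECRET}"
      # Shared across all *.proxy.domain.dev hosts so one login covers every upstream.
      OAUTH2_PROXY_COOKIE_DOMAIN: ".proxy.domain.dev"
      OAUTH2_PROXY_COOKIE_SECURE: "true"
      OAUTH2_PROXY_COOKIE_SAMESITE: "lax"
      # Only allow the post-login "rd" redirect to land on our own subdomains
      # (prevents the auth endpoint being used as an open redirector).
      OAUTH2_PROXY_WHITELIST_DOMAINS: ".proxy.domain.dev"
      # Exposes X-Auth-Request-* on the /oauth2/auth response; Caddy must copy them
      # to the upstream (copy_headers) for this to have any effect.
      OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_CLIENT_ID: "client-id"
      OAUTH2_PROXY_CLIENT_SECRET: "${OAUTH2_PROXY_CLIENT_SECRET}"
      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/<tenant-id>/v2.0"
      OAUTH2_PROXY_REDIRECT_URL: "https://auth.proxy.domain.dev/oauth2/callback"
      OAUTH2_PROXY_SCOPE: "openid email profile offline_access"
      # NOTE(review): Entra ID tokens are large; with the default cookie session
      # store the session is split across several _oauth2_proxy_N cookies, and if
      # one is dropped /oauth2/auth answers 401 right after login. If the loop
      # persists, check the cookies that reach the upstream host or switch to
      # OAUTH2_PROXY_SESSION_STORE_TYPE=redis — TODO confirm.
      OAUTH2_PROXY_UPSTREAMS: "file:///dev/null"
    # No host port mapping: Caddy reaches oauth2-proxy over the "proxy" network, and
    # publishing 4180 would expose the auth endpoints over plain HTTP, bypassing Caddy.
    expose:
      - "4180"
    networks:
      - "proxy"
networks:
  proxy: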

d. My complete Caddy config:

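{
	# DNS-01 challenge via Cloudflare for the wildcard certificate. The API token is
	# read from the container environment instead of being hard-coded here, so the
	# Caddyfile can be shared/committed without leaking it.
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}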

# Dedicated host for oauth2-proxy itself: the OIDC redirect URL
# (https://auth.proxy.domain.dev/oauth2/callback) and /oauth2/start land here.
# Everything on this host goes straight to oauth2-proxy; with
# OAUTH2_PROXY_UPSTREAMS=file:///dev/null it serves only its own /oauth2/* endpoints.
https://auth.proxy.domain.dev {
    reverse_proxy oauth2-proxy:4180
}

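# Every protected application lives on a subdomain of proxy.domain.dev and shares
# the single oauth2-proxy session cookie (Domain=.proxy.domain.dev).
*.proxy.domain.dev {

	# oauth2-proxy's own endpoints (sign_out, start, ...) stay reachable without a
	# session. Clients cannot use this to reach /oauth2/auth as a bypass: that path
	# only answers 202/401/403 and the protected handle below is a separate branch.
	handle /oauth2/* {
		reverse_proxy oauth2-proxy:4180 {
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-Host {host}
			header_up X-Forwarded-Uri {uri}
		}
	}

	handle {
		# Every other request is gated on oauth2-proxy's /oauth2/auth endpoint
		# (Caddy forwards the original headers, including the session cookie).
		forward_auth oauth2-proxy:4180 {
			uri /oauth2/auth
			header_up X-Real-IP {remote_host}

			# Hand the authenticated identity to the upstream. This is what
			# OAUTH2_PROXY_SET_XAUTHREQUEST=true is for; without copy_headers the
			# upstream never learns who the user is.
			copy_headers X-Auth-Request-User X-Auth-Request-Email X-Auth-Request-Groups

			# No session (401) or session rejected (403): send the browser through
			# the login flow on the auth host and return to the original URL.
			# 403 means "logged in but not allowed" — if you ever restrict
			# EMAIL_DOMAINS or groups, consider returning an error page for 403
			# instead of re-running the login.
			@unauth status 401 403
			handle_response @unauth {
				redir https://auth.proxy.domain.dev/oauth2/start?rd={scheme}://{host}{uri}
			}
		}

		@sub1 host sub1.proxy.domain.dev
		handle @sub1 {
			reverse_proxy https://upstream1.fqdn:123 {
				transport http {
					keepalive_idle_conns 8
					max_conns_per_host 16
					# Disables certificate verification toward the upstream, so an
					# impersonated upstream1 would not be detected. Prefer
					# tls_trusted_ca_certs / tls_server_name once the upstream has a
					# certificate Caddy can verify.
					tls_insecure_skip_verify
				}
			}
		}

		@sub2 host sub2.proxy.domain.dev
		handle @sub2 {
			reverse_proxy https://upstream2.fqdn:123 {
				transport http {
					keepalive_idle_conns 8
					max_conns_per_host 16
					# Same caveat as for upstream1: verification is off.
					tls_insecure_skip_verify
				}
			}
		}

		# Authenticated request for a subdomain with no route: fail closed with a 404
		# instead of the empty 200 Caddy would otherwise return.
		handle {
			respond 404
		}
	}
}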
