1. Output of caddy version:
Caddy caddy:2.6.2-builder
2. How I run Caddy:
a. System environment:
Host Ubuntu 22.04.1 LTS
VM Ubuntu 22.04.1 LTS
Docker version 20.10.21, build baeda1f
b. Command:
sudo docker build -t caddy-sec:2.6.2 .
sudo docker compose up -d
c. Service/unit/compose file:
Dockerfile
FROM caddy:2.6.2-builder AS builder
RUN xcaddy build \
--with github.com/greenpau/caddy-security
FROM caddy:2.6.2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
docker-compose.yml
version: "3.7"
services:
caddy:
image: caddy-sec:2.6.2
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- /var/caddy-conf/caddyfile:/etc/caddy/Caddyfile
- /var/caddy-static:/srv
- /var/caddy-conf/ca/ca.crt:/etc/ssl/certs/ca.crt
- caddy_data:/data
- caddy_config:/config
volumes:
caddy_data:
caddy_config:
d. My complete Caddy config:
{
http_port 80
https_port 443
debug
order authenticate before respond
order authorize before basicauth
security {
oauth identity provider gitlab {
realm gitlab
driver gitlab
domain_name gitlabhost1.tux.foo
client_id b5da6c3491723a2eb1de1c92bbba4d58cca7bae3772b860b06e9de4cdde492f6
client_secret 228f4c3c9b76423e5fb752b59c404ca4fb38b3045dcd4300b7adc1c0274e27c7
scopes openid email profile
user_group_filters rnd
}
authentication portal myportal {
crypto default token lifetime 3600
crypto key sign-verify {env.JWT_SHARED_KEY}
enable identity provider gitlab
cookie domain tux.foo
ui {
links {
"My Identity" "/whoami" icon "las la-user"
}
}
transform user {
match realm gitlab
action add role authp/user
ui link "File Server1" https://static1.tux.foo/ icon "las la-star"
ui link "File Server2" https://static2.tux.foo/ icon "las la-star"
ui link "File Server3" https://static3.tux.foo/ icon "las la-star"
}
transform user {
match realm gitlab
match email my.name@owndomain.com
action add role authp/admin
}
}
authorization policy mypolicy {
set auth url https://auth.tux.foo/oauth2/gitlab
crypto key verify {env.JWT_SHARED_KEY}
allow roles authp/admin authp/user
validate bearer header
inject headers with claims
}
}
}
auth.tux.foo {
tls internal
authenticate with myportal
}
static1.tux.foo {
tls internal
authorize with mypolicy
root * /srv/static1
file_server browse
}
static2.tux.foo {
tls internal
authorize with mypolicy
root * /srv/static2
file_server browse
}
static3.tux.foo {
tls internal
authorize with mypolicy
root * /srv/static3
file_server
}
3. The problem I’m having:
I am trying to host 3 static folders with Caddy and secure them with Oauth2 using GitLab.
The static1.tux.foo redirects to gitlabhost1.tux.foo where I can login but the callback url does not work.
4. Error messages and/or full log output:
After login GitLab shows:
An error has occurred
The redirect URI included is not valid.
GitLab application:
Name caddy-webapps
Redirect URI https://auth.tux.foo/auth/oauth2/gitlab/authorization-code-callback/
Confidential
Scopes:
read_user
openid
profile
email
5. What I already tried:
Changing the Redirect URI to any of the following:
https://auth.tux.foo/auth/oauth2/gitlab/authorization-code-callback
https://auth.tux.foo/auth/oauth2/gitlab/authorization-code-callback/
http://auth.tux.foo/auth/oauth2/gitlab/authorization-code-callback
http://auth.tux.foo/auth/oauth2/gitlab/authorization-code-callback/
https://auth.tux.foo
https://auth.tux.foo/
http://auth.tux.foo
http://auth.tux.foo/
https://static1.tux.foo
https://static1.tux.foo/
http://static1.tux.foo
http://static1.tux.foo/
6. Links to relevant resources:
Guide I followed:
Caddyfile I used:
I am having a hard time understanding how does the callback URL work, why does it not work and what am I missing? I feel a bit lost now.
Everything is running in a local environment. The Docker and GitLab are running on two separate VM within the same subnet where they can communicate. GitLab uses a self-signed cert that Caddy trusts.