Caddy static folders + Oauth2 with GitLab

1. Output of caddy version:

Caddy caddy:2.6.2-builder

2. How I run Caddy:

a. System environment:

Host Ubuntu 22.04.1 LTS
VM Ubuntu 22.04.1 LTS
Docker version 20.10.21, build baeda1f

b. Command:

sudo docker build -t caddy-sec:2.6.2 .
sudo docker compose up -d

c. Service/unit/compose file:


FROM caddy:2.6.2-builder AS builder

RUN xcaddy build \

FROM caddy:2.6.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy


version: "3.7"

services:
  caddy:  # service name did not survive in the post; placeholder
    image: caddy-sec:2.6.2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /var/caddy-conf/caddyfile:/etc/caddy/Caddyfile
      - /var/caddy-static:/srv
      - /var/caddy-conf/ca/ca.crt:/etc/ssl/certs/ca.crt
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:


d. My complete Caddy config:

# Hostnames, URLs and e-mail addresses were lost when the post was extracted;
# the affected lines are marked below and the missing closing braces restored.
{
	http_port 80
	https_port 443

	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider gitlab {
			realm gitlab
			driver gitlab
			client_id b5da6c3491723a2eb1de1c92bbba4d58cca7bae3772b860b06e9de4cdde492f6
			client_secret 228f4c3c9b76423e5fb752b59c404ca4fb38b3045dcd4300b7adc1c0274e27c7
			scopes openid email profile
			user_group_filters rnd
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider gitlab
			cookie domain   # domain value missing from the post
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match realm gitlab
				action add role authp/user
				# link URLs missing from the post
				ui link "File Server1" icon "las la-star"
				ui link "File Server2" icon "las la-star"
				ui link "File Server3" icon "las la-star"
			}
			transform user {
				match realm gitlab
				match email   # e-mail address missing from the post
				action add role authp/admin
			}
		}

		authorization policy mypolicy {
			set auth url   # URL missing from the post
			crypto key verify {env.JWT_SHARED_KEY}
			allow roles authp/admin authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

# site address missing from the post (auth portal)
{
	tls internal
	authenticate with myportal
}

# site address missing from the post (static folder 1)
{
	tls internal
	authorize with mypolicy
	root * /srv/static1
	file_server browse
}

# site address missing from the post (static folder 2)
{
	tls internal
	authorize with mypolicy
	root * /srv/static2
	file_server browse
}

# site address missing from the post (static folder 3)
{
	tls internal
	authorize with mypolicy
	root * /srv/static3
}

3. The problem I’m having:

I am trying to host 3 static folders with Caddy and secure them with OAuth2 using GitLab.
The redirect takes me to where I can log in, but the callback URL does not work.

4. Error messages and/or full log output:

After login GitLab shows:

An error has occurred
The redirect URI included is not valid.

GitLab application:

Name caddy-webapps
Redirect URI

5. What I already tried:

Changing the Redirect URI to any of the following:

6. Links to relevant resources:

Guide I followed:

Caddyfile I used:

I am having a hard time understanding how the callback URL works, why it does not work, and what I am missing. I feel a bit lost now.

Everything is running in a local environment. Docker and GitLab are running on two separate VMs within the same subnet, where they can communicate. GitLab uses a self-signed cert that Caddy trusts.

Please ask your support questions with caddy-security on GitHub Issues (greenpau/caddy-security on GitHub).

Thank you for the reply. Browsing the GitHub issues helped me debug my issue.

There is a missing slash at the end of this line in the Caddyfile:

It should be like this:
set auth url

The GitLab application callback URL also looks like this:



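An added example (not from the post and not caddy-security's own code) showing why the trailing slash matters. It assumes caddy-security forms the provider callback by appending `oauth2/<provider>/authorization-code-callback` to the `set auth url` value by plain concatenation, uses the constructed hostname `auth.lan`, and applies the exact-match rule GitLab uses for registered redirect URIs (RFC 6749 section 3.1.2), with a small diagnostic that names the differing URI component.

```python
from urllib.parse import urlsplit

# Assumption (not taken from the post): caddy-security derives a provider's
# callback by appending this path to the "set auth url" value.
CALLBACK_PATH = "oauth2/{provider}/authorization-code-callback"


def build_callback(auth_url: str, provider: str) -> str:
    """Plain concatenation, assumed here so the trailing-slash symptom from the
    post is visible: without the slash the hostname itself gets mangled."""
    return auth_url + CALLBACK_PATH.format(provider=provider)


def redirect_uri_allowed(redirect_uri: str, registered: list[str]) -> bool:
    """Exact string comparison against the registered URIs, as RFC 6749 and
    GitLab require. No prefix, wildcard or host-only matching, which is why a
    stray or missing character anywhere in the URI makes the provider reject it."""
    return redirect_uri in registered


def diagnose(redirect_uri: str, registered: str) -> list[str]:
    """Explain which URI components differ, to speed up fixing the config."""
    got, want = urlsplit(redirect_uri), urlsplit(registered)
    problems = []
    if got.scheme != want.scheme:
        problems.append(f"scheme {got.scheme!r} != {want.scheme!r}")
    if got.netloc != want.netloc:
        problems.append(f"host {got.netloc!r} != {want.netloc!r}")
    if got.path != want.path:
        problems.append(f"path {got.path!r} != {want.path!r}")
    if got.query or got.fragment:
        problems.append("unexpected query string or fragment")
    return problems


if __name__ == "__main__":
    # Constructed sample values: "auth.lan" is a stand-in for the portal host.
    registered = ["https://auth.lan/oauth2/gitlab/authorization-code-callback"]
    for auth_url in ("https://auth.lan", "https://auth.lan/"):
        cb = build_callback(auth_url, "gitlab")
        status = "ok" if redirect_uri_allowed(cb, registered) else "REJECTED"
        print(f"{auth_url!r:22} -> {cb}  [{status}]")
        for problem in diagnose(cb, registered[0]):
            print("   ", problem)
```

Run it and compare the computed callback with what is registered in the GitLab application before touching either side; the diagnostic points at the component (here the host) that a missing slash corrupts.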