Caddy will not accept authorization

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

I run caddy installed through the apt repo with xcaddy and the github.com/greenpau/caddy-security and github.com/caddy-dns/cloudflare modules installed.

a. System environment:

OS: Ubuntu 22.04.1 LTS x86_64
Host: X9DRi-LN4+/X9DR3-LN4+ 0123456789
Kernel: 5.15.0-47-generic
Packages: 1226 (dpkg), 6 (snap)
Shell: bash 5.1.16
CPU: Intel Xeon E5-2690 v2 (40) @ 3.600GHz
GPU: 08:01.0 Matrox Electronics Systems Ltd. MGA G200eW WPCM450
Memory: 12736MiB / 84527MiB

b. Command:

sudo systemctl start caddy.service

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

(cloudflare) {
  tls {
    dns cloudflare X36XzkCjmhFUyAKfafMooYZ6Zm8x1k1JwgoXh675
  }
}
 

:80 {
    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server

    # Another common task is to set up a reverse proxy:
    # reverse_proxy localhost:8080

    # Or serve a PHP site through php-fpm:
    # php_fastcgi localhost:9000

}

#security { 
#    authorization policy admin {
#        
#        set auth url https://xanderland.tv/auth
#        crypto key token name organizr_token_uuid
#        crypto key verify organizrHash
#        set token sources cookie
#        validate bearer header
#
#        # Log any admin
#        acl rule {
#            match iss Organizr
#            match role Admin
#            allow stop log info
#        }
#
#        # Log any denied 
#        acl rule {
#            match iss any
#            deny log warn
#        }
#    }
#
#    authorization policy user {
#        
#        set auth url https://xanderland.tv/auth
#        crypto key token name organizr_token_uuid
#        crypto key verify organizrHash
#        set token sources cookie
#        validate bearer header
#
#        # Log any admin/user
#        acl rule {
#            match iss Organizr
#            match role Admin User
#            allow stop log info
#        }
#
#        # Log any denied 
#        acl rule {
#            match iss any
#            deny log warn
#        }
#    }
#}

xanderland.tv {
#10.0.0.10:80 {
    root * /var/www/websites/organizr        
    php_fastcgi unix//run/php/php8.1-fpm.sock  
    rewrite /api/v2/* /api/v2/index.php?{query}
    file_server

    # Subdirectory     
    #route /requests/* {           
    #    uri strip_prefix /requests         
    #    reverse_proxy http://127.0.0.1:5055
    #    #import cloudflare
    #}
}

# Subdomain
#tautulli.xanderland.tv {
#    route /tautulli* {
#        #authorize with admin
#        reverse_proxy localhost:8181
#    } 
#}

#xanderland.tv {
#requests.xanderland.tv {
#    #route /ombi* {
#    #reverse_proxy http://127.0.0.1:5000
#    #redir / /ombi
#    route /overseerr*
#    #redir / /requests
#    reverse_proxy http://127.0.0.1:5055
#    import cloudflare
#}

requests.xanderland.tv {
    route /overseerr*
    #redir / /requests
    reverse_proxy http://127.0.0.1:5055
    import cloudflare
}

comics.xanderland.tv {
    reverse_proxy http://127.0.0.1:8616
    import cloudflare
    redir / /comics
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

3. The problem I’m having:

I am trying to get the security and authorization to work on my organizr setup. No matter what I do I cannot get it to run. I get the same ‘authorization not recognized’ error every time. I am starting to think there’s something wrong with organizr’s code. I unfortunately do not know how to code well so I pretty much just copy + pasted it

4. Error messages and/or full log output:

Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: caddy.HomeDir=/var/lib/caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: caddy.Version=v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.GOOS=linux
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.GOARCH=amd64
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.Compiler=gc
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.NumCPU=40
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.GOMAXPROCS=40
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: runtime.Version=go1.18.1
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: os.Getwd=/
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: LANG=en_US.UTF-8
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: NOTIFY_SOCKET=/run/systemd/notify
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: HOME=/var/lib/caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: LOGNAME=caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: USER=caddy
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: INVOCATION_ID=d42a617e1ec241e78ed8af57e912d088
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: JOURNAL_STREAM=8:176557
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: SYSTEMD_EXEC_PID=106813
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: {"level":"info","ts":1662698236.5191967,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Sep 09 04:37:16 xeon.xanderland.tv caddy[106813]: run: adapting config using caddyfile: /etc/caddy/Caddyfile:34: unrecognized directive: authorization
Sep 09 04:37:16 xeon.xanderland.tv systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE

5. What I already tried:

Honestly I probably haven’t tried much. I’m dyslexic and it took me literally all day to realized I hadn’t install the security module correctly. I’m still not 100% sure I did. The documentation on organizr is terrible. All I want to do is get this working so I can control my server when I leave the house. My guess is I missed something obvious, but at this point I really don’t know where to go. I am very new to this

6. Links to relevant resources:

https://orangizr.app

1 Like

Directives in Caddy must go inside site blocks. They cannot go at the top-level. See the Caddyfile concepts docs to understand how it’s structured:

You should remove the default :80 site at the top of your config, that’s only there to show a default page when you first install Caddy, and it’s meant to be removed when you set up your own stuff.

For help with caddy-security itself, you’ll get better help from its GitHub repo which is where its author spends his time answering questions.

1 Like

Thank you!