Does caddy support the Proxy-Authorization header for basic auth?

If you want to protect all your apps with HTTP basic auth on your reverse proxy, but also have an app that uses basic auth which you don’t want to disable (either for added security or because it uses a different username, etc), you run into a problem because the app and the reverse proxy both want to use the Authorization header. See this Jellyfin issue0.

It seems like a good standard solution to this would be the Proxy-Authorization header, but I haven’t managed to find documentation for any major reverse proxies on whether this is supported.

Does Caddy support this?

My understanding is that Proxy-Authorization is for forward proxies, not for reverse proxies. The GitHub - caddyserver/forwardproxy: Forward proxy plugin for the Caddy web server project uses that header, because it’s a forward proxy plugin, but reverse_proxy will not handle that.

I recommend using forward_auth instead, I think. You can use an app like Authelia to manage authentication.

1 Like

Ah gotcha, that would make sense. I agree forward auth is the correct solution to this problem. Unfortunately the Jellyfin backend doesn’t currently support it.

Could you not use Caddy Security?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.