Elasticsearch with authentik groups

Hi guys, I have searched the forum, but it seems like no one is trying to run Caddy + authentik + Elasticsearch. Maybe this config is impossible to do; I have tried (and failed) with a couple of different configs and tried using AI to help me. But all failed, so this is my last hope.

1. The problem I’m having:

I have Elasticsearch behind Caddy as a reverse proxy. It used to work great. The problem is that I have also included authentik in the mix, which partly works great.

	@usergroup1 header X-Authentik-Groups *user_1*
	handle @usergroup1 {
		reverse_proxy 127.0.0.1:5601 {
			# Add specific header for user requests
			header_up Authorization "Basic XXXXXX"
		}
	}

	@usergroup2 header X-Authentik-Groups *user_2*
	handle @usergroup2 {
		reverse_proxy 127.0.0.1:5601 {
			# Add specific header for user requests
			header_up Authorization "Basic XXXXX"
		}
	}
}

handle_path /elastic/* {
    @usergroup1 header X-Authentik-Groups *user_1*
    reverse_proxy @usergroup1 http://localhost:9200 {
        header_up Authorization "Basic XXXXXXXX"
    }

    @usergroup2 header X-Authentik-Groups *user_2*
    reverse_proxy @usergroup2 http://localhost:9200 {
        header_up Authorization "Basic XXXXXXX"
    }

    reverse_proxy http://localhost:9200 {
    }
}

The first part works fine; it sends the correct header and everything works in Kibana.

The second part doesn't work; it seems that the matching doesn't work and I end up with the fallback at the end.

Maybe this isn't supposed to work?

2. Error messages and/or full log output:

{"level":"info","ts":1740552290.0746903,"logger":"http.log.access.log2","msg":"handled request","request":{"remote_ip":"185.209.199.142","remote_port":"64434","client_ip":"185.209.199.142","proto":"HTTP/3.0","method":"GET","host":"app.carboncompute.com","uri":"/elastic/travels_alias*/_search","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua":["\"Not(A:Brand\";v=\"99\", \"Google Chrome\";v=\"133\", \"Chromium\";v=\"133\""],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Priority":["u=0, i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["sv-SE,sv;q=0.9"],"Cookie":["REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h3","server_name":"app.carboncompute.com"}},"bytes_read":0,"user_id":"","duration":0.00469852,"size":236,"status":403,"resp_headers":{"Server":["Caddy"],"Content-Type":["application/json"],"Content-Encoding":["gzip"],"Content-Length":["236"],"Date":["Wed, 26 Feb 2025 06:44:50 GMT"]}}
{"level":"info","ts":1740552290.1635275,"logger":"http.log.access.log2","msg":"handled request","request":{"remote_ip":"185.209.199.142","remote_port":"64434","client_ip":"185.209.199.142","proto":"HTTP/3.0","method":"GET","host":"app.carboncompute.com","uri":"/favicon.ico","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"Cookie":["REDACTED"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://app.carboncompute.com/elastic/travels_alias*/_search"],"Accept-Language":["sv-SE,sv;q=0.9"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Dest":["image"],"Sec-Ch-Ua":["\"Not(A:Brand\";v=\"99\", \"Google Chrome\";v=\"133\", \"Chromium\";v=\"133\""],"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=1, i"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h3","server_name":"app.carboncompute.com"}},"bytes_read":0,"user_id":"","duration":0.036097866,"size":25931,"status":200,"resp_headers":{"Content-Type":["image/x-icon"],"Server":["Caddy"],"Date":["Wed, 26 Feb 2025 06:44:50 GMT"],"Vary":["RSC, Next-Router-State-Tree, Next-Router-Prefetch"],"X-Nextjs-Cache":["HIT"],"Cache-Control":["public, max-age=0, must-revalidate"]}}


3. Caddy version: v2.8.4

4. How I installed and ran Caddy:

I installed Caddy as an Ubuntu package. Packaged by Matthew Holt.

a. System environment:

Running Ubuntu 24.04.2 LTS

b. Command:

Running through systemd.

I believe it passes by the 2 reverse_proxys, one for the authenticated route, and another for the non-authed. Can you try something like this?

@authed header X-Authentik-Groups *user_1* *user_2*
handle @authed {
	@usergroup1 header X-Authentik-Groups *user_1*
	reverse_proxy @usergroup1 http://localhost:9200 {
		header_up Authorization "Basic XXXXXXXX"
	}

	@usergroup2 header X-Authentik-Groups *user_2*
	reverse_proxy @usergroup2 http://localhost:9200 {
		header_up Authorization "Basic XXXXXXX"
	}
}
handle {
	reverse_proxy http://localhost:9200
}
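An added example, not part of either post and not Caddy's own code: a Python model of how the `header` matcher treats a value such as `*user_1*` (plain substring match), compared with matching whole group names. It assumes `X-Authentik-Groups` carries a pipe-separated group list, as authentik's proxy provider sends it; every group name other than `user_1` and `user_2` is constructed for illustration.

```python
import re

def caddy_header_value_match(actual: str, pattern: str) -> bool:
    """Model of Caddy's `header` matcher for one value: case-sensitive,
    with '*' honoured only as the first and/or last character."""
    if pattern == "*":
        return True
    if len(pattern) >= 2 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in actual          # *x*  -> substring
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])     # *x   -> suffix
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])  # x*   -> prefix
    return actual == pattern                    # x    -> exact

def exact_group_match(header_value: str, group: str) -> bool:
    """Split the pipe-separated list and compare whole group names."""
    return group in (g.strip() for g in header_value.split("|"))

def group_regex(group: str) -> re.Pattern:
    """Anchored alternative. The expression is also valid RE2 syntax, so the
    same pattern could be given to Caddy's `header_regexp` matcher."""
    return re.compile(r"(^|\|)" + re.escape(group) + r"(\||$)")

# Constructed header values (assumption: pipe-separated group names).
SAMPLES = [
    "authentik Admins|user_1",  # really in user_1
    "user_10|staff",            # different group that contains "user_1"
    "superuser_1",              # different group that ends in "user_1"
    "user_2",                   # unrelated group
]

def over_matches(samples, pattern="*user_1*", group="user_1"):
    """Header values the wildcard accepts although the user is not in `group`."""
    return [v for v in samples
            if caddy_header_value_match(v, pattern)
            and not exact_group_match(v, group)]

if __name__ == "__main__":
    rx = group_regex("user_1")
    for value in SAMPLES:
        print(f"{value!r:28} wildcard={caddy_header_value_match(value, '*user_1*')} "
              f"exact={exact_group_match(value, 'user_1')} "
              f"regex={bool(rx.search(value))}")
    print("wildcard over-matches:", over_matches(SAMPLES))
```

Because each matching route injects a fixed `Authorization` header, any group name that merely contains `user_1` would receive that group's Elasticsearch credentials under the wildcard form.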