Error when using Immich app with Authelia

Hi there! First off, I want to thank the devs for creating such a great product! I’ve been using Caddy reverse proxy with Crowdsec and Authelia to host various sites and it’s been working perfectly! I’m just having trouble getting the Immich app to work with Authelia, with Caddy as the reverse proxy.

1. The problem I’m having:

I’m using Caddy reverse proxy to host Immich with Authelia for authentication. It works perfectly on a web browser. However, using the app throws errors in the Caddy logs.

2. Error messages and/or full log output:

{"level":"error","ts":1709057882.656811,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"108.162.241.78","remote_port":"64374","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api","headers":{"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"User-Agent":["Dart/3.2 (dart:io)"],"Cf-Connecting-Ip":["38.85.165.230"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26d960a3a54a9-YYZ"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.003330541,"size":115,"status":401,"resp_headers":{"X-Frame-Options":["SAMEORIGIN"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi&rm=GET"],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Content-Type":["text/html; charset=utf-8"],"Permissions-Policy":["interest-cohort=()"],"X-Content-Type-Options":["nosniff"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Set-Cookie":[],"Content-Length":["115"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"Server":["Caddy"]}}
{"level":"error","ts":1709057882.8636556,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"108.162.241.117","remote_port":"42772","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/.well-known/immich","headers":{"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26d9749df5437-YYZ"],"X-Forwarded-Proto":["https"],"User-Agent":["Dart/3.2 (dart:io)"],"Accept":["application/json"],"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Connecting-Ip":["38.85.165.230"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.000533741,"size":138,"status":401,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Permissions-Policy":["interest-cohort=()"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2F.well-known%2Fimmich&rm=GET"],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["138"]}}
{"level":"error","ts":1709057883.0426967,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/version","headers":{"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26d987b7636db-YYZ"],"Cf-Connecting-Ip":["38.85.165.230"],"User-Agent":["Dart/3.2 (dart:io)"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001520894,"size":139,"status":401,"resp_headers":{"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Fversion&rm=GET"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["139"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Frame-Options":["SAMEORIGIN"],"X-Content-Type-Options":["nosniff"],"Permissions-Policy":["interest-cohort=()"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Server":["Caddy"]}}
{"level":"error","ts":1709057883.1072989,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/features","headers":{"Cf-Ray":["85c26d994ca736db-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001529564,"size":140,"status":401,"resp_headers":{"Server":["Caddy"],"Date":["Tue, 27 Feb 2024 18:18:03 GMT"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Permissions-Policy":["interest-cohort=()"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["140"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Ffeatures&rm=GET"]}}
{"level":"error","ts":1709057883.176247,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/config","headers":{"Cdn-Loop":["cloudflare"],"Cf-Ipcountry":["CA"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26d99ad5b36db-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001400052,"size":138,"status":401,"resp_headers":{"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Fconfig&rm=GET"],"Set-Cookie":[],"Content-Type":["text/html; charset=utf-8"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Length":["138"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"Date":["Tue, 27 Feb 2024 18:18:03 GMT"]}}
{"level":"error","ts":1709057905.3008428,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.242","remote_port":"14996","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api","headers":{"Cdn-Loop":["cloudflare"],"X-Forwarded-For":["38.85.165.230"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Cf-Ipcountry":["CA"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26e239da536d8-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001637642,"size":115,"status":401,"resp_headers":{"X-Content-Type-Options":["nosniff"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Server":["Caddy"],"Permissions-Policy":["interest-cohort=()"],"X-Xss-Protection":["1; mode=block"],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi&rm=GET"],"Set-Cookie":[],"Content-Length":["115"],"X-Frame-Options":["SAMEORIGIN"]}}
{"level":"error","ts":1709057905.4867058,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.68","remote_port":"11466","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/.well-known/immich","headers":{"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"],"Accept":["application/json"],"Cf-Ipcountry":["CA"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26e24d8bc3a04-YYZ"],"Cf-Connecting-Ip":["38.85.165.230"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.00161921,"size":138,"status":401,"resp_headers":{"X-Xss-Protection":["1; mode=block"],"Content-Length":["138"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2F.well-known%2Fimmich&rm=GET"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"Set-Cookie":[],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"Server":["Caddy"]}}
{"level":"error","ts":1709057905.6700306,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.105","remote_port":"47890","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"POST","host":"immich.mason.dad","uri":"/api/oauth/authorize","headers":{"Cdn-Loop":["cloudflare"],"Cf-Ipcountry":["CA"],"Content-Length":["30"],"X-Forwarded-Proto":["https"],"User-Agent":["Dart/3.2 (dart:io)"],"Cf-Connecting-Ip":["38.85.165.230"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26e25fc3936ff-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Content-Type":["application/json; charset=utf-8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.00153216,"size":136,"status":401,"resp_headers":{"Set-Cookie":[],"Server":["Caddy"],"Content-Length":["136"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Foauth%2Fauthorize&rm=POST"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"X-Xss-Protection":["1; mode=block"]}}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Installed using Docker with multiple Caddy modules
```
xcaddy build \
    --with github.com/WeidiDeng/caddy-cloudflare-ip \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/mholt/caddy-dynamicdns \
    --with github.com/hslatman/caddy-crowdsec-bouncer
```

a. System environment:

Ubuntu 22.04 with Docker

b. Command:

N/A

c. Service/unit/compose file:

Caddy compose file

version: '3.8'
services:
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 60080:80
      - 60443:443
      - 60443:443/udp
      - 2019:2019
    volumes:
      - ./caddy:/usr/bin/caddy:ro
      - caddy-data:/data
      - caddy-config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-logs:/var/log/caddy
    environment:
      - CLOUDFLARE_API_TOKEN=MY_CLOUDFLARE_TOKEN
    networks:
      default:
        ipv4_address: 172.50.0.4
    security_opt:
      - no-new-privileges=true
    cap_add:
      - NET_ADMIN
volumes:
  caddy-data:
  caddy-config:
  caddy-logs:
networks:
  default:
    name: caddy-network
    ipam:
      driver: default

Authelia Compose file

version: '3'
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./config:/config
      - authelia-logs:/var/log/authelia
      - /myDrive/docker-volumes/authelia/auth-data:/data
    networks:
      caddy-network:
        ipv4_address: 172.50.0.8
    restart: always
    environment:
      - TZ=America/Toronto
networks:
  caddy-network:
    external: true
volumes:
  authelia-logs:

d. My complete Caddy config:

{
    email {$EMAIL}
    acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}

    admin :2019

    log {
        include http.log.access.immich http.log.access.auth
        level DEBUG
        output file /var/log/caddy/access.log {
            roll_size 50MB
            roll_keep 50
        }
    }

    order crowdsec first
    crowdsec {
        api_url http://172.50.0.6:8080
        api_key {$CROWDSEC_API_KEY}
    }

    dynamic_dns {
        provider cloudflare {$CLOUDFLARE_API_TOKEN}
        domains {
            mason.dad @ immich authelia
        }
        ip_source simple_http https://api64.ipify.org
        ip_source simple_http https://ifconfig.me
        ip_source simple_http https://icanhazip.com
        check_interval 30m
        versions ipv4
    }

    servers {
        trusted_proxies cloudflare {
            interval 6h
            timeout 30s
        }
    }

}

immich.mason.dad {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mason.dad/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    crowdsec
    reverse_proxy 10.10.10.10:2283
    log immich
}

auth.mason.dad {
    crowdsec
    reverse_proxy authelia:9091
    log auth
}
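Before the thread gets to the fix, a quick way to confirm from the Caddy access log alone that it is the proxy-level auth, not Immich, that is rejecting the app. The script below is an added example written for this page; it is not code from the original post, from Caddy or from Authelia. It parses Caddy's JSON access-log lines in the layout shown above and flags every response where a non-browser client (User-Agent without Mozilla/) got a 401 whose Location points at a different host, which is what forward_auth does when it sends an unauthenticated request to the Authelia portal. The sample log lines inside it are constructed for the example, trimmed copies of the entries above; the Dart user agent, the hosts and the paths are taken from the post.

```python
"""Triage Caddy JSON access logs for API clients bounced to an SSO portal.

Added example for this thread; not code from the original posts, from Caddy
or from Authelia. It reads Caddy's JSON access-log lines and reports every
response where a non-browser client received a 401 with a Location header
pointing at another host: the signature of forward_auth redirecting an API
client (here Immich's Dart app) to a login page it cannot render.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: five Caddy access-log lines in the layout posted above
# (headers and TLS fields trimmed). Lines 1-3 are the Immich app (Dart) being
# bounced, line 4 is a browser being bounced (expected and harmless), line 5
# is a successful app request of the kind seen once forward_auth is gone.
SAMPLE_LOG = r"""
{"level":"error","logger":"http.log.access.immich","msg":"handled request","request":{"client_ip":"38.85.165.230","method":"GET","host":"immich.mason.dad","uri":"/api","headers":{"User-Agent":["Dart/3.2 (dart:io)"]}},"status":401,"resp_headers":{"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi&rm=GET"]}}
{"level":"error","logger":"http.log.access.immich","msg":"handled request","request":{"client_ip":"38.85.165.230","method":"GET","host":"immich.mason.dad","uri":"/api/.well-known/immich","headers":{"User-Agent":["Dart/3.2 (dart:io)"],"Accept":["application/json"]}},"status":401,"resp_headers":{"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2F.well-known%2Fimmich&rm=GET"]}}
{"level":"error","logger":"http.log.access.immich","msg":"handled request","request":{"client_ip":"38.85.165.230","method":"POST","host":"immich.mason.dad","uri":"/api/oauth/authorize","headers":{"User-Agent":["Dart/3.2 (dart:io)"]}},"status":401,"resp_headers":{"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Foauth%2Fauthorize&rm=POST"]}}
{"level":"error","logger":"http.log.access.immich","msg":"handled request","request":{"client_ip":"38.85.165.230","method":"GET","host":"immich.mason.dad","uri":"/photos","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"]}},"status":401,"resp_headers":{"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fphotos&rm=GET"]}}
{"level":"info","logger":"http.log.access.immich","msg":"handled request","request":{"client_ip":"38.85.165.230","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/version","headers":{"User-Agent":["Dart/3.2 (dart:io)"]}},"status":200,"resp_headers":{"Content-Type":["application/json; charset=utf-8"]}}
"""

# (portal host, original URL the portal was asked to return the client to)
Hit = Tuple[str, str]


def is_browser(user_agent: str) -> bool:
    """Crude but sufficient here: every mainstream browser UA carries Mozilla/."""
    return "Mozilla/" in user_agent


def sso_redirect_host(entry: dict) -> Optional[str]:
    """Return the Location host when the response bounces the client to another host."""
    if entry.get("status") not in (401, 302, 303, 307):
        return None
    location = entry.get("resp_headers", {}).get("Location") or []
    if not location:
        return None
    target = urlsplit(location[0])
    if target.netloc and target.netloc != entry["request"]["host"]:
        return target.netloc
    return None


def triage(log_text: str) -> Dict[str, Dict[str, List[Hit]]]:
    """Map user agent -> "METHOD /uri" -> hits, keeping only non-browser clients."""
    findings: Dict[str, Dict[str, List[Hit]]] = defaultdict(lambda: defaultdict(list))
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        req = entry["request"]
        ua = (req.get("headers", {}).get("User-Agent") or [""])[0]
        portal = sso_redirect_host(entry)
        if portal is None or is_browser(ua):
            continue  # no bounce, or a browser that can actually show the login page
        location = entry["resp_headers"]["Location"][0]
        # Authelia encodes the original URL in the rd= query parameter.
        rd = parse_qs(urlsplit(location).query).get("rd", [""])[0]
        findings[ua][f"{req['method']} {req['uri']}"].append((portal, rd))
    return {ua: dict(by_uri) for ua, by_uri in findings.items()}


if __name__ == "__main__":
    for ua, by_uri in triage(SAMPLE_LOG).items():
        print(f"non-browser client {ua!r} bounced to the SSO portal:")
        for key, hits in by_uri.items():
            print(f"  {key} -> {hits[0][0]} (x{len(hits)}, rd={hits[0][1]})")
```

Run it as-is to see the report, or feed a real Caddy access log in place of SAMPLE_LOG. A non-empty result for a user agent such as Dart/3.2 means the client is being asked to log in through a browser page it cannot render, and every path listed is one the Immich app hits before it has any session (server discovery, server-info, the OAuth authorize call), so logging in through the app can never get past the proxy. The check identifies only the symptom: once forward_auth is removed from the Immich site, as the thread ends up doing, nothing at the proxy authenticates /api any more and the API is protected solely by Immich's own session, API-key and OIDC handling.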

Yeah that’s to be expected. The app won’t be able to authenticate because redirecting to the auth form won’t work.

You should probably ask for help from the Authelia community, they might have suggestions for making it work with mobile apps. Or maybe their docs have something about that. This isn’t really a Caddy problem.


I have this setup working (immich+authelia+caddy).
Let me know how can I help.

I don’t see your authelia client. Did you set it up correctly?

Mine is below:

clients:
  - id: immich
    description: My Photos
    secret: '$pbkdf2-sha512$mysecret'
    #secret: '$plaintext$mypass'
    sector_identifier: ''
    public: false
    authorization_policy: two_factor
    consent_mode: implicit
    audience: [immich]
    scopes:
      - openid
      - email
      - profile
    redirect_uris:
      - https://img.mysite.net/auth/login
      - https://img.mysite.net/user-settings
      - app.immich:/
      - https://img.mysite.net/api/oauth/mobile-redirect
    grant_types:
      - refresh_token
      - authorization_code
    response_types:
      - code
    response_modes:
      - form_post
      - query
      - fragment
    userinfo_signing_algorithm: none

My caddy:


{
        # Global options block
        order crowdsec first
        crowdsec {
                api_url http://crowdsec:8080/
                api_key {$BOUNCER_CADDY_TOKEN}
                ticker_interval 15s
        }
}

(restricted-access) {
        forward_auth authelia:9091 {
                uri /api/verify?rd=https://auth.{$DOMAIN}/
                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }
}

(cloudflare-tls) {
        tls {$EMAIL} {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
        }
}

(headers) {
        header {
                Permissions-Policy interest-cohort=()
                Strict-Transport-Security max-age=31536000;
                X-Content-Type-Options nosniff
                X-Frame-Options SAMEORIGIN
                Content-Security-Policy upgrade-insecure-requests
                Referrer-Policy strict-origin-when-cross-origin
                -Server
        }
}

(main) {
        crowdsec

        respond /robots.txt 200 {
                body "User-agent: *
    Disallow: /
    
    User-agent: AdsBot-Google
    Disallow: /

    User-agent: AdsBot-Google-Mobile
    Disallow: /"

                close
        }

        encode zstd gzip

        log {
                output file {$LOG_FILE} {
                        roll_size 24b
                        roll_keep 10
                        roll_keep_for 720h
                }
                format json {
                        time_format wall
                        time_local
                }
                level INFO
        }
}

img.{$DOMAIN} {
        ## OAuth - no import of restricted-access needed
        reverse_proxy immich-server:3001
        import headers
        header -X-Powered-By
        import cloudflare-tls
        import main
}

Backend services (authelia, caddy, crowdsec) compose:

####################
# Back End Services
####################

services:
  caddy:
    container_name: caddy
    hostname: caddy
    build: ./data/caddy/dockerfile-dns
    profiles:
      - backend
    depends_on:
      - crowdsec
    networks:
      - system
      - ownmedia
      - social
      - arrs
    ports:
      - ${PORT_CADDY_HTTP}:80
      - ${PORT_CADDY_HTTPS}:443
    environment:
      LOG_FILE: ${CADDY_LOG}
      DOMAIN: ${DOMAIN}
      SERVER_IP: ${SERVER_IP}
      EMAIL: ${EMAIL_ADMIN}
      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
      BOUNCER_CADDY_TOKEN: ${BOUNCER_CADDY_TOKEN}
      TZ: ${TZ}
    volumes:
      - ${ROOTDIR}/Caddyfile:/etc/caddy/Caddyfile:ro
      - ${CONFIGDIR}/caddy/data:/data
      - ${CONFIGDIR}/caddy/config:/config
      - ${LOGDIR}/caddy:/var/log/caddy/
      - ${CONFIGDIR}/piped/piped-proxy:/var/run/ytproxy
    healthcheck:
      test: ["CMD", "caddy", "version"]
    restart: unless-stopped  
    
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    profiles:
      - backend
    networks:
      - system
    security_opt:
      - no-new-privileges=true
    ports:
      - ${PORT_CROWDSEC_API}:8080 # exposes a REST API for bouncers, cscli and communication between crowdsec agent and local api
      - ${PORT_CROWDSEC_METRICS}:6060 #exposes prometheus metrics on /metrics and pprof debugging metrics on /debug
    environment:
      TZ: ${TZ}
      GID: ${PGID}
      COLLECTIONS: "crowdsecurity/caddy LePresidente/authelia"
      POSTOVERFLOWS: "crowdsecurity/rdns"
      CUSTOM_HOSTNAME: omv
      #DOCKER_HOST: tcp://socky_proxy:${PORT_SOCKY_PROXY} 
    volumes:
      - ${CONFIGDIR}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ${CONFIGDIR}/crowdsec/myconf/mywhitelists.yaml:/etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml:ro
      - ${CONFIGDIR}/crowdsec/config:/etc/crowdsec/
      - ${CONFIGDIR}/crowdsec/data:/var/lib/crowdsec/data/
      - ${LOGDIR}/caddy:/logs/caddy:ro
      - ${LOGDIR}/authelia:/logs/authelia:ro

      #- /var/log/auth.log:/logs/auth.log:ro
      #- /var/log/syslog.log:/logs/syslog.log:ro
    #healthcheck:
    #  test: ["CMD", "cscli", "version"]
    restart: always

  authelia:
    container_name: authelia
    image: authelia/authelia:4
    profiles:
      - backend
    depends_on:
      - authelia_redis
    networks:
      - system
      - ownmedia
      - social
      - arrs
      - authelia-internal
    user: ${PUID}:${PGID}
    env_file:
      - ./data/authelia/.env
    expose:
      - 9091
    volumes:
      - ${CONFIGDIR}/authelia/config:/config
      - ${CONFIGDIR}/authelia/secrets:/secrets
      - ${LOGDIR}/authelia:/config/log/
    restart: unless-stopped
  authelia_redis:
    container_name: authelia_redis
    hostname: authelia_redis
    image: redis:latest
    profiles:
      - backend
    networks:
      - authelia-internal
    expose:
      - 6379
    user: ${PUID}:${PGID}
    volumes:
      - ${CONFIGDIR}/authelia/redis:/data
    restart: unless-stopped


networks:
  system:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.230.0/24
          gateway: 172.20.230.1
  ownmedia:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.231.0/24
          gateway: 172.20.231.1
  social:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.232.0/24
          gateway: 172.20.232.1
  arrs:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.233.0/24
          gateway: 172.20.233.1
  immich-internal:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.234.0/24
          gateway: 172.20.234.1
  authelia-internal:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.236.0/24
          gateway: 172.20.236.1

It worked! Thank you! Thank you! Thank you! I just had to add the below to my Caddyfile:

auth.{$DOMAIN} {
        reverse_proxy authelia:9091
}

So my next question - HOW is this working? How is it that I didn’t need to import restricted-access?


That’s the same as what you had in your original post, except without crowdsec. Maybe crowdsec was breaking it by blocking things?

I’m now excluding the forward_auth directive.

    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mason.dad/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }

Also, the headers section is new.

You don’t need to import the restricted access since you already have the oauth configured for the app (immich) in the Authelia config (section with identity_providers oidc clients).

Importing the directive is only needed for apps that don’t have integration with authelia, and need protection before accessing the resource.

Glad that you worked it out.


Thank you!

Are you saying you had forward_auth inside your auth.mason.dad site?

You didn’t here though:

No. I had forward_auth inside immich.mason.dad.
Removing it fixed the issue.

Okay I’m confused, I thought you wanted to use Authelia to authenticate requests to Immich.

Yes, I do want to use Authelia for authentication.
But as @Tattered1900 said - Immich already has oauth and Authelia configured. So I don’t need to do the forward_auth directive


@francislavoie - if applications have integration with authelia (oidc client configured within authelia’s configuration.yml), there’s no need to add the snippet with forward_auth in Caddyfile

He had the immich client already configured (oidc) but also added the protection in caddy. He removed the italicized part and afterwards it worked as expected:

immich.mason.dad {
    *forward_auth authelia:9091 {*
*        uri /api/verify?rd=https://auth.mason.dad/*
*        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email*
*    }*
    crowdsec
    reverse_proxy 10.10.10.10:2283
    log immich
}

Ahhh I see now, you have Immich directly integrating with Authelia via OIDC. Makes sense.
