I have this setup working (immich+authelia+caddy).
Let me know how I can help.
I don't see your Authelia client. Did you set it up correctly?
Mine is below:
# Authelia OIDC client registration for Immich. This `clients:` list belongs
# under the OIDC identity-provider section of the Authelia configuration.
clients:
  - id: immich
    description: My Photos
    # Client secret stored as a PBKDF2-SHA512 hash. The plaintext variant
    # below is left commented out; keep it disabled.
    secret: '$pbkdf2-sha512$mysecret'
    # secret: '$plaintext$mypass'
    sector_identifier: ''
    # Confidential client: Immich presents the secret when exchanging codes.
    public: false
    # Every login through this client requires a second factor.
    authorization_policy: two_factor
    # No consent screen is shown; users go straight back to Immich.
    consent_mode: implicit
    audience:
      - immich
    scopes:
      - openid
      - email
      - profile
    # Every callback Immich may use must be listed exactly; the custom
    # scheme entry is the mobile app's callback.
    redirect_uris:
      - https://img.mysite.net/auth/login
      - https://img.mysite.net/user-settings
      - app.immich:/
      - https://img.mysite.net/api/oauth/mobile-redirect
    grant_types:
      - refresh_token
      - authorization_code
    response_types:
      - code
    response_modes:
      - form_post
      - query
      - fragment
    # Userinfo responses are returned unsigned.
    userinfo_signing_algorithm: none
My Caddyfile:
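# Global options block. Caddy only treats these as global options when they
# sit inside a top-level `{ ... }` at the very start of the Caddyfile; the
# braces were missing here, so `order` and the `crowdsec` app config were
# not being read as global options.
{
	# Run the CrowdSec bouncer before any other handler so banned clients
	# are rejected before they reach site logic.
	order crowdsec first
	crowdsec {
		# Local API reached over the shared compose network; the bouncer
		# key comes from the container environment rather than the file.
		api_url http://crowdsec:8080/
		api_key {$BOUNCER_CADDY_TOKEN}
		ticker_interval 15s
	}
}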
# Snippet: put a site behind Authelia. Each request is checked with a
# forward_auth subrequest to Authelia's verify endpoint; the rd= parameter
# tells Authelia where to send unauthenticated users, and on success the
# listed identity headers are copied onto the proxied request.
(restricted-access) {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.{$DOMAIN}/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}
# Snippet: obtain certificates through the Cloudflare DNS provider (DNS-01).
# {$EMAIL} is the ACME account address; the API token is injected from the
# container environment.
(cloudflare-tls) {
	tls {$EMAIL} {
		dns cloudflare {$CLOUDFLARE_API_TOKEN}
	}
}
# Snippet: baseline security response headers plus removal of the Server
# header so the proxy does not advertise itself.
(headers) {
	header {
		# Opt out of FLoC cohort calculation.
		Permissions-Policy interest-cohort=()
		# NOTE(review): the trailing ';' leaves an empty directive in the
		# value; browsers tolerate it, but `max-age=31536000` alone is the
		# canonical form.
		Strict-Transport-Security max-age=31536000;
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		Content-Security-Policy upgrade-insecure-requests
		Referrer-Policy strict-origin-when-cross-origin
		-Server
	}
}
# Snippet: behaviour shared by every site — CrowdSec bouncer, a robots.txt
# that denies all crawlers, response compression and JSON access logs.
(main) {
	crowdsec
	# Serve the crawler policy directly; the body is a literal, so its
	# lines are intentionally not indented.
	respond /robots.txt 200 {
		body "User-agent: *
Disallow: /
User-agent: AdsBot-Google
Disallow: /
User-agent: AdsBot-Google-Mobile
Disallow: /"
		close
	}
	encode zstd gzip
	log {
		output file {$LOG_FILE} {
			# NOTE(review): "24b" reads as 24 bytes; if a megabyte roll size
			# was intended the value would be "24mb" — confirm against the
			# rotated files on disk.
			roll_size 24b
			roll_keep 10
			roll_keep_for 720h
		}
		# JSON output with wall-clock local timestamps, as consumed by the
		# CrowdSec caddy collection.
		format json {
			time_format wall
			time_local
		}
		level INFO
	}
}
# Immich. Login is handled by Immich's own OAuth flow against Authelia, so
# the restricted-access snippet is deliberately not imported here.
img.{$DOMAIN} {
	reverse_proxy immich-server:3001
	import headers
	# Drop X-Powered-By as well; it is not covered by the headers snippet.
	header -X-Powered-By
	import cloudflare-tls
	import main
}
Compose file for the backend services (authelia, caddy, crowdsec):
####################
# Back End Services
####################
caddy:
  container_name: caddy
  hostname: caddy
  # Locally built image (presumably adds the DNS provider module the
  # cloudflare-tls snippet needs — confirm against the Dockerfile).
  build: ./data/caddy/dockerfile-dns
  profiles:
    - backend
  # The bouncer needs the CrowdSec LAPI up first.
  depends_on:
    - crowdsec
  # Attached to every application network so it can reach each upstream.
  networks:
    - system
    - ownmedia
    - social
    - arrs
  # Host port mappings are quoted so no YAML parser can read them as numbers.
  ports:
    - "${PORT_CADDY_HTTP}:80"
    - "${PORT_CADDY_HTTPS}:443"
  # Values referenced as {$VAR} inside the Caddyfile. The two tokens are
  # secrets; anyone who can inspect the container can read them.
  environment:
    LOG_FILE: ${CADDY_LOG}
    DOMAIN: ${DOMAIN}
    SERVER_IP: ${SERVER_IP}
    EMAIL: ${EMAIL_ADMIN}
    CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
    BOUNCER_CADDY_TOKEN: ${BOUNCER_CADDY_TOKEN}
    TZ: ${TZ}
  volumes:
    # Config is read-only; certificates and state live under /data and /config.
    - ${ROOTDIR}/Caddyfile:/etc/caddy/Caddyfile:ro
    - ${CONFIGDIR}/caddy/data:/data
    - ${CONFIGDIR}/caddy/config:/config
    # Access logs, read back by CrowdSec.
    - ${LOGDIR}/caddy:/var/log/caddy/
    - ${CONFIGDIR}/piped/piped-proxy:/var/run/ytproxy
  healthcheck:
    test: ["CMD", "caddy", "version"]
  restart: unless-stopped
crowdsec:
  container_name: crowdsec
  # NOTE(review): unpinned tag; pinning a version or digest keeps upgrades deliberate.
  image: crowdsecurity/crowdsec:latest
  profiles:
    - backend
  networks:
    - system
  security_opt:
    - no-new-privileges=true
  ports:
    # Local API for bouncers, cscli and agent<->LAPI traffic. Caddy already
    # reaches it as http://crowdsec:8080/ over the `system` network, so the
    # host mapping is only needed for external clients; if it is kept, a
    # loopback binding such as 127.0.0.1:${PORT_CROWDSEC_API}:8080 limits it.
    - "${PORT_CROWDSEC_API}:8080"
    # Prometheus metrics on /metrics and pprof on /debug.
    - "${PORT_CROWDSEC_METRICS}:6060"
  environment:
    TZ: ${TZ}
    GID: ${PGID}
    COLLECTIONS: "crowdsecurity/caddy LePresidente/authelia"
    POSTOVERFLOWS: "crowdsecurity/rdns"
    CUSTOM_HOSTNAME: omv
    # DOCKER_HOST: tcp://socky_proxy:${PORT_SOCKY_PROXY}
  volumes:
    # The read-only single-file mounts overlap the read-write mount of the
    # whole config directory below.
    - ${CONFIGDIR}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
    - ${CONFIGDIR}/crowdsec/myconf/mywhitelists.yaml:/etc/crowdsec/postoverflows/s01-whitelists/mywhitelists.yaml:ro
    - ${CONFIGDIR}/crowdsec/config:/etc/crowdsec/
    - ${CONFIGDIR}/crowdsec/data:/var/lib/crowdsec/data/
    # Log sources for the caddy and authelia collections, read-only.
    - ${LOGDIR}/caddy:/logs/caddy:ro
    - ${LOGDIR}/authelia:/logs/authelia:ro
    # - /var/log/auth.log:/logs/auth.log:ro
    # - /var/log/syslog.log:/logs/syslog.log:ro
  # healthcheck:
  #   test: ["CMD", "cscli", "version"]
  restart: always
authelia:
  container_name: authelia
  image: authelia/authelia:4
  profiles:
    - backend
  # Session storage must be up before Authelia starts.
  depends_on:
    - authelia_redis
  # Present on every application network so Caddy's forward_auth and the
  # apps' OIDC calls can reach it; authelia-internal carries only Redis.
  networks:
    - system
    - ownmedia
    - social
    - arrs
    - authelia-internal
  # Runs unprivileged as the configured host user/group.
  user: "${PUID}:${PGID}"
  # Remaining settings (presumably including secret references) come from
  # the env file rather than this compose file.
  env_file:
    - ./data/authelia/.env
  # Not published on the host; Caddy proxies to authelia:9091 over the
  # compose networks.
  expose:
    - 9091
  volumes:
    - ${CONFIGDIR}/authelia/config:/config
    - ${CONFIGDIR}/authelia/secrets:/secrets
    # Same directory CrowdSec mounts read-only as /logs/authelia.
    - ${LOGDIR}/authelia:/config/log/
  restart: unless-stopped
authelia_redis:
  container_name: authelia_redis
  hostname: authelia_redis
  # NOTE(review): unpinned tag; consider pinning a major version as done for authelia.
  image: redis:latest
  profiles:
    - backend
  # Only on the private network; in this file Authelia is the sole other member.
  networks:
    - authelia-internal
  # Not published on the host.
  expose:
    - 6379
  user: "${PUID}:${PGID}"
  volumes:
    - ${CONFIGDIR}/authelia/redis:/data
  restart: unless-stopped
# One isolated bridge per application group, each with an explicit /24
# subnet and gateway and IPv6 disabled.
networks:
  system:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.230.0/24
          gateway: 172.20.230.1
  ownmedia:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.231.0/24
          gateway: 172.20.231.1
  social:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.232.0/24
          gateway: 172.20.232.1
  arrs:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.233.0/24
          gateway: 172.20.233.1
  # Not attached to any service in this excerpt; presumably used by the
  # Immich services defined elsewhere in the file.
  immich-internal:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.234.0/24
          gateway: 172.20.234.1
  # Private link between Authelia and its Redis.
  authelia-internal:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.236.0/24
          gateway: 172.20.236.1