Forward Auth and Wildcard Certificates

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

HOST: Ubuntu 22.04 LTS
Docker: Docker version 20.10.16, build aa7e414

b. Command:

docker compose up -d

c. Service/unit/compose file:

  caddy:
    container_name: caddy
    image: cr.hotio.dev/hotio/caddy
    <<: *security-restart
    cap_add:
      - NET_ADMIN
    networks:
      traefik_proxy:
    ports:
      - "80:8080"
      - "443:8443"
    environment:
      <<: *default-tz-puid-pgid
      CUSTOM_BUILD: "/config/caddy_custom"
      FILE__CF_API_KEY: /run/secrets/cloudflare_zone_token
      DOMAINNAME: ${DOMAINNAME}
    volumes:
      - $DOCKERDIR/caddy:/config
    secrets:
      - cloudflare_zone_token
    labels:
      ## Watchtower
      - *watchtower

d. My complete Caddyfile or JSON config:

{
	http_port 8080
	https_port 8443

	email REDACTED
}

(auth) {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.{$DOMAINNAME}
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

*.{$DOMAINNAME}, {$DOMAINNAME} {
	tls {
		dns cloudflare {$CF_API_KEY}
	}

	@authelia host auth.{$DOMAINNAME}
	handle @authelia {
		reverse_proxy authelia:9091
	}

	@sonarr host sonarr.REDACTED
	handle @sonarr {
		import auth
		reverse_proxy sonarr:8989
	}

	# Fallback for otherwise unhandled domains
	handle {
		abort
	}
}

3. The problem I’m having:

I am trying to use authelia to authenticate access to some of my sites.
When access one of those sites I get redirected to authelia.
The problem seems to be the URL rewrite redirects authelia to site to authelia to site, on a loop.

https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https://sonarr.REDACTED/,GET*

The urls without the import auth seem to work.

4. Error messages and/or full log output:

caddy  | Server ready
caddy  | {"level":"debug","ts":1653470746.3097873,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"home.REDACTED"}
caddy  | {"level":"debug","ts":1653470746.309861,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470746.3099043,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470746.309929,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470746.3185263,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"hermes.local:8123","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470746.3207893,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"hermes.local:8123","duration":0.002223922,"request":{"remote_ip":"192.168.2.2","remote_port":"53816","proto":"HTTP/1.1","method":"GET","host":"home.REDACTED","uri":"/api/websocket","headers":{"Sec-Websocket-Key":["/LSeYa+/hGeo3Yw4lNlNog=="],"Upgrade":["websocket"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"X-Forwarded-For":["192.168.2.2"],"Sec-Websocket-Version":["13"],"Connection":["Upgrade"],"User-Agent":[""],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["home.REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"home.REDACTED"}},"headers":{"Sec-Websocket-Accept":["6SD/XKkta7b+c6z16n4ECgwGwBA="],"Sec-Websocket-Extensions":["permessage-deflate"],"Content-Type":["application/octet-stream"],"Date":["Wed, 25 May 2022 09:25:46 GMT"],"Server":["Python/3.9 aiohttp/3.8.1"],"Upgrade":["websocket"],"Connection":["upgrade"]},"status":101}
caddy  | {"level":"debug","ts":1653470746.3208344,"logger":"http.handlers.reverse_proxy","msg":"upgrading connection","upstream":"hermes.local:8123","duration":0.002223922,"request":{"remote_ip":"192.168.2.2","remote_port":"53816","proto":"HTTP/1.1","method":"GET","host":"home.REDACTED","uri":"/api/websocket","headers":{"Sec-Websocket-Key":["/LSeYa+/hGeo3Yw4lNlNog=="],"Upgrade":["websocket"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"X-Forwarded-For":["192.168.2.2"],"Sec-Websocket-Version":["13"],"Connection":["Upgrade"],"User-Agent":[""],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["home.REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"home.REDACTED"}}}
caddy  | {"level":"debug","ts":1653470770.5857382,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"rss.REDACTED"}
caddy  | {"level":"debug","ts":1653470770.5858128,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470770.585857,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470770.5858862,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470770.714744,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"freshrss:80","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470770.7502217,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"freshrss:80","duration":0.035418721,"request":{"remote_ip":"172.70.127.23","remote_port":"12762","proto":"HTTP/2.0","method":"POST","host":"rss.REDACTED","uri":"/api/pshb.php?k=cf740a2ea636ebd5ba159c8fe3000848edf1d903","headers":{"User-Agent":["FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)"],"From":["googlebot(at)googlebot.com"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Content-Length":["3521"],"Cf-Ipcountry":["US"],"Accept-Encoding":["gzip"],"Cdn-Loop":["cloudflare"],"Accept":["*/*"],"Link":["<http://feeds.feedburner.com/expresso-geral>; rel=self, <http://pubsubhubbub.appspot.com/>; rel=hub"],"Cf-Ray":["710d3a5b0f252b03-ORD"],"Content-Type":["application/rss+xml"],"Pragma":["no-cache"],"X-Forwarded-For":["172.70.127.23"],"Cache-Control":["no-cache,max-age=0"],"Cf-Connecting-Ip":["74.125.212.87"],"X-Forwarded-Host":["rss.REDACTED"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"rss.REDACTED"}},"headers":{"X-Content-Type-Options":["nosniff"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Pragma":["no-cache"],"Set-Cookie":[],"Date":["Wed, 25 May 2022 09:26:10 GMT"],"Server":["Apache/2.4.52 (Debian)"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Content-Length":["8"],"Content-Type":["text/plain; charset=UTF-8"]},"status":200}
caddy  | {"level":"debug","ts":1653470777.5129185,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"auth.REDACTED"}
caddy  | {"level":"debug","ts":1653470777.5129862,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470777.513017,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470777.513038,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470777.5604498,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470777.5636759,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.003077199,"request":{"remote_ip":"172.70.85.12","remote_port":"46836","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https://sonarr.REDACTED/,GET","headers":{"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Cdn-Loop":["cloudflare"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept-Language":["en-GB,en;q=0.9"],"Cookie":[],"Cf-Connecting-Ip":["188.251.234.206"],"Cf-Ray":["710d3a86fe0f7779-LHR"],"X-Forwarded-Host":["auth.REDACTED"],"Cf-Ipcountry":["PT"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"X-Forwarded-For":["172.70.85.12"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"X-Content-Type-Options":["nosniff"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"Content-Type":["text/html; charset=utf-8"],"X-Frame-Options":["SAMEORIGIN"],"Content-Length":["984"],"Content-Security-Policy":["default-src 'self'; object-src 'none'; style-src 'self' 'nonce-QrK1nRM44DATyx6OHD4YBHrk6qJGeswt'"],"Date":["Wed, 25 May 2022 09:26:17 GMT"],"Permissions-Policy":["interest-cohort=()"]},"status":200}
caddy  | {"level":"debug","ts":1653470777.8850877,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470777.8860686,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000827772,"request":{"remote_ip":"172.70.85.12","remote_port":"46836","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/locales/en-GB/portal.json","headers":{"Cookie":[],"Cdn-Loop":["cloudflare"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https://sonarr.REDACTED/,GET"],"X-Forwarded-For":["172.70.85.12"],"Accept-Encoding":["gzip"],"X-Forwarded-Host":["auth.REDACTED"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Accept":["*/*"],"Cf-Ipcountry":["PT"],"Cf-Ray":["710d3a899c277779-LHR"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Connecting-Ip":["188.251.234.206"],"Accept-Language":["en-GB,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Date":["Wed, 25 May 2022 09:26:17 GMT"],"Content-Type":["application/json"],"Content-Length":["2"]},"status":200}
caddy  | {"level":"debug","ts":1653470777.924567,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"auth.REDACTED"}
caddy  | {"level":"debug","ts":1653470777.9246006,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470777.9246156,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470777.9246256,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470777.9681606,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470777.968669,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000426621,"request":{"remote_ip":"172.70.85.12","remote_port":"46838","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/locales/en/portal.json","headers":{"Accept-Encoding":["gzip"],"X-Forwarded-Host":["auth.REDACTED"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Accept":["*/*"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https://sonarr.REDACTED/,GET"],"Cf-Connecting-Ip":["188.251.234.206"],"X-Forwarded-For":["172.70.85.12"],"Cdn-Loop":["cloudflare"],"Accept-Language":["en-GB,en;q=0.9"],"Cf-Ray":["710d3a89ac2b7779-LHR"],"Cookie":[],"Cf-Ipcountry":["PT"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Content-Type":["application/json"],"Content-Length":["4567"],"Date":["Wed, 25 May 2022 09:26:17 GMT"]},"status":200}
caddy  | {"level":"debug","ts":1653470778.0662272,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470778.0699468,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.003562055,"request":{"remote_ip":"172.70.85.12","remote_port":"46836","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/api/state","headers":{"Cf-Ipcountry":["PT"],"Cf-Ray":["710d3a8abe6d7779-LHR"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Cf-Connecting-Ip":["188.251.234.206"],"Accept-Encoding":["gzip"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cdn-Loop":["cloudflare"],"Accept-Language":["en-GB,en;q=0.9"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https://sonarr.REDACTED/,GET"],"X-Forwarded-For":["172.70.85.12"],"Cookie":[],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["auth.REDACTED"],"Accept":["application/json, text/plain, */*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Content-Type":["application/json"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"Cache-Control":["no-store"],"Content-Security-Policy":["default-src 'none';"],"Date":["Wed, 25 May 2022 09:26:17 GMT"],"Content-Length":["114"],"X-Content-Type-Options":["nosniff"],"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"Pragma":["no-cache"]},"status":200}
caddy  | {"level":"debug","ts":1653470779.5718422,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"sonarr.REDACTED"}
caddy  | {"level":"debug","ts":1653470779.571907,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470779.5719378,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470779.5719588,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470779.6152956,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470779.6196089,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.004174684,"request":{"remote_ip":"172.70.162.3","remote_port":"20370","proto":"HTTP/2.0","method":"GET","host":"sonarr.REDACTED","uri":"/api/verify?rd=https://auth.REDACTED","headers":{"Cf-Connecting-Ip":["188.251.234.206"],"Accept-Encoding":["gzip"],"X-Forwarded-Uri":["/"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Ray":["710d3a93dc0074b5-LHR"],"Accept-Language":["en-GB,en;q=0.9"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"X-Forwarded-For":["172.70.162.3"],"X-Forwarded-Method":["GET"],"Cookie":[],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Cf-Ipcountry":["PT"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["sonarr.REDACTED"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"sonarr.REDACTED"}},"headers":{"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Pragma":["no-cache"],"Content-Security-Policy":["default-src 'none';"],"Content-Type":["text/html"],"Content-Length":["91"],"X-Content-Type-Options":["nosniff"],"Cache-Control":["no-store"],"Location":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET"],"Date":["Wed, 25 May 2022 09:26:19 GMT"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"]},"status":302}
caddy  | {"level":"debug","ts":1653470779.619637,"logger":"http.handlers.reverse_proxy","msg":"handling response","handler":1}
caddy  | {"level":"debug","ts":1653470779.7882504,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"auth.REDACTED"}
caddy  | {"level":"debug","ts":1653470779.7883086,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470779.7883344,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470779.7883508,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470779.835014,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470779.8370538,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000800133,"request":{"remote_ip":"172.70.91.69","remote_port":"37938","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET","headers":{"Accept-Language":["en-GB,en;q=0.9"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["PT"],"X-Forwarded-For":["172.70.91.69"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Cookie":[],"Cf-Connecting-Ip":["188.251.234.206"],"Cdn-Loop":["cloudflare"],"Cf-Ray":["710d3a95191672f1-LHR"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"X-Forwarded-Host":["auth.REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Content-Type":["text/html; charset=utf-8"],"Content-Length":["984"],"X-Xss-Protection":["1; mode=block"],"X-Frame-Options":["SAMEORIGIN"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Date":["Wed, 25 May 2022 09:26:19 GMT"],"X-Content-Type-Options":["nosniff"],"Content-Security-Policy":["default-src 'self'; object-src 'none'; style-src 'self' 'nonce-8oG3KlWfJvalCU1aF73d9L8LZ0xhp0js'"],"Permissions-Policy":["interest-cohort=()"]},"status":200}
caddy  | {"level":"debug","ts":1653470780.1711898,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470780.172191,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.00084447,"request":{"remote_ip":"172.70.91.69","remote_port":"37938","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/locales/en/portal.json","headers":{"X-Forwarded-Host":["auth.REDACTED"],"Accept":["*/*"],"Cookie":[],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["PT"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept-Language":["en-GB,en;q=0.9"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"X-Forwarded-For":["172.70.91.69"],"Cf-Ray":["710d3a97ecf972f1-LHR"],"Cf-Connecting-Ip":["188.251.234.206"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Content-Type":["application/json"],"Date":["Wed, 25 May 2022 09:26:19 GMT"],"Content-Length":["4567"]},"status":200}
caddy  | {"level":"debug","ts":1653470780.204234,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"auth.REDACTED"}
caddy  | {"level":"debug","ts":1653470780.2042572,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.REDACTED","num_choices":1}
caddy  | {"level":"debug","ts":1653470780.2042685,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.REDACTED","subjects":["*.REDACTED"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470780.204275,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["*.REDACTED"],"managed":true,"expiration":1661212799,"hash":"f8bb1eea9a72c78193f920cd22bc39222bbef6baa7702d604f6626ddb53da666"}
caddy  | {"level":"debug","ts":1653470780.2477152,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470780.2484026,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.000587786,"request":{"remote_ip":"172.70.91.69","remote_port":"37940","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/locales/en-GB/portal.json","headers":{"Accept-Encoding":["gzip"],"Cf-Connecting-Ip":["188.251.234.206"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Cdn-Loop":["cloudflare"],"X-Forwarded-Host":["auth.REDACTED"],"X-Forwarded-For":["172.70.91.69"],"Accept-Language":["en-GB,en;q=0.9"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET"],"Cf-Ipcountry":["PT"],"Cf-Ray":["710d3a97ecee72f1-LHR"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept":["*/*"],"Cookie":[]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"Date":["Wed, 25 May 2022 09:26:20 GMT"],"Content-Type":["application/json"],"Content-Length":["2"]},"status":200}
caddy  | {"level":"debug","ts":1653470780.3435001,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"authelia:9091","total_upstreams":1}
caddy  | {"level":"debug","ts":1653470780.3450894,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"authelia:9091","duration":0.001497116,"request":{"remote_ip":"172.70.91.69","remote_port":"37938","proto":"HTTP/2.0","method":"GET","host":"auth.REDACTED","uri":"/api/state","headers":{"Cf-Connecting-Ip":["188.251.234.206"],"Cdn-Loop":["cloudflare"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Referer":["https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET,%20https://auth.REDACTED/?rd=https%3A%2F%2Fsonarr.REDACTED%2F&rm=GET"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"],"Accept":["application/json, text/plain, */*"],"Cf-Ray":["710d3a98fe9a72f1-LHR"],"Accept-Language":["en-GB,en;q=0.9"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["172.70.91.69"],"X-Forwarded-Proto":["https"],"Cf-Ipcountry":["PT"],"Cookie":[],"X-Forwarded-Host":["auth.REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.REDACTED"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Cache-Control":["no-store"],"Content-Security-Policy":["default-src 'none';"],"Content-Type":["application/json"],"Content-Length":["114"],"X-Content-Type-Options":["nosniff"],"Pragma":["no-cache"],"Date":["Wed, 25 May 2022 09:26:20 GMT"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"]},"status":200}

5. What I already tried:

I can get it to work if I don’t use the *.{$DOMAINNAME} block. But that means each subdomain needs a cert.
Is there a workaround?
Am I using it wrong?

6. Links to relevant resources:

I don’t have any relevant links

Why are you changing the ports? Why not just use 443:443? It’s simpler, will let you avoid needing to modify https_port etc.

Make sure to persist /data, otherwise you’ll lose your certs and keys when you recreate the containers, potentially making you hit ACME issuer rate limits.

This might be messing up because of this port mismatch. Try fixing the above, then try again.

Please make the request with curl -v and show what it looks like.

I got started with a Caddyfile that had those port definitions but never bothered to change them. I have now per your suggestion. About the data volume, the image I am using appears to condense everything in the config folder, or at least I am able to see the certs on my host’s config folder.

I have changed the ports, and here is the result of curl -v.

% curl -v https://sonarr.beloso.me
*   Trying 172.67.186.160:443...
* Connected to sonarr.beloso.me (172.67.186.160) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr 15 00:00:00 2022 GMT
*  expire date: Apr 15 23:59:59 2023 GMT
*  subjectAltName: host "sonarr.beloso.me" matched cert's "*.beloso.me"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f941580ca00)
> GET / HTTP/2
> Host: sonarr.beloso.me
> user-agent: curl/7.77.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Wed, 25 May 2022 16:44:44 GMT
< content-type: text/html
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< cache-control: no-store
< cache-control: no-store
< content-security-policy: default-src 'none';
< content-security-policy: default-src 'none';
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< permissions-policy: interest-cohort=()
< permissions-policy: interest-cohort=()
< pragma: no-cache
< pragma: no-cache
< referrer-policy: strict-origin-when-cross-origin
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-xss-protection: 1; mode=block
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7E8aiJHDfZqVLLgGrjle7mZCuFJ4GMyN7M4uFMDkjbgSaLHvzlkpEi%2BS4FETYT4jJOfvksUh2Yft6ZbyOJNZo32Ci6Sow%2BcLHjE%2FrPq4eyXwEkhks8kLvKVHHd324rrrVYu6"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< server: cloudflare
< cf-ray: 710fbcc80e56e680-LHR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #0 to host sonarr.beloso.me left intact
<a href="https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&amp;rm=GET">Found</a>%

The problem still persists

I’d strongly recommend using our official Docker image. See Docker. We can’t provide support for unofficial Docker images.

That’s really strange. All the headers are doubled up!

Hmm…

Oh, I think I see the problem, forward_auth by default passes through the original Host header of the request, but since you’re using the same server to proxy authelia, I think it gets rehandled with the same host matching logic, so it doubles up on forward_auth calls.

I think you need to change your forward_auth to override the Host like this:

(auth) {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.{$DOMAINNAME}
		header_up Host auth.{$DOMAINNAME}
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

I’d strongly recommend using our official Docker image. See Docker Hub. We can’t provide support for unofficial Docker images.

For now I am playing with Caddy, to see if I can replace Traefik. I find Caddy’s configs way more palatable.
I didn’t want to mess with Dockerfiles to add new modules, so I am using this custom docker image that allows passing of a binary. When I have all set I will try to use the official image, as I think it’s a best approach in the long term.

But I don’t think that for now the issue has been the image. Right?

I think you need to change your forward_auth to override the Host like this:

(auth) {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.{$DOMAINNAME}
		header_up Host auth.{$DOMAINNAME}
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

I changed it just like you suggested and curl -v keeps duplicating the headers:

❯ curl -v https://sonarr.beloso.me
*   Trying 104.21.56.136:443...
* Connected to sonarr.beloso.me (104.21.56.136) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr 15 00:00:00 2022 GMT
*  expire date: Apr 15 23:59:59 2023 GMT
*  subjectAltName: host "sonarr.beloso.me" matched cert's "*.beloso.me"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ff394812c00)
> GET / HTTP/2
> Host: sonarr.beloso.me
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Wed, 25 May 2022 17:46:30 GMT
< content-type: text/html
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< cache-control: no-store
< cache-control: no-store
< content-security-policy: default-src 'none';
< content-security-policy: default-src 'none';
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< permissions-policy: interest-cohort=()
< permissions-policy: interest-cohort=()
< pragma: no-cache
< pragma: no-cache
< referrer-policy: strict-origin-when-cross-origin
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-xss-protection: 1; mode=block
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=t9Pt0khLylK6H8PmGt%2Fb715gqgiI%2BqOBv7XKvUyTh6GO%2FiMWUdrj83vE5aDiZkNP1xNexiS8jd%2FmjW8sJ9Wrz%2BNypd1zFw1omGJVflnWSSMzB%2FPsqvya6CF3bj9TjnzR%2BZ2F"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< server: cloudflare
< cf-ray: 71101744184772de-LHR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #0 to host sonarr.beloso.me left intact
<a href="https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&amp;rm=GET">Found</a>
~
❯ curl -v https://sonarr.beloso.me
*   Trying 104.21.56.136:443...
* Connected to sonarr.beloso.me (104.21.56.136) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr 15 00:00:00 2022 GMT
*  expire date: Apr 15 23:59:59 2023 GMT
*  subjectAltName: host "sonarr.beloso.me" matched cert's "*.beloso.me"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb5ed812c00)
> GET / HTTP/2
> Host: sonarr.beloso.me
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Wed, 25 May 2022 17:47:41 GMT
< content-type: text/html
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< cache-control: no-store
< cache-control: no-store
< content-security-policy: default-src 'none';
< content-security-policy: default-src 'none';
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< permissions-policy: interest-cohort=()
< permissions-policy: interest-cohort=()
< pragma: no-cache
< pragma: no-cache
< referrer-policy: strict-origin-when-cross-origin
< referrer-policy: strict-origin-when-cross-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-xss-protection: 1; mode=block
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I16%2BuTqCNYSxB78bz4zwQ2lf820jL9aY4eYYQOTx2GYRuHQukMa13WjxHGmMzWEXhbftArFaboagplgCZMVBwLc0MVPRIPpetVoKIEVn5vRHVsntdV0SlwI%2FhbkJvBt%2BuOoB"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< server: cloudflare
< cf-ray: 7110190078478862-LHR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #0 to host sonarr.beloso.me left intact
<a href="https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&amp;rm=GET">Found</a>

I’ve seen that the forward_auth directive is new to Caddy, do you think this may be a bug on how it’s used in conjunction with @ and Host directives.

Very strange.

Can you turn on access logs (add the log directive to your site) then post the logs from a single request (with curl)? I want to see what happens in Caddy, in order.

Hey can you confirm the import auth directive does not appear in the Authelia handler? This is acting like it is included there. Also can you confirm that is actually your full Caddyfile and that the only modification was the items marked REDACTED?

Also you can temporarily work around this issue by adding a bypass rule to the Authelia configuration similar to this (make sure it’s at the top):

access_control:
  rules:
  - domain: auth.example.com
    policy: bypass

I just tried loading https://sonarr.beloso.me and it does seem to work properly now, both in the browser and with curl -v. I don’t see doubled up headers, etc.

Hey can you confirm the import auth directive does not appear in the Authelia handler? This is acting like it is included there. Also can you confirm that is actually your full Caddyfile and that the only modification was the items marked REDACTED ?

I am posting the full Caddyfile, just redacted the email. I am using ENV vars for the Token and the Domain

{
	email REDACTED_EMAIL

	acme_ca https://acme.zerossl.com/v2/DV90
	acme_dns cloudflare {$CF_API_KEY}
}

(auth) {
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://auth.{$DOMAINNAME}
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

*.{$DOMAINNAME}, {$DOMAINNAME} {
	@authelia host auth.{$DOMAINNAME}
	handle @authelia {
		reverse_proxy authelia:9091
	}

	@home host home.{$DOMAINNAME}
	handle @home {
		reverse_proxy hermes.local:8123
	}

	@adguard host dns.{$DOMAINNAME}
	handle @adguard {
		reverse_proxy adguard:80
	}

	@adguard2 host dns2.{$DOMAINNAME}
	handle @adguard2 {
		reverse_proxy angelia.local
	}

	@freshrss host rss.{$DOMAINNAME}
	handle @freshrss {
		reverse_proxy freshrss:80
	}

	@flood host torrent.{$DOMAINNAME}
	handle @flood {
		import auth
		reverse_proxy qbittorrent:3000
	}

	@prowlarr host prowlarr.{$DOMAINNAME}
	handle @prowlarr {
		import auth
		reverse_proxy prowlarr:9696
	}

	@sonarr host sonarr.{$DOMAINNAME}
	handle @sonarr {
		import auth
		reverse_proxy sonarr:8989
	}

	@radarr host radarr.{$DOMAINNAME}
	handle @radarr {
		import auth
		reverse_proxy radarr:7878
	}

	@readarr host readarr.{$DOMAINNAME}
	handle @readarr {
		import auth
		reverse_proxy readarr:8787
	}

	@bazarr host bazarr.{$DOMAINNAME}
	handle @bazarr {
		import auth
		reverse_proxy bazarr:6767
	}

	@plex host nucplex.{$DOMAINNAME}
	handle @plex {
		reverse_proxy plex:32400
	}

	# Fallback for otherwise unhandled domains
	handle {
		abort
	}
}

My access_control for authelia is as follows:

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: "auth.beloso.me"
      policy: bypass
    - domain: "*.beloso.me"
      policy: two_factor
    - domain: "beloso.me"
      policy: two_factor

Not sure there is a difference from your suggestion.

I just tried loading https://sonarr.beloso.me and it does seem to work properly now, both in the browser and with curl -v. I don’t see doubled up headers, etc.

I am sorry for any mixup, but it is in fact giving double headers. Yesterday I was switching between Traefik and Caddy to try and debug the issue with the two of them. I went to sleep and I left it exposed with Traefik. Traefik never had this issue, I am using it for a year or two now.

% curl -v https://sonarr.beloso.me
*   Trying 192.168.2.2:443...
* Connected to sonarr.beloso.me (192.168.2.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.beloso.me
*  start date: May 24 00:00:00 2022 GMT
*  expire date: Aug 22 23:59:59 2022 GMT
*  subjectAltName: host "sonarr.beloso.me" matched cert's "*.beloso.me"
*  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd06d80ca00)
> GET / HTTP/2
> Host: sonarr.beloso.me
> user-agent: curl/7.77.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 302
< cache-control: no-store
< cache-control: no-store
< content-security-policy: default-src 'none';
< content-security-policy: default-src 'none';
< content-type: text/html
< content-type: text/html
< date: Thu, 26 May 2022 08:48:10 GMT
< date: Thu, 26 May 2022 08:48:10 GMT
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< location: https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET
< permissions-policy: interest-cohort=()
< permissions-policy: interest-cohort=()
< pragma: no-cache
< pragma: no-cache
< referrer-policy: strict-origin-when-cross-origin
< referrer-policy: strict-origin-when-cross-origin
< server: Caddy
< x-content-type-options: nosniff
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-xss-protection: 1; mode=block
< content-length: 91
<
* Connection #0 to host sonarr.beloso.me left intact
<a href="https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&amp;rm=GET">Found</a>%

Can you turn on access logs (add the log directive to your site) then post the logs from a single request (with curl)? I want to see what happens in Caddy, in order.

access.log for one request:

{"level":"info","ts":1653555185.4928796,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.0.234","remote_port":"49161","proto":"HTTP/2.0","method":"GET","host":"sonarr.beloso.me","uri":"/","headers":{"User-Agent":["curl/7.77.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"sonarr.beloso.me"}},"user_id":"","duration":0.012835705,"size":91,"status":302,"resp_headers":{"Permissions-Policy":["interest-cohort=()","interest-cohort=()"],"Pragma":["no-cache","no-cache"],"Location":["https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET","https://auth.beloso.me/?rd=https%3A%2F%2Fsonarr.beloso.me%2F&rm=GET"],"Content-Length":["91","91"],"X-Content-Type-Options":["nosniff","nosniff"],"Referrer-Policy":["strict-origin-when-cross-origin","strict-origin-when-cross-origin"],"Date":["Thu, 26 May 2022 08:53:05 GMT","Thu, 26 May 2022 08:53:05 GMT"],"X-Frame-Options":["SAMEORIGIN","SAMEORIGIN"],"Cache-Control":["no-store","no-store"],"Content-Type":["text/html","text/html"],"Server":["Caddy"],"X-Xss-Protection":["1; mode=block","1; mode=block"],"Content-Security-Policy":["default-src 'none';","default-src 'none';"]}}

PS: I have posted a reply to @james_d_elliott, but somehow it got blocked due to offensive content,
I don’t know how it can be offensive, can a mod look at it and tell me what I did wrong? I just copied the entire Caddyfile and a relevant portion of the authelia config file.

PS2: If you guys use discord and can join up if you can help me in a more “real-time” way.

Hey Tiago, sorry about that. Our forum is configured to flag certain words including “REDACTED” because people so often redact their domain names against our forum rules. It’s fine to redact an email address or credentials though, so I let it through. I wish I knew how to change the forum’s wording from “offensive” to something else.

Thank you @matt, I just got confused, I wasn’t trying to be offensive.
I “hide” the domain, but it’s there.
I just don’t want the bot army to scrap the forums and bombard my domain a lot.

Did you ever find out why you were getting doubled up headers? I’m currently getting this in my setup as well, although I’m writing my own authentication handler.

I think this PR might be relevant: reverseproxy: Fix double headers in response handlers by francislavoie · Pull Request #4847 · caddyserver/caddy · GitHub

Yep – I think the issues have been resolved, you can try building from master to get the fixes right away.

I haven’t figured it out back then. Since I had a working config on Traefik I went along with that one.

I will try the new fix when it comes out.

This topic was automatically closed after 30 days. New replies are no longer allowed.