1. The problem I’m having:
Hey folks, bit of an odd one here.
I've been making use of forward_auth for a while without any issues to authenticate multiple domains against Authentik. However, with this specific reverse_proxy block, for some totally inexplicable reason, Authentik is being proxied for the whole domain. Not just the /outpost.goauthentik.io path, the whole thing. Seemingly, the intended reverse_proxy directive is being… ignored?
I cannot work this out, so if anyone would be willing to give me a hand, that'd be really appreciated, please.
❯ curl -vL https://music.adhd.energy/
* Trying 192.168.1.2:443...
* Connected to music.adhd.energy (192.168.1.2) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=music.adhd.energy
* start date: Jan 29 11:50:43 2024 GMT
* expire date: Apr 28 11:50:42 2024 GMT
* subjectAltName: host "music.adhd.energy" matched cert's "music.adhd.energy"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://music.adhd.energy/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: music.adhd.energy]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: music.adhd.energy
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 404
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< date: Tue, 30 Jan 2024 13:15:02 GMT
< referrer-policy: same-origin
< server: Caddy
< vary: Accept-Encoding
< vary: Cookie
< x-authentik-id: 937bf9367add470cabc34cc3527beeaf
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-powered-by: authentik
<
2. Error messages and/or full log output:
I grepped this to just log lines with music.adhd.energy – very happy to include more, but this is quite a heavily used proxy with a lot of automations hitting it, so the logs are… noisy at best!
Even grepped, this ended up too long for one post at 39,000 characters. Logs in next post…
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Standard modules: 106
dns.providers.cloudflare
http.handlers.teapot
Non-standard modules: 2
4. How I installed and ran Caddy:
a. System environment:
- Home Assistant OS 11.2
- Using the Caddy 2 add-on: einschmidt/addon-caddy-2
- Docker 24.07
b. Command:
n/a
c. My complete Caddy config:
I have removed irrelevant blocks (other domains) – but any block that is used or even slightly relevant has been included.
{
	email $MY_EMAIL
	acme_dns cloudflare $API_KEY
	log {
		output file /share/caddy/caddy.log
		format json
		exclude http.log.access
	}
	servers {
		metrics
	}
	debug
}

# Issue certificates via Cloudflare DNS-01, resolving through 1.1.1.1
(cf_resolver_tls) {
	tls {
		resolvers 1.1.1.1
		dns cloudflare $API_KEY
	}
}

# Authentik embedded outpost: reverse_proxy for the outpost path,
# forward_auth (no request matcher) for the auth check
(authentik_sso) {
	reverse_proxy /outpost.goauthentik.io/* https://authentik.srv.adhd.energy:9443 {
		transport http {
			tls_trusted_ca_certs /share/caddy/aaroncarson_CA.pem
		}
	}
	forward_auth https://authentik.srv.adhd.energy:9443 {
		uri /outpost.goauthentik.io/auth/caddy
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
		trusted_proxies private_ranges
		transport http {
			tls_trusted_ca_certs /share/caddy/aaroncarson_CA.pem
		}
	}
}

# Drop connections from clients outside private/loopback ranges
(internal_only) {
	@denied not remote_ip private_ranges
	abort @denied
}

# Proxy to an upstream whose certificate chains to the Step CA root;
# args: upstream URL, expected TLS server name
(rev_proxy_step_root_tls) {
	reverse_proxy {args[0]} {
		transport http {
			tls_trusted_ca_certs /share/caddy/aaroncarson_Step_Root.pem
			tls_server_name {args[1]}
		}
	}
}

# Access log with client IPs masked and credentials scrubbed
(humio_access_log) {
	log {
		output file /share/caddy/caddy.log
		format filter {
			wrap json {
				message_key message
				time_format unix_nano
			}
			fields {
				request>headers>Cf-Connecting-Ip ip_mask {
					ipv4 16
					ipv6 32
				}
				request>headers>X-Forwarded-For ip_mask {
					ipv4 16
					ipv6 32
				}
				request>headers>Authorization replace "auth_token"
				request>headers>Cookie cookie delete
			}
		}
	}
}

sso.adhd.energy {
	import rev_proxy_step_root_tls https://authentik.srv.adhd.energy:9443 authentik.srv.adhd.energy
	import cf_resolver_tls
	import humio_access_log
}

apps.adhd.energy {
	import internal_only
	import authentik_sso
	import cf_resolver_tls
	reverse_proxy http://192.168.1.15
	import humio_access_log
}

music.adhd.energy {
	import internal_only
	import authentik_sso
	import cf_resolver_tls
	reverse_proxy http://d5369777-music-assistant-beta:8095
	import humio_access_log
}
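Added illustration (not part of the original post, and not a verified fix for this setup): Caddy sorts the directives of a site block by its fixed directive order, regardless of where they appear or which snippet they were imported from, and in that order forward_auth is placed ahead of both abort and reverse_proxy. A forward_auth with no request matcher therefore runs for every request to the site, including /outpost.goauthentik.io/*, before either reverse_proxy is consulted, and any non-2xx reply from the auth check is copied straight back to the client. A 404 that carries x-powered-by: authentik, as in the curl output above, is the kind of response that path would produce. It also means an abort-based internal_only check only runs after the auth round-trip. Wrapping the handlers in a route block makes Caddy keep them in the written order. The hostnames, CA file path and app upstream below are assumed placeholders.

```caddyfile
# Example (not the poster's config): handlers kept in written order via route.
# Hostnames, the CA file and the app upstream are placeholders.
(authentik_sso_routed) {
	route {
		# 1. Refuse clients outside private/loopback ranges before any auth round-trip.
		@denied not remote_ip private_ranges
		abort @denied

		# 2. Let the outpost's own endpoints (login flow, callbacks) reach Authentik
		#    without passing through the auth check.
		reverse_proxy /outpost.goauthentik.io/* https://authentik.example.internal:9443 {
			transport http {
				tls_trusted_ca_certs /etc/caddy/internal_ca.pem
			}
		}

		# 3. Every other request must pass the auth check; non-2xx replies
		#    (redirect to login, 403, ...) are returned to the client as-is.
		forward_auth https://authentik.example.internal:9443 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
			transport http {
				tls_trusted_ca_certs /etc/caddy/internal_ca.pem
			}
		}

		# 4. Only authenticated requests reach the protected app ({args[0]}).
		reverse_proxy {args[0]}
	}
}

music.example.com {
	import authentik_sso_routed http://music-assistant:8095
}
```

The quickest way to confirm what order Caddy actually applies is to adapt the Caddyfile to JSON (caddy adapt --config Caddyfile --pretty) and read the handler list for the site's route: with route, the subroute's handlers appear in the order written above; without it, the forward_auth-derived reverse_proxy appears before the path-matched one.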