1. The problem I’m having:
I want to use Caddy’s forward_auth such that when I visit lab.domain.dev it goes to auth.domain.dev and, after a successful login, goes back to lab.domain.dev.
However, currently I only get the first redirect, i.e. from lab.domain.dev to auth.domain.dev; after a successful login I get the default Authelia logged-in screen at https://auth.domain.dev/authenticated.
Other aspects of the login flow work properly, i.e. if I manually visit my page after logging in, it works as it should. I can also see the Authelia cookie being set properly, etc.
I’ve been searching various combinations of authelia, caddy, authelia and caddy, but I can’t find anything that helps with this case. I found some similar entries such as: Authelia redirects to itself / forward_auth - #2 by francislavoie
But it is not exactly the same issue, nor was I able to fix it from the info there.
Also, I have noticed that any command that uses header_up that I found during my searches essentially does nothing. I have inspected the headers in my requests, but they are absolutely unaffected by header_up, i.e. the Host header I currently have in my Caddyfile does not show up, nor does any other header that is not “default” (I guess the minimum set of headers needed for a request/response to work).
I mean, in essence it makes sense why the redirect doesn’t happen: there is no way for the page to know how to get back when the information is not set anywhere. But I really can’t find how to set it.
2. Error messages and/or full log output:
No relevant logs as there is no visible error. The functionality is simply missing.
3. Caddy version:
v2.7.4
4. How I installed and ran Caddy:
a. System environment:
Docker
b. Command:
docker compose up
c. Service/unit/compose file:
```yaml
version: '3.8'

services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    restart: 'unless-stopped'
    ports:
      - 8096:8096
      - 8920:8920
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - ./jellyfin/media:/media
      - ./jellyfin/media2:/media2:ro
    networks:
      - lab-network

  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - 1336:1336
      - 1337:1337
      - 1337:1337/udp
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/site:/srv
      - ./caddy/data:/data
      - ./caddy/config:/config
    networks:
      - lab-network

  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    depends_on:
      - postgres
      - redis
    volumes:
      - ./authelia/config:/config
    environment:
      TZ: Europe/Copenhagen
      AUTHELIA_JWT_SECRET_FILE: /config/secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /config/secrets/SESSION_SECRET
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /config/secrets/SMTP_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /config/secrets/STORAGE_ENCRYPTION_KEY
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /config/secrets/STORAGE_PASSWORD
      AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /config/secrets/REDIS_PASSWORD
    networks:
      - lab-network

  postgres:
    image: postgres:15
    container_name: postgres
    restart: unless-stopped
    volumes:
      - ./postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: "authelia"
      POSTGRES_PASSWORD: "redacted"
    networks:
      - lab-network

  redis:
    image: redis:7
    container_name: redis
    restart: unless-stopped
    command: "redis-server --save 60 1 --loglevel warning --requirepass [redacted]"
    volumes:
      - ./redis:/data
    networks:
      - lab-network

networks:
  lab-network:
    driver: bridge
```
d. My complete Caddy config:
```
{
	http_port 1336
	https_port 1337
}

(secure) {
	forward_auth {args[0]} https://auth.domain.dev {
		uri /api/verify?rd=https://auth.domain.dev
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		header_up Host {upstream_hostport}
	}
}

auth.domain.dev {
	reverse_proxy authelia:9091
}

lab.domain.dev {
	import secure *
	redir /tv /tv/
	reverse_proxy /tv/* jellyfin:8096
}
```
5. Links to relevant resources:
I followed this guide for setting up caddy and authelia: Securing web apps with Caddy and Authelia in Docker Compose: an opinionated, practical, and minimal production-ready login portal guide
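As an added illustration of the exchange the post is debugging (a constructed model written for this page, not code from Caddy, Authelia, the guide or the poster), the two steps behind forward_auth are: the proxy forwards the original request's method, scheme, host and URI to the auth service as X-Forwarded-* headers, and the auth service, when no valid session exists, answers 302 to the portal with an rd= parameter carrying the original URL rebuilt from those headers. The portal can only send the user back to lab.domain.dev if that rd= is present, which in turn requires every one of those forwarded headers to reach the auth service intact. The portal URL is the rd= value from the Caddyfile above; the header names model what Caddy's forward_auth and reverse_proxy add and what Authelia's verify endpoint reads, and the "alice" identity and the request shapes are assumptions for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Portal URL, as given in the Caddyfile's `uri /api/verify?rd=...` line.
PORTAL = "https://auth.domain.dev"


def proxy_forward_headers(method, scheme, host, uri, header_up_host=None):
    """Proxy side: headers sent to the auth service for one incoming request.

    Models the X-Forwarded-* headers a forward-auth proxy adds. Host is passed
    through unchanged unless the proxy is told to override it (header_up Host).
    """
    headers = {
        "Host": host,
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": scheme,
        "X-Forwarded-Host": host,
        "X-Forwarded-Uri": uri,
    }
    if header_up_host is not None:
        headers["Host"] = header_up_host
    return headers


def verify(headers, session_ok):
    """Auth service side: 200 plus identity headers, or 302 to the portal.

    The redirect carries rd=<original URL> only when that URL can be rebuilt
    from X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri. If any is
    missing, the portal is reached without a return address.
    """
    if session_ok:
        # Identity headers the proxy would copy upstream (copy_headers).
        return 200, {"Remote-User": "alice"}  # assumed user for the example
    proto = headers.get("X-Forwarded-Proto")
    host = headers.get("X-Forwarded-Host")
    uri = headers.get("X-Forwarded-Uri")
    if proto and host and uri:
        target = f"{proto}://{host}{uri}"
        location = f"{PORTAL}/?{urlencode({'rd': target})}"
    else:
        location = f"{PORTAL}/"  # no rd: after login the portal stays put
    return 302, {"Location": location}


def redirect_target(location):
    """Return the rd= value of a portal redirect, or None if it is absent."""
    return parse_qs(urlsplit(location).query).get("rd", [None])[0]


def unauthenticated_visit(method, scheme, host, uri, drop=()):
    """One unauthenticated request through proxy and auth service.

    `drop` removes forwarded headers before they reach the auth service, to
    show what happens when they do not arrive.
    """
    headers = proxy_forward_headers(method, scheme, host, uri)
    for name in drop:
        headers.pop(name, None)
    status, resp = verify(headers, session_ok=False)
    return status, resp["Location"]


if __name__ == "__main__":
    # Constructed request: a browser hitting the lab site on the custom port.
    for drop in ((), ("X-Forwarded-Host",)):
        status, loc = unauthenticated_visit(
            "GET", "https", "lab.domain.dev:1337", "/tv/", drop=drop
        )
        print(f"dropped={list(drop)} -> {status} {loc} (rd={redirect_target(loc)})")
```

The useful check in the real setup is the same one the model encodes: confirm which X-Forwarded-* headers actually arrive at the auth service (its own request logging, or a temporary logging upstream in its place) rather than inspecting the browser-side response, since the browser never sees the proxy-to-auth-service request.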