1. The problem I’m having:
I have Caddy established as a reverse proxy with Authelia for authentication. This works fine for the most part. Just recently, I launched a new application that comes in two parts: a UI and an API. When visiting the UI, I'm redirected to Authelia for authentication. After that, I visit the UI like normal.
However, I also made sure that the API was behind Authelia. I figured that a user authenticated with the UI would be able to authorize themselves for API use as well.
What's weird to me is that the UI's network requests to the API are being redirected to the authentication portal. This is background traffic that the UI uses... surely it would piggyback off the user's authentication? I guess not.
2. Error messages and/or full log output:
I have no errors, just unexpected behavior. The API calls from my UI are being directed to the auth portal, even though the user is already authenticated.
3. Caddy version:
```
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
```
4. How I installed and ran Caddy:
```dockerfile
ARG CADDY_VERSION=2.7.6
FROM caddy:${CADDY_VERSION}-builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/route53
FROM caddy:${CADDY_VERSION}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
a. System environment:
I am running Caddy in Docker. This is my docker file:
```caddyfile
# Route53 plugin
(tls_config) {
    tls {
        dns route53 {
            max_retries 10
        }
    }
}

# Authelia SSO Portal
auth.company-bi.com {
    import tls_config
    reverse_proxy 10.0.2.250:9091
}

# Schedule app
schedule.company-bi.com, schedule-api.company-bi.com {
    import tls_config
    forward_auth 10.0.2.250:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://internal-main-alb-1928384756.us-west-1.elb.amazonaws.com {
        header_up Host {http.request.host}
    }
}
```
I am sure this is just some kind of configuration issue. Without exposing my API to unauthenticated users, how should I make sure the UI can use the API via the user's existing authentication info?
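The following is an added illustration, not code from the post above and not part of Caddy or Authelia. For the UI's background requests to "piggyback" on the portal login, the browser has to present the session cookie to the API host on every request, which requires two things: the cookie's scope must cover the API hostname, and the UI's cross-origin fetch must be made with credentials enabled (a browser fetch to a different origin omits cookies unless asked to include them). The snippet models only the first condition with Python's standard cookie jar, using the hostnames from the Caddyfile: a host-only cookie set by `auth.company-bi.com` is never sent to `schedule-api.company-bi.com`, whereas a cookie scoped to `company-bi.com` reaches all three hosts. The cookie name and value are constructed placeholders, and whether this is the actual cause on the poster's setup is an assumption, not something the post establishes.

```python
"""Cookie-scope check for the UI/API split (constructed example).

Models what a browser does with a session cookie issued by the auth portal
and asks whether that cookie would accompany a request to the API host.
Nothing here talks to the network.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Hostnames from the Caddyfile in the post; the cookie name/value are placeholders.
AUTH_HOST = "auth.company-bi.com"
UI_URL = "https://schedule.company-bi.com/"
API_URL = "https://schedule-api.company-bi.com/api/items"
AUTH_URL = "https://auth.company-bi.com/"


def session_cookie(domain: str, host_only: bool) -> Cookie:
    """Build a version-0 session cookie the way a browser stores it.

    host_only=True models Set-Cookie without a Domain attribute: the cookie is
    bound to the exact host that set it. host_only=False models
    Domain=<domain>, which every subdomain of <domain> receives.
    """
    return Cookie(
        version=0, name="session_placeholder", value="constructed-opaque-token",
        port=None, port_specified=False,
        domain=domain if host_only else "." + domain.lstrip("."),
        domain_specified=not host_only, domain_initial_dot=not host_only,
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={"HttpOnly": None},
    )


def cookie_reaches(cookie: Cookie, url: str) -> bool:
    """True if the jar would attach the cookie to a request for url."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    req = Request(url)
    jar.add_cookie_header(req)  # applies RFC 6265-style domain/path/secure rules
    return req.get_header("Cookie") is not None


def scope_report() -> dict:
    """Compare both cookie scopes against the portal, UI and API hosts."""
    host_only = session_cookie(AUTH_HOST, host_only=True)
    site_wide = session_cookie("company-bi.com", host_only=False)
    return {
        "host_only": {name: cookie_reaches(host_only, url)
                      for name, url in (("auth", AUTH_URL), ("ui", UI_URL), ("api", API_URL))},
        "site_wide": {name: cookie_reaches(site_wide, url)
                      for name, url in (("auth", AUTH_URL), ("ui", UI_URL), ("api", API_URL))},
    }


if __name__ == "__main__":
    for scope, hosts in scope_report().items():
        print(scope, hosts)
```

Run it and the host-only row shows the cookie reaching only the portal, while the site-wide row shows it reaching the UI and API hosts too. Even with a site-wide cookie, a `fetch()` from the UI origin to the API origin still has to be issued with `credentials: 'include'` for the browser to attach it; the jar above models the server-side scope only.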