1. The problem I’m having:
2. Error messages and/or full log output:
403 Forbidden
3. Caddy version:
2.8.4
4. How I installed and ran Caddy:
Docker Compose
a. System environment:
b. Command:
PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.
c. Service/unit/compose file:
PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.
d. My complete Caddy config:
{
	# Disable admin interface (optional, comment out if needed)
	# admin off
	# Email address for certificate management (replace with your actual email)
	email {env.CLOUDFLARE_EMAIL}
	# NOTE(review): `debug` turns on verbose logging for every module and may
	# put request headers/cookies into the access log below; treat
	# /var/log/caddy/access.log as sensitive and drop `debug` once the
	# forward_auth problem is solved.
	debug
	log {
		output file /var/log/caddy/access.log {
			roll_size 10MB
			roll_keep 10
			roll_keep_for 336h
		}
		format json
	}
	# The same Cloudflare token is used here and in dynamic_dns below; it only
	# needs DNS edit rights on this one zone, so keep it scoped that narrowly.
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	acme_ca https://acme-v02.api.letsencrypt.org/directory
	servers {
		# Only Cloudflare's published ranges are trusted as proxies; a client
		# hitting Caddy directly is treated as the real client.
		trusted_proxies cloudflare {
			interval 12h
			timeout 15s
		}
	}
	dynamic_dns {
		provider cloudflare {env.CLOUDFLARE_API_TOKEN}
		domains {
			mydomain.com
		}
		check_interval 5m
	}
}
# Snippet: TLS via the Cloudflare DNS challenge, compression, and a plain-HTTP
# proxy to the LAN host on port {args[0]}. Despite its name it performs NO
# authentication — a site that imports it is reachable without login unless it
# also applies forward_auth (only adguard.mydomain.com does below).
(mybasicauth) {
	# NOTE(review): this address is spelled differently from the one in
	# mycloud.mydomain.com (pkpamarthy@ vs pkapamarthy@); one is probably a
	# typo. The global `email` directive already covers this, so the per-site
	# address could be dropped.
	tls pkpamarthy@gmail.com {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		ca https://acme-v02.api.letsencrypt.org/directory
	}
	encode gzip zstd
	# {args[0]} is the port string passed by `import mybasicauth "<port>"`.
	reverse_proxy 192.168.3.199:{args[0]}
}
# Snippet: gate requests matched by {args[0]} behind Authelia's forward-auth
# endpoint. NOTE(review): nothing in this Caddyfile imports it, so it is dead
# config — adguard.mydomain.com repeats forward_auth inline with a different
# `uri` instead.
(protected_endpoint) {
	forward_auth {args[0]} 192.168.3.199:9091 {
		# Matches server.endpoints.authz.forward-auth in the Authelia config.
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
		header_up Host {upstream_hostport}
	}
}
# The Authelia portal itself. It is proxied directly and must NOT sit behind
# forward_auth, otherwise the login redirect would loop.
auth.mydomain.com {
	reverse_proxy 192.168.3.199:9091
	#import mybasicauth "9091"
}
adguard.mydomain.com {
	# Every request is first sent to Authelia; only a 2xx reply lets it
	# continue to the upstream imported below, any other status is returned
	# to the client as-is (which is where the observed 403 comes from).
	forward_auth 192.168.3.199:9091 {
		#uri /api/authz/forward-auth
		## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest
		## this is configured in the Session Cookies section of the Authelia configuration.
		#uri /api/authz/forward-auth?authelia_url=https://auth.mydomain.com/
		# NOTE(review): this is the legacy verify endpoint, whereas the Authelia
		# config only declares endpoints.authz.forward-auth
		# (/api/authz/forward-auth, as in the commented line above and in the
		# protected_endpoint snippet). The 403 is more likely caused by the
		# access_control `resources` entries in the Authelia config (full URLs
		# where path regexes are expected), but aligning the two endpoints
		# removes one variable.
		uri /api/verify?rd=https://auth.mydomain.com
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
		header_up Host {upstream_hostport}
	}
	#uri /api/verify?rd=https://auth.domain.dev
	import mybasicauth "9080"
}
# No forward_auth here: Authelia is never consulted for this host, so only
# Portainer's own login protects it.
portainer.mydomain.com {
	import mybasicauth "9000"
}
# No forward_auth here: the photos.mydomain.com entry in Authelia's
# access_control is never evaluated because Caddy never calls Authelia for
# this host; only the application's own login applies.
photos.mydomain.com {
	import mybasicauth "8212"
}
mycloud.mydomain.com {
	# proxy / nextcloud-aio {
	# upstream 192.168.3.199:8680
	# }
	# redir http:// {uri} https://
	# NOTE(review): spelled pkapamarthy@ here but pkpamarthy@ in the
	# mybasicauth snippet — one is probably a typo; the global `email`
	# directive already covers certificate contact details.
	tls pkapamarthy@gmail.com
	# No forward_auth: Authelia is not consulted for this host despite it being
	# listed in access_control; Nextcloud's own login is the only gate.
	reverse_proxy http://192.168.3.199:12000
}
PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.
I have installed Authelia and am able to access it at auth.mydomain.com and log in with 2FA. What I am struggling with is setting up the redirection to auth.mydomain.com using the forward_auth directive. I want Caddy to redirect me to the auth page when I try to access adguard.mydomain.com and, after successful authentication, bring me back to the AdGuard login page. At the moment I get a 403 Forbidden error when I access adguard.mydomain.com, but if I remove the forward_auth block, direct access to the AdGuard login page works without issues.
My Authelia config file:
# Miscellaneous https://www.authelia.com/configuration/miscellaneous/introduction/
server:
  # Binds on all interfaces, so anything that can reach port 9091 on the
  # container network/host can talk to Authelia directly, not only Caddy —
  # keep the port off the public interface.
  address: 'tcp://0.0.0.0:9091/'
  buffers:
    read: 4096
    write: 4096
  endpoints:
    authz:
      # Serves /api/authz/forward-auth, the endpoint Caddy's forward_auth
      # `uri` is expected to call. NOTE(review): the Caddyfile above still
      # calls the legacy /api/verify?rd=... path — confirm that endpoint is
      # still enabled in this version, or point Caddy at this one.
      forward-auth:
        implementation: 'ForwardAuth'
  #endpoints:
  #  enable_pprof: false
  #  enable_expvars: false
  #disable_healthcheck: false
  #host: 127.0.0.1
  #port: 9091
log:
  # Raise to debug temporarily while chasing the 403 so the per-request
  # access-control decision is visible next to Caddy's log.
  level: info
# Legacy top-level location; this setting now lives under
# session.cookies[].default_redirection_url (see session below).
#default_redirection_url: https://auth.mydomain.com
totp:
  # Label shown in the authenticator app for enrolled TOTP secrets.
  issuer: mydomain.com
authentication_backend:
  ldap:
    implementation: custom
    # NOTE(review): plain ldap:// with start_tls disabled means the bind
    # credentials below, and every user's password at login, cross the
    # network unencrypted. Use ldaps:// or start_tls: true unless the
    # directory is on the same host or an isolated segment.
    url: ldap://ldap.mydomain.com:389
    start_tls: false
    base_dn: dc=ldap,dc=mydomain,dc=com
    additional_users_dn: cn=users
    additional_groups_dn: cn=groups
    # NOTE(review): binds as the directory's root account. Authelia only needs
    # search/read access, so a dedicated low-privilege service account limits
    # the damage if this config or the container leaks.
    user: 'uid=root,cn=users,dc=ldap,dc=mydomain,dc=com'
    # NOTE(review): bind password in the config file (possibly redacted for
    # the post). Move it out of the file using the same *_PASSWORD_FILE
    # pattern mentioned for SMTP below (AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE)
    # and rotate it, since the file has been shared publicly.
    password: 'o'
    #users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    permit_referrals: false
    permit_unauthenticated_bind: false
    # Plain scalar starting with '(' is valid YAML; quoting it like
    # users_filter above would keep the two filters consistent.
    groups_filter: (&(member={dn})(objectclass=posixGroup))
    #groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
    attributes:
      username: 'uid'
      display_name: 'gecos'
      mail: 'mail'
      group_name: 'cn'
session:
  name: authelia_session
  cookies:
    # One cookie scoped to the apex so every *.mydomain.com app shares the
    # Authelia session.
    - domain: 'mydomain.com'
      authelia_url: 'https://auth.mydomain.com'
      # Landing page after login when the request carries no target URL.
      default_redirection_url: 'https://dsm.mydomain.com'
  # redis:
  #   host: redis
  #   port: 6379
  # NOTE(review): with redis commented out, sessions presumably live in
  # process memory and are lost on restart — fine for a single instance,
  # verify that is intended.
  expiration: 1h
  inactivity: 5m
# Brute-force control: 3 failed logins within 2m lock the account for 5m.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  postgres:
    host: database
    database: authelia
    username: authelia
    # Password and the storage encryption key are not in this file —
    # presumably supplied via AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE and
    # AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE; confirm against the compose file.
  # local:
  #   path: /var/lib/authelia
# SMTP Notifier https://www.authelia.com/configuration/notifications/smtp/
# Set also AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
notifier:
  smtp:
    host: smtp.gmail.com
    # Submission port; the SMTP password is correctly kept out of this file
    # (see the *_PASSWORD_FILE note above).
    port: 587
    sender: 'Authelia <myemail@gmail.com>'
    username: myemail@gmail.com
access_control:
  # Any request that no rule matches is refused with 403 — the same status
  # the Caddyfile's forward_auth is currently passing back to the browser.
  default_policy: deny
  rules:
    - domain: '*.mydomain.com'
      policy: two_factor
      # NOTE(review): `resources` entries are regular expressions matched
      # against the request path/query (e.g. '^/admin.*$'), not full URLs,
      # so these four will not match a normal request. The rule therefore
      # never applies, default_policy deny fires, and Caddy returns 403
      # instead of redirecting to auth.mydomain.com. Drop `resources` (the
      # `domain` wildcard already scopes the rule) or list the hosts as
      # separate `domain` entries. Also note only adguard.mydomain.com is
      # actually sent through forward_auth in the Caddyfile; the other hosts
      # listed here are never evaluated by Authelia.
      resources:
        - https://dsm.mydomain.com
        - https://photos.mydomain.com
        - https://mycloud.mydomain.com
        - https://adguard.mydomain.com
  #rules:
  ## bypass rule
  #  - domain:
  #      - "auth.mydomain.com"
  #    policy: bypass
  ## catch-all
  #  - domain:
  #      - "*.domain.com"
  #    subject:
  #      - "group:admins"
  #    policy: one_factor