Handling groups of subdomains

1. Caddy version: 2.6.2

2. How I installed, and run Caddy:

a. System environment:

Docker via Ubuntu x64

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.7"

    image: caddy:latest
    container_name: caddy
    restart: unless-stoppedra
      - server_default
      - "80:80"
      - "443:443"
      - "443:443/udp"
      - [redacted]:/etc/caddy/Caddyfile
      - [redacted]:/data
      - [redacted]:/config

    name: server_default
    external: true

d. My complete Caddy config:

See below…

I use caddy to reverse proxy subdomains on my server. Pretty standard stuff:

https://auth.mysite.duckdns.org {
    reverse_proxy authelia:9091

## protected
https://foo.mysite.duckdns.org {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mysite.duckdns.org
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    reverse_proxy foo:1234

## open
https://bar.mysite.duckdns.org {
    reverse_proxy bar:5678

However, copying that forward_auth block into every subdomain is both annoying and leads to things being missed by mistake.

Is it possible to have caddy do something like this pseudo-Caddyfile?

# require forward auth for these subdomains
some_kind_of_group {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mysite.duckdns.org
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  https://dave.mysite.duckdns.org {
    reverse_proxy dave:1234

  https://roger.mysite.duckdns.org {
    reverse_proxy roger:5678

  https://nick.mysite.duckdns.org {
    reverse_proxy nick:9012


# no forward auth for any of these subdomains
some_other_kind_of_group {
  https://rich.mysite.duckdns.org {
    reverse_proxy rich:3456

The ideal result would be me just adding my subdomain proxies to the correct group and not having to remember to enable or not enable forward auth for each.

You’re looking for snippets:

You mean make a snippet of the forward_auth block? That would still require copy/pasting import snippet in each subdomain handler.

Unless there is another way to use them that I’m not aware of. Which is likely.

That’s correct. You need to import the snippet into each relevant site block.

There’s no way to have implicit configuration. The config file was designed such that you need to explicitly configure everything. If there was implicit configuration then we’d have to provide somekind of escape hatch to un-apply or override that implicit config, which is a whole can of worms. Always requiring explicit config is simpler and easier, with less surprises.

I could imagine a frankly disgustingly hacky solution involving running two Caddy instances and having one proxy https:// to the other with a catch-all Authelia forward auth.

But, at that point, you’re really just adding incredible complexity to the setup in order to avoid adding a line of text to each protected site.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.