Handling groups of subdomains

1. Caddy version: 2.6.2

2. How I installed, and run Caddy:

a. System environment:

Docker via Ubuntu x64

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.7"

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    networks:
      - server_default
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - [redacted]:/etc/caddy/Caddyfile
      - [redacted]:/data
      - [redacted]:/config

networks:
  server_default:
    name: server_default
    external: true

d. My complete Caddy config:

See below…

I use caddy to reverse proxy subdomains on my server. Pretty standard stuff:

https://auth.mysite.duckdns.org {
    reverse_proxy authelia:9091
}

## protected
https://foo.mysite.duckdns.org {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mysite.duckdns.org
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy foo:1234
}

## open
https://bar.mysite.duckdns.org {
    reverse_proxy bar:5678
}

However, copying that forward_auth block into every subdomain is both annoying and leads to things being missed by mistake.

Is it possible to have caddy do something like this pseudo-Caddyfile?

# require forward auth for these subdomains
some_kind_of_group {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mysite.duckdns.org
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
  
  https://dave.mysite.duckdns.org {
    reverse_proxy dave:1234
  }

  https://roger.mysite.duckdns.org {
    reverse_proxy roger:5678
  }

  https://nick.mysite.duckdns.org {
    reverse_proxy nick:9012
  }

}

# no forward auth for any of these subdomains
some_other_kind_of_group {
  https://rich.mysite.duckdns.org {
    reverse_proxy rich:3456
  }
}

The ideal result would be me just adding my subdomain proxies to the correct group and not having to remember to enable or not enable forward auth for each.

You’re looking for snippets:

You mean make a snippet of the forward_auth block? That would still require copy/pasting import snippet in each subdomain handler.

Unless there is another way to use them that I’m not aware of. Which is likely.

That’s correct. You need to import the snippet into each relevant site block.

There’s no way to have implicit configuration. The config file was designed such that you need to explicitly configure everything. If there was implicit configuration then we’d have to provide some kind of escape hatch to un-apply or override that implicit config, which is a whole can of worms. Always requiring explicit config is simpler and easier, with fewer surprises.

I could imagine a frankly disgustingly hacky solution involving running two Caddy instances and having one proxy https:// to the other with a catch-all Authelia forward auth.

But, at that point, you’re really just adding incredible complexity to the setup in order to avoid adding a line of text to each protected site.
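As an added example (not part of the original thread or of Caddy's own documentation), here is how the snippet approach from the reply looks in a complete Caddyfile, reusing the hostnames and upstreams from the question. It also shows a second, still explicit, way to get the "group" the question asks for: one site block that lists every protected hostname, so forward_auth is declared once for the whole group and per-host routing is done with named host matchers. The snippet name (protected), the catch-all handle block and its 404 response are my own choices, not something the thread prescribes.

```caddyfile
# Snippet: defined once, imported wherever forward auth is required.
# Caddy 2.6 syntax; no snippet arguments are used.
(protected) {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.mysite.duckdns.org
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}

# Authelia itself is never placed behind forward_auth.
https://auth.mysite.duckdns.org {
    reverse_proxy authelia:9091
}

## protected, one site per block: "import protected" is the only line to remember
https://foo.mysite.duckdns.org {
    import protected
    reverse_proxy foo:1234
}

## protected, as a group: one block, many hostnames.
## forward_auth (via the snippet) runs for every request to any of these hosts
## because it is ordered before "handle" in the Caddyfile directive order.
## Each host then gets its own upstream through a named host matcher.
https://dave.mysite.duckdns.org, https://roger.mysite.duckdns.org, https://nick.mysite.duckdns.org {
    import protected

    @dave host dave.mysite.duckdns.org
    handle @dave {
        reverse_proxy dave:1234
    }

    @roger host roger.mysite.duckdns.org
    handle @roger {
        reverse_proxy roger:5678
    }

    @nick host nick.mysite.duckdns.org
    handle @nick {
        reverse_proxy nick:9012
    }

    # Fallback (my addition): a hostname added to the list above without a
    # matching handle block has already passed forward_auth and ends here,
    # rather than silently reaching an unintended upstream.
    handle {
        respond "no upstream configured for this host" 404
    }
}

## open: no import, no forward auth
https://bar.mysite.duckdns.org {
    reverse_proxy bar:5678
}

https://rich.mysite.duckdns.org {
    reverse_proxy rich:3456
}
```

With the grouped block, adding a protected service means adding its hostname to the comma-separated list and a matching handle block; forgetting the handle block produces a 404 after authentication, not an unauthenticated proxy. The open services remain separate site blocks, so the distinction between "protected" and "open" is still stated explicitly in the config rather than inferred. Either way, the copied Remote-* headers are only trustworthy if the backend containers are reachable solely through Caddy on the Docker network (as in the compose file above, which publishes ports for the caddy service only); a backend that is also exposed directly could be sent forged Remote-User headers by any client.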
