Help with reverse-proxy breaking OIDC

1. The problem I’m having:

I am reverse proxying to Audiobookshelf. Audiobookshelf has OIDC support, which I had working before I installed Caddy reverse proxy. Now that reverse proxy is enabled, Audiobookshelf oauth is broken. I get redirect_uri_mismatch from Google SSO because Google cloud is expecting https, but Audiobookshelf is sending http; I guess it is something to do with the reverse proxy. In my browser it appears that I am on SSL https as I’m logging in, but then Google cloud gets an http redirect uri.

2. Error messages and/or full log output:

Google: redirect_uri_mismatch

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Bare metal, raspberry pi 4, arm64 binary with Cloudflare DNS module

Services (incl. ABS) running in Docker

Cloudflare tunnel (CGNAT ISP)

  • Cloudflare manages DNS, directs domain to the tunnel address

b. Command:

./caddy run

c. Service/unit/compose file:

d. My complete Caddy config:

{
        acme_dns cloudflare ABCDEF
}

http://sevenlayercookie.xyz {
        reverse_proxy http://localhost:3000
        encode zstd gzip
}

localhost {
        reverse_proxy :3000
        encode zstd gzip
}

192.168.4.73 {
        reverse_proxy :3000
        encode zstd gzip
}

http://abs.sevenlayercookie.xyz {
        #abs.sevenlayercookie.xyz {
        encode zstd gzip
        reverse_proxy http://localhost:13378 {
                # reverse_proxy localhost:13378 {
                header_up X-Forwarded-Proto {scheme}
                header_up Host {host}
                header_up X-Real-IP {remote}
                header_up X-Forwarded-For {remote}
        }
}

5. Links to relevant resources:

Using http:// is the problem, it breaks X-Forwarded-Proto because Caddy doesn’t see HTTPS coming in, it sees HTTP.

We spoke on Discord, what’s the problem you’re having with HTTPS? Remove http:// to let Caddy use HTTPS.

What’s in Caddy’s logs?

After removing http:// and then looking at the logs, I realized that no requests were making it to the server. I took a closer look at Cloudflared and realized its domains and tunnels were misconfigured. Once I changed those to https and pointed them at Caddy, everything worked great! Including OIDC. I was able to remove the extraneous headers and such from the Caddyfile as well.

Thank you for your help.
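As an added illustration of the cause explained in the replies above (this is example code, not from the thread or from Audiobookshelf): an app behind a proxy builds its OIDC redirect_uri from the forwarded headers, so a site block served as `http://` makes Caddy send `X-Forwarded-Proto: http` and the app advertises an http callback that Google rejects. The callback path, the `abs.example` host and the two header sets are constructed; the echo handler is a diagnostic upstream you can point Caddy at to see exactly which headers reach the backend.

```python
"""Added example: redirect_uri derivation behind a proxy, plus an upstream
that echoes forwarded headers. Names here are assumptions, not Audiobookshelf's."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

CALLBACK_PATH = "/auth/openid/callback"  # assumed callback path

# Constructed headers, as the upstream sees them for the two Caddyfile forms.
HEADERS_PLAINTEXT_SITE = {  # site block "http://abs.example": Caddy saw plain HTTP
    "Host": "abs.example", "X-Forwarded-Proto": "http",
    "X-Forwarded-For": "203.0.113.5"}
HEADERS_TLS_SITE = {        # site block "abs.example": Caddy terminated TLS
    "Host": "abs.example", "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.5"}
# What was registered in the Google OAuth client (https only).
REGISTERED = {"https://abs.example" + CALLBACK_PATH}


def build_redirect_uri(headers: dict, fallback_host: str = "localhost:13378") -> str:
    """Derive the absolute callback URL the way a proxy-aware app does:
    scheme from X-Forwarded-Proto, host from X-Forwarded-Host or Host."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip()
    host = h.get("x-forwarded-host") or h.get("host") or fallback_host
    return f"{scheme}://{host}{CALLBACK_PATH}"


def matches_registered(uri: str, registered: set) -> bool:
    """The IdP compares redirect_uri byte-for-byte against the registered
    strings: scheme, host, port and path must all match."""
    return uri in registered


class EchoHandler(BaseHTTPRequestHandler):
    """Diagnostic upstream: run it on :13378 behind Caddy and open the site in
    a browser to see which forwarded headers the proxy actually sent."""
    def do_GET(self):
        hdrs = dict(self.headers)
        body = json.dumps({"headers": hdrs,
                           "computed_redirect_uri": build_redirect_uri(hdrs)},
                          indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 13378), EchoHandler).serve_forever()
```

If the echoed `X-Forwarded-Proto` is `http` while the browser shows a padlock, TLS is being terminated somewhere in front of Caddy (here, the Cloudflare tunnel) and Caddy is being reached over plaintext.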
