Help with reverse-proxy breaking OIDC

sevenlayercookie · January 31, 2024, 1:56am

1. The problem I’m having:

I have am reverse proxying to Audiobookshelf. Audiobookshelf has OIDC support, which I had working before I installed Caddy reverse proxy. Now that reverse proxy is enabled, Audiobookshelf oauth is broken. I get redirect_uri_mismatch from Google SSO because Google cloud is expecting https, but Audiobookshelf is sending http, I guess something to do with the reverse-proxy. In my browser it appears that I am on SSL https as I’m logging in, but then Google cloud gets an http redirect uri.

2. Error messages and/or full log output:

Google: redirect_uri_mismatch

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

a. System environment:

Bare metal, raspberry pi 4, arm64 binary with Cloudflare DNS module

Services (incl. ABS) running in Docker

Cloudflare tunnel (CGNAT ISP)

Cloudflare manages DNS, directs domain to the tunnel address

b. Command:

./caddy run

c. Service/unit/compose file:

d. My complete Caddy config:


{
        acme_dns cloudflare ABCDEF
}

http://sevenlayercookie.xyz {
        reverse_proxy http://localhost:3000
        encode zstd gzip
}

localhost {
        reverse_proxy :3000
        encode zstd gzip
}

192.168.4.73 {
        reverse_proxy :3000
        encode zstd gzip
}

http://abs.sevenlayercookie.xyz {
        #abs.sevenlayercookie.xyz {
        encode zstd gzip
        reverse_proxy http://localhost:13378 {
                # reverse_proxy localhost:13378 {
                header_up X-Forwarded-Proto {scheme}
                header_up Host {host}
                header_up X-Real-IP {remote}
                header_up X-Forwarded-For {remote}
        }
}

5. Links to relevant resources:

francislavoie · January 31, 2024, 4:13am

Using http:// is the problem, it breaks X-Forwarded-Proto because Caddy doesn’t see HTTPS coming in, it sees HTTP.

We spoke on Discord, what’s the problem you’re having with HTTPS? Remove http:// to let Caddy use HTTPS.

What’s in Caddy’s logs?

sevenlayercookie · January 31, 2024, 5:57am

After removing http:// and then looking at the logs, I realized that no requests were making it to the server. I took a closer look at Cloudflared and realized its domains and tunnels were misconfigured. Once I changed those to https and pointed them at Caddy, everything worked great! Including OIDC. I was able to remove the extraneous headers and such from the Caddyfile as well.

Thank you for your help.

system · March 1, 2024, 5:58am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.