How to conditionally import in a reverse proxy context?

1. The problem I’m having:

I am protecting a reverse-proxied service with Authelia.
I also realized that some of the URI paths should not be protected and should be available as-is. To do this I created several reverse-proxy entries for the service, and only one of them should import the Authelia configuration.

The import is however rejected when trying to run the configuration.

2. Error messages and/or full log output:

✔ Container caddy  Started                                                                                     0.6s 
caddy  | {"level":"info","ts":1691574274.5058055,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy  | Error: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/docker/authelia/caddy-authelia.conf:10 - Error during parsing: unrecognized response matcher not, import chain: ['/etc/caddy/Caddyfile:72 (import)','/etc/docker/domotique/caddy.caddyfile:8 (import authenticate-with-authelia)']
caddy exited with code 0

3. Caddy version:

v2.7.2 h1:QqThyoyUFAv1B7A2NMeaWlz7xmgKqU49PXBX08A+6xg=

4. How I installed and ran Caddy:

a. System environment:

Docker container with image: caddy:2

d. My complete Caddy config:

(main file)

{
	admin 0.0.0.0:2015
	email REDACTED
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	log {
		level ERROR
	}
	
}

# first import authelia config
import /etc/docker/authelia/caddy-authelia.conf

# import other config files
import /etc/docker/*/Caddyfile
import /etc/docker/*/caddy.caddyfile

(caddy-authelia.conf)

https://authelia.swtk.eu {
	reverse_proxy authelia:9091 {
		trusted_proxies private_ranges
	}
}

(authenticate-with-authelia) {
	@forceAuth {
		not remote_ip private_ranges
	}
	forward_auth @forceAuth authelia:9091 {
		uri /api/verify?rd=https://authelia.swtk.eu/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		trusted_proxies private_ranges
	}
}

(the problematic reverse proxy)

https://hass.swtk.eu {
	log {
		level ERROR
	}
	reverse_proxy /api/* 192.168.10.2:8123
	reverse_proxy /auth/* 192.168.10.2:8123
	reverse_proxy * {
		# import authenticate-with-authelia
		to 192.168.10.2:8123
	}
}

The config works when the import is commented out.

You can’t import HTTP handlers and matchers inside of another directive like reverse_proxy. You need to import it outside reverse_proxy.

If you only want to authenticate the last route, then you should do something like this instead:

hass.swtk.eu {
	log {
		level ERROR
	}

	@noauth path /api/* /auth/*
	handle @noauth {
		reverse_proxy 192.168.10.2:8123
	}

	handle {
		import authenticate-with-authelia
		reverse_proxy 192.168.10.2:8123
	}
}
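The same if/else-if/else layout carried one step further, as an added example (not config from the thread): it keeps the `(authenticate-with-authelia)` snippet from the original post, and assumes a second, hypothetical snippet `(authenticate-everyone)` without the LAN bypass plus a hypothetical `/admin/*` path, to show that each `handle` branch can import its own auth snippet while `import` itself stays out of `reverse_proxy`.

```caddyfile
# Added example, not the configuration from the thread above.
# Assumed: the (authenticate-with-authelia) snippet from the original post
# is defined elsewhere; (authenticate-everyone) and /admin/* are hypothetical.
(authenticate-everyone) {
	# Same forward_auth as the original snippet, but with no remote_ip matcher,
	# so LAN clients authenticate too.
	forward_auth authelia:9091 {
		uri /api/verify?rd=https://authelia.swtk.eu/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		trusted_proxies private_ranges
	}
}

hass.swtk.eu {
	log {
		level ERROR
	}

	# "if": paths the upstream must expose without Authelia in front
	@noauth path /api/* /auth/*
	handle @noauth {
		reverse_proxy 192.168.10.2:8123
	}

	# "else if": hypothetical admin area where even LAN clients must authenticate
	@admin path /admin/*
	handle @admin {
		import authenticate-everyone
		reverse_proxy 192.168.10.2:8123
	}

	# "else": every request that matched none of the handle blocks above.
	# The import sits at handle level, never inside the reverse_proxy block.
	handle {
		import authenticate-with-authelia
		reverse_proxy 192.168.10.2:8123
	}
}
```

`handle` blocks are mutually exclusive, so a request is served by exactly one branch and the matcher-less `handle` only sees requests no other branch claimed.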

Thank you @francislavoie - handle is a very useful directive, it is really the “if … else …” structure I was looking for in other cases as well. Thanks a lot!

