How to create certs for local only proxying OR disable forward_auth when iframe?

1. The problem I’m having:


I’m a beginner with Caddy, I’ve only used the base features for now. I am searching to achieve the following:

I have an app that is reverse proxied by caddy with https (Home Assistant). I want to add other apps, that would be integrated into HA. They would be iframes inside HA UI. The problem I have is that when HA is accessed through https, all the apps in the iframes also need to be accessed through https. I can perfectly reverse proxy them too and then the iframes work, but the problem with doing that is that they will be accessible worldwide without any security. I can in that case use forward_auth with tools like Authelia, but tools like this make it incompatible with the iframes. So I have 2 directions I can search:

  1. Trying to make forward_auth inactive when accessed from HA through an iframe but still active when accessed directly
  2. Trying to make the services accessible through https locally but make them completely unavailable remotely

I don’t know how to do any of these.

I think the solution 2 is easier but I’m not quite sure, if you have ideas for both I’m all ears. Thanks in advance for any answer, have a great day

2. Error messages and/or full log output:

No errors

3. Caddy version:


4. How I installed and ran Caddy:

Caddy Docker Proxy

a. System environment:

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

Here is an example of one of my services that I’m reverse proxying:

{
	forward_auth authelia:9091 {
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		uri /api/verify?rd=
	}
	reverse_proxy zigbee2mqtt:80
}

5. Links to relevant resources:

I don’t understand why iframes are involved. Why can’t you just load those services directly in your browser? I’m confused.

Anyway, the 2nd one is very easy, just use the remote_ip matcher to reject any requests from non-private IP ranges.

@external not remote_ip private_ranges
error @external 403
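
The two lines from the answer above, placed in a full site block next to the unrestricted form. This is an added example, not part of the original posts; the hostname zigbee2mqtt.example.com is a placeholder, and the upstream zigbee2mqtt:80 is taken from the question.

```caddyfile
# Constructed example: zigbee2mqtt.example.com is a placeholder hostname.

# Before: served over HTTPS to any client that can reach Caddy,
# with no access control at all.
#
# zigbee2mqtt.example.com {
# 	reverse_proxy zigbee2mqtt:80
# }

# After: still served over HTTPS, but only to clients on private networks.
zigbee2mqtt.example.com {
	# remote_ip tests the address of the peer that opened the
	# connection to Caddy, not any header the client sent.
	# private_ranges is shorthand for:
	#   192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 fd00::/8 ::1
	@external not remote_ip private_ranges

	# Requests whose peer address is outside those ranges end here
	# with a 403 and never reach the upstream.
	error @external 403

	# Everything else (LAN and loopback clients) is proxied as before.
	reverse_proxy zigbee2mqtt:80
}
```

If Caddy sits behind another proxy or a NAT layer that rewrites source addresses, every client can appear to come from a private address; the `remote_ip` field in Caddy's access log shows which address the matcher is actually evaluating.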


Thanks a lot for your answer

Iframes are involved because I want to have these web apps (like Zigbee2MQTT, Music Assistant, Rhasspy…) within HA UI, in the sidebar of the UI. So they are loaded by HA in an iframe.

Thanks for your help for 2nd way, it works. But I think the 1st way is preferable because it allows me to access the apps both without HA, with Authelia as a security, and within HA with HA login as a security.

I’m not sure how this can be done. How can I distinguish requests made from an iframe from HA UI from a normal request, and exclude it from forward_auth?

Thanks in advance and have a great day

Authelia dev here.

Have you tried setting the cookie same site value to none in Authelia? Browsers do not include cookies in cross site requests by default including iframes unless they have a same site value explicitly set to none.

Keep in mind this allows all cross site requests to include these cookies and could lead to security issues beyond the control of Authelia or Caddy. This is why we ensured this was not the default setting several years ago. You should probably do some reading about what this really means for security before changing it, both documents you source yourself and probably something like this.
