How to exclude a path from forward_auth?

1. The problem I’m having:

I am using Caddy with forward_auth with Authelia. For my Aria2 service, my Caddyfile is the following:


aria2.redacted.com {
	forward_auth authelia:9091 {
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		uri /api/verify?rd=https://authelia.redacted.com/
	}
	reverse_proxy /rpc/* aria2:6800
	reverse_proxy ariang:6880
}

AriaNG is the WebUI, Aria2 is the API accessible via RPC. I want AriaNG (so everything behind the subdomain) to be secured behind Authelia via forward_auth. But the subpath /rpc/* must not be included in the forward_auth, as RPC can’t connect.

Simply put, how can I exclude the path /rpc/* from forward_auth, while still including every other path and the base subdomain?

Thanks in advance for any answer, have a great day.

2. Error messages and/or full log output:



3. Caddy version:

v2.6.4

4. How I installed and ran Caddy:

Caddy docker container

a. System environment:

Docker, Raspberry Pi 4, LibreELEC.

b. Command:



c. Service/unit/compose file:



d. My complete Caddy config:



5. Links to relevant resources:

@except not path /rpc/*
forward_auth @except authelia:9091 {
	# keep the copy_headers and uri lines from your existing config here
}

Or:

aria2.redacted.com {
	handle /rpc/* {
		reverse_proxy aria2:6800
	}

	handle {
		forward_auth authelia:9091 {
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
			uri /api/verify?rd=https://authelia.redacted.com/
		}
		reverse_proxy ariang:6880
	}
}

Hi, thanks a lot for your answer.
Excluding /rpc from forward_auth works.
But I’m having another issue. aria2.redacted.com correctly takes me to AriaNG, it is accessible.
But I can’t access Aria2 via RPC on aria2.redacted.com/rpc. I have this error in caddy:

ERR ts=1685480351.281639 logger=http.log.error msg=EOF request={"remote_ip":"192.168.1.1","remote_port":"56188","proto":"HTTP/2.0","method":"POST","host":"aria2.redacted.com","uri":"/rpc","headers":{"Accept-Encoding":["gzip, deflate, br"],"Content-Type":["application/json;charset=utf-8"],"Content-Length":["138"],"Dnt":["1"],"Cookie":[],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0"],"Accept":["application/json, text/plain, */*"],"Accept-Language":["fr-FR,fr;q=0.8,en-US;q=0.5,en;q=0.3"],"Origin":["moz-extension://48089e12-d1b6-4d96-b95d-41df98c36eb9"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"aria2.redacted.com"}} duration=30.22656849 status=502 err_id=tfpwe4iu0 err_trace=reverseproxy.statusError (reverseproxy.go:1299)

I’m not sure why Aria2 can’t be reached. Here is my Caddyfile:

aria2.redacted.com {
	handle {
		forward_auth authelia:9091 {
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
			uri /api/verify?rd=https://authelia.redacted.com/
		}
		reverse_proxy ariang:6880
	}
	handle /rpc/* {
		reverse_proxy aria2:6800
	}
}

I tested locally and I can access Aria2 on my lan, meaning the port is 6800.
Could you help me to find what’s wrong?
Thanks in advance and have a great day.

The matcher is /rpc/* but you made a request to /rpc which doesn’t have a trailing slash. If you need to match that, then use /rpc* instead.

Thanks for your answer.
I don’t understand why, but reverse proxying Aria2 to a completely different subdomain like this works:

ariang.redacted.com {
	forward_auth authelia:9091 {
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		uri /api/verify?rd=https://authelia.redacted.com/
	}
	reverse_proxy ariang:6880
}
aria2.redacted.com {
	reverse_proxy aria2:6800
}

It works, but I would prefer to avoid using 2 subdomains. I prefer a single one and a subpath for aria2.

But this doesn’t:

aria2.redacted.com {
	handle {
		forward_auth authelia:9091 {
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
			uri /api/verify?rd=https://authelia.redacted.com/
		}
		reverse_proxy ariang:6880
	}
	handle /rpc* {
		reverse_proxy aria2:6800
	}
}

I have no error appearing in caddy with this, and no error in ariang. It just doesn’t connect, I can’t see the difference between the two.

I don’t have enough details to go off of here. I don’t know what your applications are or what they’re doing. You also didn’t fill out the help topic template as per the forum rules. The template gives instructions for getting debug logs.

What would you need exactly to have more info?
I checked caddy, aria2 and ariang logs, I don’t see any error or warning. I’m not sure which one is at fault. But I’m available to send any necessary information.

What I just noticed though, is that aria2 rpc address is not aria2:6800 but aria2:6800/jsonrpc. Could this be an issue? I tried to connect to /rpc/jsonrpc but it doesn’t work either.

Like I said, debug logs. Turn on the debug global option, show all the logs you see from making a request.

Are you expecting /rpc to be stripped from the URL before proxying? If so use handle_path /rpc* instead of handle /rpc* which will strip off /rpc from the front of the URL. Or change your matcher to /jsonrpc* if that’s what you actually need to proxy.
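
A simplified Python model of the matching and prefix stripping discussed in the replies above, added here as an illustration (not Caddy's code and not posted by anyone in the thread). It shows which request paths skip forward_auth under /rpc/* versus /rpc*, and which URI aria2 receives with handle versus handle_path. The sample paths are constructed, and only patterns with a trailing * are modelled.

```python
# Simplified model of the routing discussed in this thread (not Caddy's code).
# Assumptions: only a trailing "*" wildcard is modelled, and matching is
# case-insensitive, as documented for Caddy's `path` matcher.

def path_matches(pattern: str, path: str) -> bool:
    pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])  # "/rpc/*" -> prefix "/rpc/"
    return path == pattern                     # no wildcard: exact match


def stripped_prefix(pattern: str) -> str:
    """Prefix that `handle_path <pattern>` removes before proxying."""
    if pattern.endswith("/*"):
        return pattern[:-2]                    # "/rpc/*" strips "/rpc"
    return pattern.rstrip("*")                 # "/rpc*"  strips "/rpc"


def route(path: str, rpc_matcher: str, strip: bool = False):
    """Return (forward_auth_applied, upstream, uri_sent_upstream).

    Models a site with `handle <rpc_matcher>` (or `handle_path` when
    strip=True) proxying to aria2, and a fallback `handle` that runs
    forward_auth before proxying to ariang.
    """
    if path_matches(rpc_matcher, path):
        uri = path
        if strip:
            uri = path[len(stripped_prefix(rpc_matcher)):] or "/"
        return (False, "aria2:6800", uri)
    return (True, "ariang:6880", path)


def unauthenticated(paths, rpc_matcher):
    """Paths from `paths` that skip forward_auth under the given matcher."""
    return [p for p in paths if not route(p, rpc_matcher)[0]]


# Constructed sample request paths ("/rpc-admin" is hypothetical).
SAMPLE_PATHS = ["/", "/index.html", "/rpc", "/rpc/jsonrpc", "/rpc-admin", "/jsonrpc"]

if __name__ == "__main__":
    for matcher in ("/rpc/*", "/rpc*"):
        print(matcher, "skips forward_auth for:", unauthenticated(SAMPLE_PATHS, matcher))
    print("handle      /rpc* ->", route("/rpc/jsonrpc", "/rpc*"))
    print("handle_path /rpc* ->", route("/rpc/jsonrpc", "/rpc*", strip=True))
```

Note that /rpc* is a plain prefix match, so every path beginning with /rpc reaches aria2 without passing through Authelia, not only /rpc and /rpc/...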
