Issues with caddy and authelia on mobile devices

1. Caddy version (caddy version):

v2.5.1

2. How I run Caddy:

Opnsense VM redirecting traffic from 80 and 443 to the Caddy VM.
Proxmox Lxc container running caddy.
Caddy is run in a docker container and managed with docker-compose.

a. System environment:

|Distributor ID:|Debian|
|Description:|Debian GNU/Linux 11 (bullseye)|
|Release:|11|
|Codename:|bullseye|

Client: Docker Engine - Community
Version: 20.10.17
API version: 1.41
Go version: go1.17.11
Git commit: 100c701
Built: Mon Jun 6 23:03:17 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b842
Built: Mon Jun 6 23:01:23 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.6
GitCommit: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc:
Version: 1.1.2
GitCommit: v1.1.2-0-ga916309
docker-init:
Version: 0.19.0
GitCommit: de40ad0

b. Command:

No command is run because the docker container starts it.

c. Service/unit/compose file:

Docker-compose content:

  caddy:
    <<: *std-keys-sec-be
    build:
      context: $DOCKER_DIR/caddy
      dockerfile: dockerfile
    image: caddy:cloudflare
    container_name: caddy
    ports:
      - 80:80
      - 443:443
    environment:
      - CLOUDFLARE_API_TOKEN=$CF_TOKEN
    volumes:
      - $DOCKER_DIR/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - $DOCKER_DIR/caddy/data:/data
      - $DOCKER_DIR/caddy/config:/config
      - $LOG_DIR/caddy:/opt/logs/caddy  

d. My complete Caddyfile or JSON config:

{
        debug
        email me@xs.me
}
(trusted_proxies_list) {
        trusted_proxies 172.16.0.0/16 192.168.0.0/16 fc00::/7 100.64.0.0/10
}

auth.xs.me authelia.xs.me {
        reverse_proxy authelia:9091 {
                import trusted_proxies_list
        }
}
*.xs.me {
        log {
                level INFO
                output file /opt/logs/caddy/caddy.log {
                        roll_size 10MB
                        roll_keep 10
                }
        }
        tls {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
        }
        forward_auth authelia:9091 {
                uri /api/verify?rd=https://auth.xs.me
                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }
        encode gzip
        @pmx-tfk-tc host tfk-tc.xs.me
        #********************************************************************************************
        reverse_proxy @pmx-tfk-tc cloudcmd:8000
}

3. The problem I’m having:

Running this configuration on a desktop works without any issues. The same configuration used with a mobile phone does not pass the authentication step.
Redirection to authelia is working fine. I get my authelia credentials request but the password is refused.
Getting error message “Incorrect Username or Password”.

This is the returned URL from Caddy:

 https://auth.xs.me/?rd=https%3A%2F%2Ftfk-tc.xs.me%2F&rm=GET,%20https://auth.xs.me/?rd=https://tfk-tc.xs.me/,GET

I am not saying Caddy is the problem, but coming from Traefik with the same config on the Authelia side did not raise this error.

4. Error messages and/or full log output:

“Incorrect Username or Password” when entering credentials on the Authelia form.

5. What I already tried:

Checked Caddy forum
Checked Authelia forum
Disabled all ad-blocking addons
Reduced browser security
Tried different browser
Tried to authenticate directly to Authelia by typing auth.xs.me. Credentials are accepted and I can thereafter access the protected site!

6. Links to relevant resources:

Upgrade to v2.5.2, there were some bugs with forward_auth in v2.5.1 which were fixed in the following version.

Thanks Francis for your swift answer.
Just rebuilt Caddy but still getting a weird behavior.
Now, credentials seem to work but redirection does not.
The credentials screen reappears.
I confirm also that desktop is still working.

I’m not sure I understand. Please explain in detail what behaviour you’re seeing. Try making the request with curl -v to show it.

When I enter the following URL: https://tfk-tc.xs.me, I am redirected to Authelia, which checks its configuration and accordingly requests the credentials before redirecting to the original URL.

Before the update, the credentials were not accepted at all. Since the new version, I am able to enter the username and the password and reach the TOTP screen and enter the code, which seems to be accepted. But instead of redirecting to the original URL, I enter a loop that requests the credentials again.

What do the redirects look like though? What’s in the HTTP request headers, what URL is it trying to redirect to? What’s in Caddy’s logs?
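To make the question above concrete, here is an added example (not code from the thread, from Caddy or from Authelia) that models the exchange the Caddyfile sets up: Caddy's forward_auth sends a sub-request to Authelia's /api/verify carrying the X-Forwarded-* headers and the client's cookies; Authelia answers 200 with the Remote-* headers that copy_headers forwards upstream, or 302 to the portal with the original URL in the rd parameter, which is exactly the shape of the URL shown earlier in the thread. The session store, cookie name, client IP and the check that rd stays under the session domain are assumptions made for the demo.

```python
"""Model of the Caddy forward_auth <-> Authelia /api/verify handshake.

Added example, not project code. Everything in SESSIONS, the cookie name and
the client addresses is constructed for the demo.
"""
from urllib.parse import urlencode, urlparse

PORTAL = "https://auth.xs.me/"        # portal from the Caddyfile's rd parameter
COOKIE_DOMAIN = "xs.me"              # assumed Authelia session domain
SESSION_COOKIE = "authelia_session"  # assumed session cookie name

# Constructed session store: cookie value -> identity the portal established.
SESSIONS = {
    "s3ss10n-ok": {"user": "denis", "groups": "admins,users",
                   "name": "Denis", "email": "denis@xs.me"},
}


def parse_cookies(header):
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def forward_auth_request(original):
    """Headers Caddy's forward_auth adds to the sub-request to /api/verify."""
    u = urlparse(original["url"])
    return {
        "X-Forwarded-Method": original["method"],
        "X-Forwarded-Proto": u.scheme,
        "X-Forwarded-Host": u.netloc,
        "X-Forwarded-Uri": u.path + (f"?{u.query}" if u.query else ""),
        "X-Forwarded-For": original["client_ip"],
        "Cookie": original.get("cookie", ""),
    }


def rd_is_safe(rd):
    """Only redirect back to HTTPS targets under the session domain.

    Guards the rd parameter against being turned into an open redirect.
    """
    u = urlparse(rd)
    host = u.hostname or ""
    return u.scheme == "https" and (host == COOKIE_DOMAIN
                                    or host.endswith("." + COOKIE_DOMAIN))


def verify(headers, sessions=SESSIONS):
    """Model the /api/verify decision: returns (status, response headers)."""
    original = (f"{headers['X-Forwarded-Proto']}://"
                f"{headers['X-Forwarded-Host']}{headers['X-Forwarded-Uri']}")
    cookie = parse_cookies(headers.get("Cookie", "")).get(SESSION_COOKIE)
    ident = sessions.get(cookie)
    if ident:
        # Authenticated: hand identity back in the headers copy_headers forwards.
        return 200, {"Remote-User": ident["user"], "Remote-Groups": ident["groups"],
                     "Remote-Name": ident["name"], "Remote-Email": ident["email"]}
    if not rd_is_safe(original):
        return 400, {}
    # Not authenticated: send the browser to the portal with rd=<original URL>
    # and rm=<original method>, the URL shape seen in the thread.
    location = PORTAL + "?" + urlencode({"rd": original,
                                         "rm": headers["X-Forwarded-Method"]})
    return 302, {"Location": location}


def proxy(original, sessions=SESSIONS):
    """What Caddy does with the verify result under the Caddyfile above."""
    status, resp = verify(forward_auth_request(original), sessions)
    if status == 200:
        upstream = {k: v for k, v in resp.items() if k.startswith("Remote-")}
        return {"status": 200, "upstream_headers": upstream}
    # Any non-2xx verify response is relayed to the client as-is.
    return {"status": status, "location": resp.get("Location")}


if __name__ == "__main__":
    anon = {"method": "GET", "url": "https://tfk-tc.xs.me/", "client_ip": "192.168.1.20"}
    print(proxy(anon))
    print(proxy({**anon, "cookie": f"{SESSION_COOKIE}=s3ss10n-ok"}))
```

When tracing the real thing, `curl -v` without `-L` shows each hop separately: the 302 from tfk-tc.xs.me with its Location, then the portal's Set-Cookie on successful login. A loop like the one described means the second request to tfk-tc.xs.me still reaches /api/verify without a session cookie the verifier recognises, so the cookie's Domain attribute and the X-Forwarded-Host that Caddy sends are the two things to compare between desktop and mobile.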


Dear Francis,

After some more tests I can confirm the issue has been resolved with the new caddy version.
Thank you for your support and this incredible piece of software.

Just as a comment:
Not being a developer, and especially not in web technologies, I am sure that a lot of people like me would really appreciate some basic troubleshooting tips, as you were suggesting (in a quite "telegraphic" way), presented in a more comprehensible way. I am sure that both you as developers and us as happy users would benefit from it.
This is just a friendly remark.
As I said, I am no developer, not even as a hobby, but I am an IT guy with quite a long experience in supporting people on the infrastructure side.

Have a nice day

Denis
