Make proxies accessible only internally (solved)

I have finally gotten Caddy to work and it does everything I need it to do. Now I am working on the want list.

I have multiple services running behind Caddy… sonarr, radarr, sabnzbd, etc. and want to be able to turn off their individual authentications so I can use Organizr as a single sign on portal.

This would mean I would need to be able to have Organizr still be able to see the individual pages but not have anyone browsing my-domain.com/sonarr be able to see the page.

Any ideas or examples of how to start going about doing this?

Thanks for any help offered.

Running on Windows Server with the most recent Caddy Release.

I’m assuming you meant to enable this.

You could try the http.reauth plugin.

I saw that page and was just trying to figure out how to do it in Caddy.

I much prefer Caddy’s simplistic approach to config and SSL but don’t know enough about the background processes to be able to look at the nginx config and convert that to what Caddy requires.

I will research the link you provided and see if I can get it set up.

Thanks very much.

There is no equivalent in Caddy to the auth_request line in nginx, as discussed here: https://github.com/mholt/caddy/issues/1507

So that is off the table until Caddy has a plugin developed that will accept the authentication provided by Organizr.

I don’t see an obvious way for me to use the http.reauth plugin to do what I want as my ideal situation is utilizing the existing user database in Organizr.
Edit* After posting this I had the tab up to copy the URL and went to the git page for it and was reading it again… just for the sake of it and noticed the upstream option might work for that authentication. Down another rabbit hole I go.

If I am missing something please let me know but I have been reading on this the last few days and it seems like those are my hold ups at the moment.

I would really prefer not to switch servers if I can help it since I finally got everything running how I like it in Caddy. Hoping for a solution to come around as I’m not extremely secure right now since my focus has been function to start… now I’m moving to locking it down appropriately.

If Organizr is running in the same local network as the other services, couldn’t you just not proxy them via Caddy at all, and point Organizr to them directly over the LAN?

Otherwise, I think you want ipfilter. You can whitelist the private IP block (192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 as applicable) to only allow requests from there and deny requests from elsewhere.

Organizr isn’t able to get them that way as it is a frame application, not a reverse proxy. The tab URLs in Organizr have to be the address you would use if accessing that page from a browser directly.

If I were to make a tab go to http://127.0.0.1:8080 I could get to SABnzbd all day on that one machine but not on any others, if I were to put 192.168.1.5 I could get to it on my network, etc. So I need the proxy to have them accessible via domain name from outside the house and have Organizr just package them neatly.

If it was that easy then Organizr would not need to have pages dedicated to how to authenticate via their interface, I would think. There just isn’t a very big group running it on Caddy yet. Caddy makes it so much easier to go HTTPS, especially on Windows where there are no easy tools for assisting with the process.

I am going to see about adding what I have figured out so far in this process to their wiki though, so maybe it will be a bit easier for new users such as myself who had to learn all this in a matter of weeks to get their stuff up and going.

Edit - I have started a thread over at the http.reauth page to see if it can be set up to work in this fashion. If the dev has time maybe I’ll get lucky and be able to use it for this purpose.

Ahh! My bad, I was obviously off base with that assumption.

I’m not 100% sure how reauth fits in to things at the moment. It looks like the current line of thought is to use http.reauth to protect the proxied locations, using Organizr’s auth.php as the authentication method. Does that sound right?

And the problem is that the reauth plugin doesn’t pass through Organizr’s cookie, so auth.php can’t authorise the reauth plugin, right?

I wouldn’t mind trying this out myself if it works well, looks pretty neat and the plugin author’s response to your request makes me optimistic.

As best I can tell, not really understanding all of what I am looking at in the code. Yes.
Organizr has three authentication levels. You can assign the tabs to one, two, or all of them. They are Admin, User, and Guest. Guest is visible without log in so no checks needed. Things that are user or admin compare the current user’s cookie against their log in level and return a 200 if they are allowed to see a specific page as assigned and 401 if not.

That’s my interpretation anyway.

Agreed. He seemed to not be too concerned with how hard it would be to integrate. Would be nice to have a lot of my services authenticate this way since Organizr is behind HTTPS already and I’ll save some hassle.
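
Added example, not part of any post in this thread and not Organizr or caddy-reauth code: a minimal sketch of the sub-request check discussed above, where the proxy asks an auth endpoint for 200 or 401 before serving a protected path, and why the visitor's cookie has to be passed through. The session table, the cookie name `session`, the `level` query parameter and the function names are all hypothetical stand-ins.

```python
# Added example: constructed stand-ins, not Organizr or caddy-reauth code.
import threading
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical session table, cookie name and "level" query parameter.
SESSIONS = {"tok-admin": "admin", "tok-user": "user"}
RANK = {"guest": 0, "user": 1, "admin": 2}

class AuthHandler(BaseHTTPRequestHandler):
    """Auth endpoint: 200 if the cookie's level covers ?level=, else 401."""
    def do_GET(self):
        required = self.path.partition("level=")[2] or "admin"
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        token = cookie["session"].value if "session" in cookie else None
        have = SESSIONS.get(token, "guest")        # no/unknown cookie = guest
        ok = RANK.get(required, 99) <= RANK[have]  # unknown level is denied
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_auth_server():
    """Start the stand-in auth endpoint on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def gate(auth_url, client_headers, forward_cookie=True):
    """Proxy-side check made before serving a protected path.
    Returns the status the client would see: 200 (serve) or 401 (deny)."""
    req = urllib.request.Request(auth_url)
    if forward_cookie and "Cookie" in client_headers:
        req.add_header("Cookie", client_headers["Cookie"])
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return 200 if resp.status == 200 else 401
    except OSError:  # 401 from auth, or auth unreachable: fail closed
        return 401

if __name__ == "__main__":
    srv = start_auth_server()
    url = "http://127.0.0.1:%d/auth?level=user" % srv.server_address[1]
    user = {"Cookie": "session=tok-user"}
    print(gate(url, user), gate(url, user, forward_cookie=False))
    srv.shutdown()
```

With the cookie dropped, the auth endpoint sees every visitor as a guest, so a logged-in user is denied; an unreachable auth endpoint is also treated as a denial rather than an allow.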

For anyone looking: this now works with http.reauth thanks to freman modifying it to do what Organizr expected. Check the http.reauth git closed issues for details.

Ref. First Question! Local PHP Auth · Issue #1 · freman/caddy-reauth · GitHub

Very cool.
