1. The problem I’m having:
Dear All
I am using the Caddy plugin in OPNsense as a reverse proxy and would like to add forward auth. According to the OPNsense documentation, Authentik is supported. I use the Caddy-internal ACME for certs, and for Authentik I thought I could simply stay with the self-signed cert and somehow make Caddy accept it. When I access the reverse proxy URL, I get the error below. I have searched the documentation for OPNsense, Caddy and Authentik but could not find additional requirements for things like wildcard certificates etc.
2. Error messages and/or full log output:
"error","ts":"2024-12-20T06:09:38Z","logger":"http.log.error.log0","msg":"tls: failed to verify certificate: x509: certificate is valid for *, not s003.beuthen.net","request":{"remote_ip":"10.10.100.100","remote_port":"53841","client_ip":"10.10.100.100","proto":"HTTP/2.0","method":"GET","host":"audiobooks.beuthen.net:1443","uri":"/sw.js","headers":{"Accept-Encoding":["gzip, deflate, br"],"Cookie":["REDACTED"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Safari/605.1.15"],"Origin":["https://audiobooks.beuthen.net:1443"],"Accept":["*/*"],"Priority":["u=5, i"],"Referer":[""],"Service-Worker":["script"],"Accept-Language":["de-DE,de;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"audiobooks.beuthen.net"}},"duration":0.004089531,"status":502,"err_id":"bqkg1x29n","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
s003: internal hostname with self-signed cert, running Authentik on Docker
audiobooks: public DNS domain to expose the service (running on the same internal server as above) with a Let's Encrypt cert
3. Caddy version:
Actually, I do not know. It is the OPNsense os-caddy plugin 1.7.6.
4. How I installed and ran Caddy:
OPNsense plugin in Proxmox, connecting to Authentik on a remote NAS running Docker with Portainer
a. System environment:
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
```
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
# caddy_user=www

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}
	http_port 1080
	https_port 1443
	servers {
		protocols h1 h2 h3
	}
	email patric.beuthen@me.com
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

# Reverse Proxy Domain: "95bb2ca6-b136-4ff9-ad4c-0476f39eb1f8"
audiobooks.beuthen.net:1443 {
	log {
		output file /var/log/caddy/access/95bb2ca6-b136-4ff9-ad4c-0476f39eb1f8.log {
			roll_keep_for 10d
		}
	}
	handle {
		reverse_proxy /outpost.goauthentik.io/* https://s003.beuthen.net:9302 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
		forward_auth https://s003.beuthen.net:9302 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
		}
		reverse_proxy s003.beuthen.net:13378 {
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf
```
5. Links to relevant resources:
In Caddy | authentik I see an additional directive, trusted_proxies, but I do not know if that would help or where to put it in OPNsense, as OPNsense generates the Caddy file.
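The log line quoted above is Caddy verifying the upstream (Authentik) certificate and refusing it: the self-signed certificate presents a subject alternative name of literally `*`, which Go's x509 hostname check does not match against `s003.beuthen.net`, so every proxied request and every forward_auth check returns 502 before Authentik is even asked. `trusted_proxies` is unrelated: it controls which downstream proxies' X-Forwarded-* headers Caddy believes when deriving the client IP, not how Caddy validates upstream TLS. The upstream TLS behaviour is set per reverse_proxy via its `transport http` block, and forward_auth accepts the same subdirectives because it is a wrapper over reverse_proxy. The site block below is an added example written as a raw Caddyfile, not the OPNsense-generated file and not the poster's config; the certificate path `/usr/local/etc/caddy/certs/authentik.pem` is an assumed location for the exported Authentik certificate, and whether the OPNsense plugin's handler form exposes these transport settings directly, or whether they must go into a snippet under the `caddy.d/*.conf` import the generated file already performs, is not covered by this page. `tls_trust_pool` is the Caddy 2.8+ spelling; older releases used `tls_trusted_ca_certs`.

```caddyfile
# Added example (not the OPNsense-generated config).
# Assumed: /usr/local/etc/caddy/certs/authentik.pem holds the self-signed
# certificate (or the CA that issued it) exported from the Authentik host.
audiobooks.beuthen.net:1443 {
	handle {
		# Authentik outpost endpoints, proxied to the self-signed upstream.
		reverse_proxy /outpost.goauthentik.io/* https://s003.beuthen.net:9302 {
			header_up Host {http.reverse_proxy.upstream.hostport}
			transport http {
				# Trust the exported certificate explicitly instead of the
				# system store. Hostname verification still applies, so the
				# upstream cert must list s003.beuthen.net in its SAN; a SAN
				# of "*" (as in the log above) will keep failing until the
				# certificate is re-issued with a proper name.
				tls_trust_pool file /usr/local/etc/caddy/certs/authentik.pem
				tls_server_name s003.beuthen.net
			}
		}

		# forward_auth is an opinionated reverse_proxy, so the same transport
		# block is accepted here and is needed for the /auth/caddy check.
		forward_auth https://s003.beuthen.net:9302 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
			transport http {
				tls_trust_pool file /usr/local/etc/caddy/certs/authentik.pem
				tls_server_name s003.beuthen.net
			}
		}

		# The actual application; plain HTTP on the LAN, unchanged.
		reverse_proxy s003.beuthen.net:13378
	}
}
```

The quick alternative is `tls_insecure_skip_verify` in place of the two `tls_*` lines, which makes the `*` certificate work immediately, but it turns off all verification of the upstream: anything that can answer on the path to s003:9302 could then pose as the Authentik outpost, return a 2xx to the forward_auth check and supply its own X-Authentik-* headers, and Caddy would let the request through as authenticated. Pinning the exported certificate, or issuing the Authentik host a certificate with `s003.beuthen.net` in its SAN (from an internal CA, or from Caddy itself), keeps the check meaningful.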