Setup Authentik with Caddy

Hey everybody,

1. The problem I’m having:

I'm trying to set up authentik with forward auth according to the manuals of authentik (Manual). But unfortunately I am redirected to the local https URL of my authentik server.

2. Error messages and/or full log output:

curl -vL myurl

<removed DNS stuff>
* Connection #0 to host <<myurl>> left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: '<<myurl>>'
* Host <<myurl>>:443 was resolved.
* IPv6: 2606:4700:3037::6815:484f, 2606:4700:3030::ac43:b188
* IPv4: 104.21.72.79, 172.67.177.136
*   Trying [2606:4700:3037::6815:484f]:443...
* Connected to <<myurl>>(2606:4700:3037::6815:484f) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: <<myurl>>
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 302 Found
< Date: Wed, 11 Dec 2024 09:36:09 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< alt-svc: h3=":443"; ma=86400
< location: https://10.0.0.120:9444/application/o/authorize/?client_id=S41I9BDkE3liCCKoqd10m9tpZMnLsUQeASPqOVLs&redirect_uri=https%3A%2F%2F<<myurl>>%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+groups+profile+openid&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L1M0MUk5QkRrRTNsaUNDS29xZDEwbTl0cFpNbkxzVVFlQVNQcU9WTHMiLCJzaWQiOiIzVU9MM1E3TlhON1FMVVhOVEdRUDJDQ1FTWExSRVJNWlYyNDJTSUhaVTQyV0lKQlZZN1dRIiwic3RhdGUiOiJPTHJhZ0JYb1gyWDl4V21yQklpRndHdjhyLWFPQTVUY242dm9BYmlIUjJJIiwicmVkaXJlY3QiOiJodHRwczovL2dweC5mYW0td3Vlc3QuZGUvIn0.Pl3jZfACdtgEtQ2QO8anjgOiPw7b1wj9g6__UHuLGcI
< Set-Cookie: authentik_proxy_S41I9BDk=3UOL3Q7NXN7QLUXNTGQP2CCQSXLRERMZV242SIHZU42WIJBVY7WQ; Path=/; Expires=Thu, 12 Dec 2024 09:36:10 GMT; Max-Age=86401; HttpOnly; Secure; SameSite=Lax
< vary: Accept-Encoding
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxnTSREt%2BwbiXNCNQ4Yk1aGEkvmiAGuWFuO5TJtovVuI7nUU0eNUgwidnZ6934POgVw8uSnjpqqUYFlBfHwGoPqzReRPvFczF%2FRXre5K%2BKuV2zTFsViwtle9kc2GJludGhuZhDPf75fL%2BTVgbINX"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 8f047d1948760404-FRA
< server-timing: cfL4;desc="?proto=TCP&rtt=12517&min_rtt=12433&rtt_var=4831&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3131&recv_bytes=478&delivery_rate=289746&cwnd=252&unsent_bytes=0&cid=0264eb2226bb7044&ts=79&x=0"
* Ignoring the response-body
<
* Connection #1 to host <<myurl>> left intact
* Clear auth, redirects to port from 443 to 9444
* Issue another request to this URL: 'https://10.0.0.120:9444/application/o/authorize/?client_id=S41I9BDkE3liCCKoqd10m9tpZMnLsUQeASPqOVLs&redirect_uri=https%3A%2F%2F<<myurl>>%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+groups+profile+openid&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L1M0MUk5QkRrRTNsaUNDS29xZDEwbTl0cFpNbkxzVVFlQVNQcU9WTHMiLCJzaWQiOiIzVU9MM1E3TlhON1FMVVhOVEdRUDJDQ1FTWExSRVJNWlYyNDJTSUhaVTQyV0lKQlZZN1dRIiwic3RhdGUiOiJPTHJhZ0JYb1gyWDl4V21yQklpRndHdjhyLWFPQTVUY242dm9BYmlIUjJJIiwicmVkaXJlY3QiOiJodHRwczovL2dweC5mYW0td3Vlc3QuZGUvIn0.Pl3jZfACdtgEtQ2QO8anjgOiPw7b1wj9g6__UHuLGcI'
*   Trying 10.0.0.120:9444...

3. Caddy version:

I'm currently running version 2.8.4

4. How I installed and ran Caddy:

Caddy is installed with apt on Ubuntu 22.04, while authentik is running in a container.

d. My complete Caddy config:

(authenticate) {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:9000

        # forward authentication to outpost
        forward_auth http://127.0.0.1:9000 {
                uri /outpost.goauthentik.io/auth/caddy

                # capitalization of the headers is important, otherwise they will be empty
                copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta>

                # optional, in this config trust all private ranges, should probably be set to the outposts IP
                trusted_proxies private_ranges
        }
}

<<myurl>> {
        import authenticate
        reverse_proxy 127.0.0.1:8098
}

<<authurl>> {
        reverse_proxy 127.0.0.1:9000
}


All URLs are using Cloudflare proxied DNS

5. Links to relevant resources:

For the authentik setup I used this tutorial: https://www.youtube.com/watch?v=ywQVe9ikcVI&t=104s

Thanks in advance!

Sorry for the delay, was taking some time off from the forums.

That seems like an Authentik configuration issue. You need to configure it to be aware of your public domain. Authentik is what’s issuing the redirect here, not Caddy.
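A check for the symptom seen in this thread, as an added example that is not part of the original posts: it parses the `Location` header of the outpost's 302 and reports when the authorize endpoint (or the callback) points at a host that is only reachable inside the LAN. The function names, the `example.com` hosts and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

def is_internal_host(host: str) -> bool:
    """True for private/loopback/link-local IP literals and for names
    that only resolve inside a LAN (single-label or internal suffixes)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.rstrip(".").lower()
        return "." not in name or name.endswith((".local", ".internal", ".lan"))
    return ip.is_private or ip.is_loopback or ip.is_link_local

def check_authorize_redirect(location: str) -> list[str]:
    """Return findings for the Location header of a forward-auth 302."""
    findings = []
    url = urlsplit(location)
    host = url.hostname or ""
    if host and is_internal_host(host):
        findings.append(
            f"authorize endpoint host {host!r} is internal: the identity "
            "provider is advertising its LAN address instead of its public domain"
        )
    if url.scheme and url.scheme != "https":
        findings.append(f"authorize endpoint uses {url.scheme!r}, not https")
    # parse_qs percent-decodes the value, so redirect_uri comes back as a plain URL.
    redirect_uri = parse_qs(url.query).get("redirect_uri", [""])[0]
    cb_host = urlsplit(redirect_uri).hostname or ""
    if cb_host and is_internal_host(cb_host):
        findings.append(f"redirect_uri host {cb_host!r} is internal")
    return findings

# Constructed sample headers (shape taken from the curl output above,
# client_id and hostnames replaced with placeholders).
QUERY = ("?client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example.com"
         "%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue"
         "&response_type=code")
BAD_LOCATION = "https://10.0.0.120:9444/application/o/authorize/" + QUERY
GOOD_LOCATION = "https://auth.example.com/application/o/authorize/" + QUERY

if __name__ == "__main__":
    for loc in (BAD_LOCATION, GOOD_LOCATION):
        issues = check_authorize_redirect(loc)
        print(urlsplit(loc).netloc, "->", issues or "ok")
```

An internal address in this header also discloses LAN addressing to every unauthenticated visitor, so the check is worth running after any change to the outpost or proxy configuration.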

Hi,
found the setting in the outpost of authentik.
Thank you very much and have a nice holiday.
