Trouble with Caddyfile's configuration and Authelia

1. The problem I’m having:

(Sorry for my English)

I'm trying to set up Authelia with Caddy, but my Caddy container keeps crashing when I import the Authelia configuration into my Caddyfile.

  • Caddy is working great (without Authelia).
  • Authelia is working correctly (I can reach it and set things up).

2. Error messages and/or full log output:

date stream content
2023/12/21 11:41:25 stderr Error: adapting config using caddyfile: parsing caddyfile tokens for ‘forward_auth’: the ‘uri’ subdirective is required, at :0

(this is the only log I get before caddy crashes and restarts)

3. Caddy version:

Caddy V2.7.6

4. How I installed and ran Caddy:

a. System environment:

Docker-compose on a synology NAS 420+

c. Service/unit/compose file:

version: '3.9'
services:

  caddy:
    image: 'caddy:latest'
    container_name: caddy
    ports:
      - "6007:80"
      - "6006:443"
    volumes:
      - '/volume1/docker/caddy/caddy:/etc/caddy' # Caddyfile
      - '/volume1/docker/caddy/cert:/etc/ssl/custcerts' # my own certs
      - '/var/run/docker.sock:/var/run/docker.sock'
      - caddy_certs:/etc/ssl/certs # so the certificate is not regenerated every time Caddy restarts
    restart: unless-stopped
    network_mode: bridge
  
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - '/volume1/docker/authelia:/config'
    restart: unless-stopped
    ports: 
      - 9091:9091
    environment:
      - TZ=Europe/Zurich
    network_mode: bridge

volumes:
  caddy_certs:

d. My complete Caddy config:

{
    email myemail@gmail.com
}

(trusted_proxy_list) {
    trusted_proxies 192.168.0.0/24
}

	
auth.sine-fatum.com {
    reverse_proxy 192.168.0.200:9091 {
        import trusted_proxy_list
    }
}

# Protected Endpoint.
ytdl.sine-fatum.com {
    forward_auth 192.168.0.200:9091 {
        uri /api/verify?rd=https://auth.sine-fatum.com/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email

        ## This import needs to be included if you're relying on a trusted proxies configuration.
        import trusted_proxy_list
    }
    reverse_proxy 192.168.0.200:6021 {
        ## This import needs to be included if you're relying on a trusted proxies configuration.
        import trusted_proxy_list
    }
}

# a host with custom certificates
host1.sine-fatum.com {
    tls /etc/ssl/custcerts/mycustomcert.crt /etc/ssl/custcerts/mycustomkey.key
    reverse_proxy 192.168.0.200:6009
}

# another host
host2.sine-fatum.com {
    reverse_proxy 192.168.0.200:6008
}

Deleting the “ytdl.sine-fatum.com {}” block avoids the crash and makes host1.sine-fatum.com and host2.sine-fatum.com work again.

5. Links to relevant resources:

I used this to help me:

That exact config adapts just fine for me:

$ caddy adapt
{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"match":[{"host":["host1.sine-fatum.com"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.200:6009"}]}]}]}],"terminal":true},{"match":[{"host":["host2.sine-fatum.com"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.200:6008"}]}]}]}],"terminal":true},{"match":[{"host":["auth.sine-fatum.com"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","trusted_proxies":["192.168.0.0/24"],"upstreams":[{"dial":"192.168.0.200:9091"}]}]}]}],"terminal":true},{"match":[{"host":["ytdl.sine-fatum.com"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handle_response":[{"match":{"status_code":[2]},"routes":[{"handle":[{"handler":"headers","request":{"set":{"Remote-Email":["{http.reverse_proxy.header.Remote-Email}"],"Remote-Groups":["{http.reverse_proxy.header.Remote-Groups}"],"Remote-Name":["{http.reverse_proxy.header.Remote-Name}"],"Remote-User":["{http.reverse_proxy.header.Remote-User}"]}}}]}]}],"handler":"reverse_proxy","headers":{"request":{"set":{"X-Forwarded-Method":["{http.request.method}"],"X-Forwarded-Uri":["{http.request.uri}"]}}},"rewrite":{"method":"GET","uri":"/api/verify?rd=https://auth.sine-fatum.com/"},"trusted_proxies":["192.168.0.0/24"],"upstreams":[{"dial":"192.168.0.200:9091"}]},{"handler":"reverse_proxy","trusted_proxies":["192.168.0.0/24"],"upstreams":[{"dial":"192.168.0.200:6021"}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["host1.sine-fatum.com"]},"certificate_selection":{"any_tag":["cert0"]}},{}]}}},"tls":{"certificates":{"load_files":[{"certificate":"/etc/ssl/custcerts/mycustomcert.crt","key":"/etc/ssl/custcerts/mycustomkey.key","tags":["cert0"]}]},"automation":{"policies":[{"subjects":["host1.sine-fatum.com","host2.sine-fatum.com","auth.sine-fatum.com","ytdl.sine-fatum.com"],"issuers":[{"email":"myemail@gmail.com","module":"acme"},{"email":"myemail@gmail.com","module":"zerossl"}]}]}}}}

Are you sure this is exactly the config you tried? If you edited to post it to the forums, you might have inadvertently fixed it.

Anyway. You can make a significant simplification to your config. Move trusted proxies to global options.

{
	email myemail@gmail.com
	servers {
		trusted_proxies static 192.168.0.0/24
	}
}
	
auth.sine-fatum.com {
	reverse_proxy 192.168.0.200:9091
}

ytdl.sine-fatum.com {
	forward_auth 192.168.0.200:9091 {
		uri /api/verify?rd=https://auth.sine-fatum.com/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
	reverse_proxy 192.168.0.200:6021
}

host1.sine-fatum.com {
	tls /etc/ssl/custcerts/mycustomcert.crt /etc/ssl/custcerts/mycustomkey.key
	reverse_proxy 192.168.0.200:6009
}

host2.sine-fatum.com {
	reverse_proxy 192.168.0.200:6008
}
1 Like
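As an added illustration (not code from this thread, from Caddy or from Authelia), here is a small Python model of the forward_auth exchange that the adapted JSON in the reply above spells out: the rewrite of the incoming request to GET /api/verify, the X-Forwarded-Method and X-Forwarded-Uri headers, the 2xx gate, the copy_headers step, and the trusted_proxies rule that decides whether X-Forwarded-For is believed. The fake Authelia and app backends, the session table and the sample requests are constructed for the example; the way the model strips any client-supplied Remote-* headers before copying the verified ones is this example's own simplification of Caddy's header handling, not a statement about Caddy internals.

```python
"""Model of the forward_auth flow from the thread's Caddyfile (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Values taken from the Caddyfile posted in the thread.
AUTH_UPSTREAM = "192.168.0.200:9091"
APP_UPSTREAM = "192.168.0.200:6021"
VERIFY_URI = "/api/verify?rd=https://auth.sine-fatum.com/"
COPY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email")
TRUSTED_PROXIES = [ip_network("192.168.0.0/24")]  # "trusted_proxies static 192.168.0.0/24"


@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    peer_ip: str  # address of the TCP peer that connected to Caddy


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def client_ip(req: Request) -> str:
    """X-Forwarded-For is only honoured when the peer is inside trusted_proxies.

    Otherwise any client could forge its own source address just by sending the header.
    """
    if any(ip_address(req.peer_ip) in net for net in TRUSTED_PROXIES):
        xff = req.headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()
    return req.peer_ip


def forward_auth(req: Request, auth_backend, app_backend) -> Response:
    """The ytdl.sine-fatum.com site block: forward_auth gate, then reverse_proxy."""
    # 1. rewrite: method GET, uri VERIFY_URI, plus the X-Forwarded-* headers
    #    (this is the "rewrite" and "headers" part of the adapted JSON).
    verify = Request("GET", VERIFY_URI, dict(req.headers), req.peer_ip)
    verify.headers["X-Forwarded-Method"] = req.method
    verify.headers["X-Forwarded-Uri"] = req.uri
    auth_resp = auth_backend(verify)
    # 2. handle_response: only a 2xx from the auth server lets the request through;
    #    anything else (typically a 302 to the portal) is returned to the client.
    if not 200 <= auth_resp.status < 300:
        return auth_resp
    # 3. copy_headers: identity headers come from the auth server's response.
    #    Simplification for this model: drop whatever the client sent under those
    #    names first, so a forged Remote-User can never reach the application.
    upstream = Request(req.method, req.uri, dict(req.headers), req.peer_ip)
    for name in COPY_HEADERS:
        upstream.headers.pop(name, None)
        if name in auth_resp.headers:
            upstream.headers[name] = auth_resp.headers[name]
    return app_backend(upstream)


# Constructed session table standing in for Authelia's session store.
SESSIONS = {
    "good-cookie": {"Remote-User": "alice", "Remote-Groups": "admins",
                    "Remote-Name": "Alice", "Remote-Email": "alice@example.invalid"},
}


def fake_authelia(req: Request) -> Response:
    """Constructed stand-in for Authelia's /api/verify endpoint."""
    if req.method != "GET" or req.uri != VERIFY_URI:
        raise ValueError("verify request was not rewritten as expected")
    if "X-Forwarded-Method" not in req.headers or "X-Forwarded-Uri" not in req.headers:
        raise ValueError("forwarded request context is missing")
    session = SESSIONS.get(req.headers.get("Cookie"))
    if session is None:
        # No valid session: send the browser to the portal named in rd=.
        return Response(302, {"Location": "https://auth.sine-fatum.com/"})
    return Response(200, dict(session))


def fake_app(req: Request) -> Response:
    """Constructed stand-in for the service on 192.168.0.200:6021."""
    user = req.headers.get("Remote-User", "<none>")
    return Response(200, {}, f"hello {user} via {req.method} {req.uri}")


def handle(req: Request) -> Response:
    return forward_auth(req, fake_authelia, fake_app)


if __name__ == "__main__":
    anon = Request("GET", "/videos", {"Remote-User": "bob"}, "192.168.0.5")
    print(handle(anon))  # 302 to the portal; the forged Remote-User never reaches the app
    authed = Request("POST", "/videos", {"Cookie": "good-cookie", "Remote-User": "bob"}, "192.168.0.5")
    print(handle(authed))  # 200, app greets alice, not bob
```

Run it as-is to see the two outcomes: a request without a session is redirected to the portal named in the rd= parameter, and an authenticated request reaches the app with the identity headers that Authelia returned, regardless of what the client put in them.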

Thank you for your really quick answer.

This is totally my fault and you're correct. I'm very sorry!

I was testing, from the beginning, the wrong file, which had a typo in it, while working on the code you saw in my post. :sleepy:

I tried with the code from my own post and it worked.
I also adapted it with your changes and it still works.

Sorry for wasting your time and thank you again!

1 Like

No worries, here to help :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.