I am running Caddy as a reverse proxy inside Kubernetes (not as an ingress controller). I want my services to be able to connect to Caddy via http internally and Caddy should do the authentication for the remote endpoints.
I want to support 2 cases. One with api-key authentication (easily done by just adding the auth header) and one for 0auth (generally testing auth0.com). Auth0 auth should be done machine to machine, and not by the user. I want to support the usual secret key + access key credentials. The normal flow for this type of auth, is to authenticate using access key + secret key and then get a token which will be used for future calls.
My application handles the host header so that part is irrelevant. I do not need any help regarding Kubernetes. The Caddy configuration should be the same even if it’s running in a VM.
3. Caddy version:
v2.8.4
4. How I installed and ran Caddy:
Shouldn’t matter. My question relates strictly to configuration. But I am running it as a simple deployment on Kubernetes.
d. My complete Caddy config:
{
http_port 8080
auto_https off
log {
output stdout
}
}
:9999 {
handle / {
respond "OK"
}
}
http://apikey.internal-domain.com {
reverse_proxy https://api.domain.com {
header_up Host {upstream_hostport}
header_up api-key "MY_KEY"
}
}
http://auth0.api.internal-domain.com {
reverse_proxy https://api.domain.com {
header_up Host {upstream_hostport}
# I NEED HELP HERE
}
}
5. Links to relevant resources:
I noticed this plugin but it seems like this can be used only when I want the user to login and protect specific paths, and not as transparent proxy which does the authentication in the background.
Are you looking for forward_auth (Caddyfile directive) — Caddy Documentation ? This directive would let you forward the request to some upstream which can check the headers (cookies etc) to see if the request is allowed to proceed through the remaining Caddy routes (i.e. reverse_proxy).
For this, I guess Caddy would have to act independently as its own OIDC client on behalf of users? I’m pretty sure we have nothing like this built in to Caddy. You’d have to look at a plugin.
I have to admit this seems really strange to me, though. Why not simply turn off authentication for the API? Or disable that authentication for the Caddy IP?