I managed to get it working
docker-compose.yml
labels:
caddy: "*.$DOMAIN, $DOMAIN"
caddy.@whoami: "host whoami.$DOMAIN"
caddy.handle: "@whoami"
caddy.handle.import: auth
caddy.handle.reverse_proxy: "{{upstreams}}"
Caddyfile
(auth) {
# always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* http://authentik_server:9000 {
header_up Host {http.reverse_proxy.upstream.hostport}
}
# forward authentication to outpost
forward_auth http://authentik_server:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges
}
}
*.$DOMAIN, $DOMAIN {
tls {
dns cloudflare $CF_API_KEY
}
@home host $DOMAIN
handle @home {
reverse_proxy homepage:3000
}
}
It may not be the most elegant way, but I can choose if I want a service to have Auth or not in my docker compose file by using
caddy.handle.import: auth