
Error not found when I set up forward_auth (single application) with Caddy #12930

Open
@Marcus1Pierce

Description


Describe your question
I created a provider using the wizard.

  • Under Application Details:
    Name: Mailu
    Slug: mailu
  • Under Provider Type, I chose Forward Auth (Single Application)
  • Under Provider Configuration:
    Name: Mailu
    Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
    External host: https://app.domain.tld

For example, the Authentik domain is https://sso.domain.tld.
The problem I encountered is that if I follow the example from Authentik at https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_caddy, I always get an error. Here is an example of the configuration that gives the error:

app.domain.tld {
    # directive execution order is only as stated if enclosed with route.
    route {
        # always forward outpost path to actual outpost
        reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }

        # forward authentication to outpost
        forward_auth http://authentik:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # capitalization of the headers is important, otherwise they will be empty
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # optional, in this config trust all private ranges, should probably be set to the outposts IP
            trusted_proxies private_ranges
        }

        # actual site configuration below, for example
        reverse_proxy 100.111.126.34:8080
    }
}

And here is an example of the configuration that I edited and with which I succeeded in logging in:

app.domain.tld {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* https://sso.domain.tld {
        header_up Host {http.reverse_proxy.upstream.hostport}
    }

    # forward authentication to outpost
    forward_auth http://authentik-server:9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }

    # actual site configuration below, for example
    reverse_proxy 100.111.126.34:8080
}

I deleted the route and everything ran normally. But I'm not sure if there will be any security issues or not after deleting that route.

Relevant info
Maybe this is relevant. I set up authentik with caddy docker with the following config:

sso.domain.tld {
        reverse_proxy authentik-server:9000

        header {
                Strict-Transport-Security "max-age=63072000"
        }
}

Screenshots
Here's a screenshot when the error occurred.

Version and Deployment (please complete the following information):

  • authentik version: ghcr.io/goauthentik/server:2024.10.5
  • Deployment: docker-compose

Additional context
Is there a setup that is missing or is there additional information that I need to add? And for additional information, please let me know how to obtain it.
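The question above asks whether dropping the route wrapper weakens the forward_auth gate. Rather than reasoning about Caddy's directive ordering, the deployment can be verified from the outside: an anonymous request to the protected app must never reach the upstream, an anonymous request carrying forged X-Authentik-* headers must be treated exactly the same, and the outpost's own path must still be reachable so the login flow can complete. The script below is an added example written for this page; it is not code from the issue author or from the authentik project. It assumes the host names from the post (https://app.domain.tld and sso.domain.tld), assumes the outpost serves a start endpoint under /outpost.goauthentik.io/ (the path prefix is taken from the Caddyfiles above; the exact /start endpoint is an assumption), and reports a gateway error separately because the two Caddyfiles in the post differ not only in the route wrapper but also in the forward_auth upstream name (authentik versus authentik-server), which is the kind of mistake that surfaces as a 5xx rather than as a clean denial.

```python
"""Post-deployment check for a Caddy forward_auth gate in front of an app.

Added example for this issue page (not authentik's or the author's code).
Assumptions: app host app.domain.tld, SSO host sso.domain.tld, and an outpost
start endpoint at /outpost.goauthentik.io/start.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetch function returns (status, response_headers) and must NOT follow redirects,
# because the redirect to the SSO host is exactly what we want to observe.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]

OUTPOST_PREFIX = "/outpost.goauthentik.io/"  # path prefix from the Caddyfiles in the post
# Constructed header set: identity headers a client might send on its own. With a
# working gate these must make no difference to an unauthenticated request.
FORGED_IDENTITY = {"X-Authentik-Username": "someone", "X-Authentik-Groups": "admins"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def evaluate_unauthenticated(status: int, headers: Dict[str, str], sso_host: str) -> Tuple[bool, str]:
    """An anonymous request to a protected path must never be answered by the app (2xx).

    Acceptable outcomes are a redirect to the SSO host or an explicit 401/403."""
    location = _header(headers, "Location")
    if status in (301, 302, 303, 307, 308) and sso_host in location:
        return True, f"redirected to SSO ({location})"
    if status in (401, 403):
        return True, f"denied with {status}"
    if 200 <= status < 300:
        return False, f"app answered {status} to an unauthenticated request: forward_auth is not gating this path"
    if status >= 500:
        return False, f"gateway error {status}: check the forward_auth upstream name and that the outpost is reachable"
    return False, f"unexpected status {status}"


def evaluate_outpost_path(status: int) -> Tuple[bool, str]:
    """The outpost's own endpoints must be reachable or the login flow cannot complete."""
    if status == 404 or status >= 500:
        return False, f"outpost path returned {status}: outpost traffic is not reaching authentik"
    return True, f"outpost path reachable ({status})"


def run_checks(app_url: str, sso_host: str, fetch: Fetch) -> Dict[str, Tuple[bool, str]]:
    """Run the three probes through an injectable fetch function and collect verdicts."""
    results: Dict[str, Tuple[bool, str]] = {}
    status, headers = fetch(app_url + "/", {})
    results["anonymous_denied"] = evaluate_unauthenticated(status, headers, sso_host)
    status, headers = fetch(app_url + "/", dict(FORGED_IDENTITY))
    results["forged_headers_denied"] = evaluate_unauthenticated(status, headers, sso_host)
    status, _ = fetch(app_url + OUTPOST_PREFIX + "start", {})
    results["outpost_reachable"] = evaluate_outpost_path(status)
    return results


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn redirects into HTTPError so the caller sees the 3xx and its Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Real HTTP GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


if __name__ == "__main__":
    app = sys.argv[1] if len(sys.argv) > 1 else "https://app.domain.tld"
    sso = sys.argv[2] if len(sys.argv) > 2 else "sso.domain.tld"
    all_ok = True
    for name, (passed, detail) in run_checks(app, sso, http_fetch).items():
        print(f"[{'PASS' if passed else 'FAIL'}] {name}: {detail}")
        all_ok = all_ok and passed
    sys.exit(0 if all_ok else 1)
```

Run it as `python check_gate.py https://app.domain.tld sso.domain.tld` after any Caddyfile change; all three lines should read PASS whether or not the route wrapper is present. The fetch function is injected so the verdict logic can also be exercised against recorded responses without a live deployment.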
