Hello fellow selfhoster! On my Debian server I use Caddy as a reverse proxy, and I would like to protect some services and files with a password. I would like, however, to be able to access some protected files programmatically, from a script. Using Caddy’s built-in basic_auth works as intended, but I’d like to be able to use a login form instead of just a browser prompt. This is AFAIK not possible, so I’m looking for alternatives. Any idea?

  • tubbadu@lemmy.kde.social (OP) · 2 upvotes · 3 days ago

    I already looked into Authelia, and the “problem” I encountered is that it does not support “named policies” (I don’t know the actual name): what I mean is to be able to create “only_admin_policy”, “only_registered_users_policy”, etc., and then in Caddy to be able to say something like this:

    service1.website.com {
        reverse_proxy container1:1234
        apply_policy only_admin_policy
    }
    service2.website.com {
        reverse_proxy container2:1234
        apply_policy only_registered_users_policy
    }
    service3.website.com {
        reverse_proxy container3:1234
    }

    Instead, if I understood correctly (and I would gladly be proved wrong), this is not possible with Authelia, as these policies have to be specified inside Authelia, so I would have two different configurations in two different places instead of having everything in the Caddyfile.

    I hope I explained well what I mean

    thanks for the help!

    • _cryptagion [he/him]@lemmy.dbzer0.com · 3 upvotes · 2 days ago

      Yes, it can do that, assuming you are using LDAP or have set up users/groups in the Authelia config. You don’t need to set it up in the Caddyfile though; you can handle everything from Authelia’s end. For example, here is a typical protected item from my Caddyfile.

      # this is a bit of code at the top that I use for every protected item, and call it each time to save space
      (protected) {
          tls /ssl/home-cert.pem /ssl/home-key.pem
          forward_auth :4100 {
              uri /api/verify?rd=https://auth.myurl.xyz/
              copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
              header_up Host {upstream_hostport}
          }
          encode gzip
      }

      # UptimeKuma
      uptime.myurl.xyz {
          # now to call the code above for this item
          import protected *
          reverse_proxy :4000
      }

      That’s all I need in my Caddyfile, just the bits that forward the information about the user to each site to log them in. I can then handle all the auth rules, like saying which sites are only for admins or users, in the Authelia config. Since I use LDAP, I can set up the groups in that, then just specify which sites are DENY or TWO_FACTOR for each group in the Authelia config. Or even in the apps themselves, if they support LDAP like Jellyfin and Forgejo.
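How the OP’s “named policies” map onto Authelia’s access_control rules, as an added example that is neither commenter’s configuration: the three domains are the OP’s, the group names `admins` and `users`, the file-backend path and the sample user are constructed, and the password hash is a placeholder.

```yaml
# configuration.yml (Authelia) -- added example, not from the thread.
# Each rule plays the role of one of the OP's "named policies". Rules are
# evaluated top to bottom and the first match wins, so anything not listed
# falls through to default_policy and is denied at the forward_auth step.
access_control:
  default_policy: deny
  rules:
    # "only_admin_policy": 2FA plus membership in the (constructed) group admins
    - domain: service1.website.com
      policy: two_factor
      subject:
        - "group:admins"
    # "only_registered_users_policy": any member of the (constructed) group users
    - domain: service2.website.com
      policy: one_factor
      subject:
        - "group:users"
    # service3 is public: Authelia lets the request through without login
    - domain: service3.website.com
      policy: bypass

# Without LDAP, group membership comes from the file backend referenced here
# (path is an assumption for this example).
authentication_backend:
  file:
    path: /config/users_database.yml

---
# users_database.yml (a separate file) -- constructed sample user. The password
# field holds an argon2id hash produced by `authelia crypto hash generate`;
# a placeholder stands in for it here.
users:
  alice:
    displayname: "Alice"
    password: "<ARGON2ID_HASH_PLACEHOLDER>"
    email: alice@example.com
    groups:
      - admins
      - users
```

A user in `users` but not `admins` is authenticated but still gets a 403 on service1, because no rule matches and default_policy applies; the Caddyfile side stays the unchanged forward_auth block shown in the reply above.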