wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

authelia: sync caddy-forward-auth snippet to deployed reality

Browse Source 
The portal vhost + forward-auth are now live on the main box Caddy. Align
the template with what was actually deployed:

- upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS
  name), replacing the majikthise placeholder
- drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS
  (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443
  SNI fan-out (tls-alpn-01) + :80 (http-01)
- forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the
  Authelia 4.39 path; portal redirect comes from authelia_url in the yml
- note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this
  Caddy's LE account is allowlisted (now done alongside Stalwart's)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Wayne Hayes 2026-06-13 02:24:59 +01:00
parent ddf00fbf90
commit 7eefac0224
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
authelia/caddy-forward-auth.snippet
View File

@ -1,19 +1,29 @@
# Add to the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7, # Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth. # so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
# Replace majikthise with your AUTHELIA_MAGIC_NAME. # This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the
# Authelia node's MagicDNS name (currently `agrajag`).
#
# Two deliberate differences from a vanilla Authelia example, to match this host:
# - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
# vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via
# the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).
# NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by
# accounturi — this Caddy's LE account must be listed there or issuance 403s
# ("CAA record prevents issuance"). Stalwart's account + this Caddy's account
# are both allowlisted.
# - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy
# /api/verify?rd=... is deprecated; the portal redirect comes from
# `authelia_url` in configuration.yml, so no ?rd= query is needed.
# 1) The Authelia portal itself. # 1) The Authelia portal itself (access_control marks it `bypass`).
auth.infinidim.net { auth.infinidim.net {
import common_log reverse_proxy agrajag.tail7b1641.ts.net:9091
reverse_proxy majikthise.tail7b1641.ts.net:9091
tls /etc/caddy/certs/auth.infinidim.net/fullchain.pem \
/etc/caddy/certs/auth.infinidim.net/privkey.pem
} }
# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on. # 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
(authelia) { (authelia) {
forward_auth majikthise.tail7b1641.ts.net:9091 { forward_auth agrajag.tail7b1641.ts.net:9091 {
uri /api/verify?rd=https://auth.infinidim.net uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
} }
} }
@ -22,6 +32,4 @@ auth.infinidim.net {
# secure-app.infinidim.net { # secure-app.infinidim.net {
# import authelia # import authelia
# reverse_proxy some-backend.tail7b1641.ts.net:8080 # reverse_proxy some-backend.tail7b1641.ts.net:8080
# tls /etc/caddy/certs/secure-app.infinidim.net/fullchain.pem \
# /etc/caddy/certs/secure-app.infinidim.net/privkey.pem
# } # }