Wayne Hayes
7eefac0224
The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
36 lines
1.7 KiB
Plaintext
36 lines
1.7 KiB
Plaintext
# Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
|
|
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
|
|
# This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the
|
|
# Authelia node's MagicDNS name (currently `agrajag`).
|
|
#
|
|
# Two deliberate differences from a vanilla Authelia example, to match this host:
|
|
# - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
|
|
# vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via
|
|
# the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).
|
|
# NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by
|
|
# accounturi — this Caddy's LE account must be listed there or issuance 403s
|
|
# ("CAA record prevents issuance"). Stalwart's account + this Caddy's account
|
|
# are both allowlisted.
|
|
# - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy
|
|
# /api/verify?rd=... is deprecated; the portal redirect comes from
|
|
# `authelia_url` in configuration.yml, so no ?rd= query is needed.
|
|
|
|
# 1) The Authelia portal itself (access_control marks it `bypass`).
|
|
auth.infinidim.net {
|
|
reverse_proxy agrajag.tail7b1641.ts.net:9091
|
|
}
|
|
|
|
# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
|
|
(authelia) {
|
|
forward_auth agrajag.tail7b1641.ts.net:9091 {
|
|
uri /api/authz/forward-auth
|
|
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
|
}
|
|
}
|
|
|
|
# 3) Example protected service: gate it behind Authelia, then proxy the backend.
|
|
# secure-app.infinidim.net {
|
|
# import authelia
|
|
# reverse_proxy some-backend.tail7b1641.ts.net:8080
|
|
# }
|