Caddy Server Authentication

Using the Organizr authorization API

Using Caddy and the reauth plugin you can accomplish the same using the following block:

reauth {
    path /sonarr   # location that requires reauth
    # path /glances   # other directories can be listed
    #
    # if someone is not authorized for a page, send them here instead
    failure redirect target=https://<your_domain>/
    
    upstream url=https://<your_domain>/api/v2/auth/<group_id>,cookies=true
}

Using OAuth / JWT tokens

Here is a sample Caddy directive using caddy-jwt to protect a path using the Organizr token:

jwt {
    # Name of the path to protect
    path /protected
    
    # Allow / deny based on JWT claims
    allow group Admin
    allow group User
    
    # Where to redirect in case the token is invalid or the claims are denied
    redirect /
    
    # Where to read the token from
    token_source cookie organizr_token_62d9e46e-cdad-4726-9db7-e25b85397f57
    
    # Path to the secret used to validate the token
    secret /etc/myprecious.txt
}

The secret used to validate the token must be passed to Caddy either as an environment variable named JWT_SECRET or in a file, specified with the secret configuration option.

Note that the http.jwt plugin is not installed in default Caddy builds.

You should not protect the / Organizr root path. Organizr handles it on its own.

Using JWT tokens

For Caddy v2, the caddy-security authorize plugin offers all the functionality required for server authentication.

Note that the caddy-security plugin is not installed in default Caddy builds.

An example Caddy v2 Caddyfile using caddy-security for authentication:

security { 
    authorization policy admin {
        
        set auth url https://mydomain.com/auth
        crypto key token name organizr_token_uuid
        crypto key verify organizrHash
        set token sources cookie
        validate bearer header

        # Log any admin
        acl rule {
            match iss Organizr
            match role Admin
            allow stop log info
        }

        # Log any denied 
        acl rule {
            match iss any
            deny log warn
        }
    }

    authorization policy user {
        
        set auth url https://mydomain.com/auth
        crypto key token name organizr_token_uuid
        crypto key verify organizrHash
        set token sources cookie
        validate bearer header

        # Log any admin/user
        acl rule {
            match iss Organizr
            match role Admin User
            allow stop log info
        }

        # Log any denied 
        acl rule {
            match iss any
            deny log warn
        }
    }
}

mydomain.com {
    root * C:\Caddy\www\organizr\html
    php_fastcgi localhost:9000
    rewrite /api/v2/* /api/v2/index.php?{query}
    file_server

    # Subdirectory authentication
    route /calibre/* {
        uri strip_prefix /calibre
        authorize with user
        reverse_proxy localhost:9900
    }
}

# Subdomain authentication
tautulli.mydomain.com {
    route {
        authorize with admin
        reverse_proxy localhost:8181
    } 
}
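The two policies above let a request through only when the token in the Organizr cookie verifies against the shared key and carries a matching role; everything else hits the catch-all deny rule. The following Python model of that decision is an added example, not code from Organizr or caddy-security. It assumes an HS256-signed token carrying iss, role and exp claims (the page only names iss and role), a constructed secret, and a placeholder cookie name standing in for organizr_token_<uuid>.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins: the shared secret behind "crypto key verify" and the cookie name.
SECRET = b"example-shared-secret"
COOKIE_NAME = "organizr_token_uuid"  # stands in for organizr_token_<uuid>

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT from claims (test data only, not Organizr's issuer code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg=none or any algorithm other than the configured one
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or tampered token
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    if "exp" in claims and claims["exp"] < time.time():
        return None  # expired token
    return claims

def authorize(cookie_header: str, allowed_roles: set, secret: bytes = SECRET) -> str:
    """One policy: first acl rule allows a matching Organizr role, the catch-all denies the rest."""
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    claims = verify_token(cookies.get(COOKIE_NAME, ""), secret)
    if claims is None or claims.get("iss") != "Organizr":
        return "deny"  # unverifiable token or wrong issuer: "match iss any -> deny"
    roles = claims.get("role", [])
    roles = {roles} if isinstance(roles, str) else set(roles)
    return "allow" if roles & allowed_roles else "deny"
```

Call authorize with {"Admin"} to model the admin policy and {"Admin", "User"} for the user policy; the same token is accepted by one and rejected by the other exactly as the two ACL blocks specify.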

Last updated 3 years ago

Links:
  • caddy-jwt GitHub: BTBurke/caddy-jwt, JWT middleware for the Caddy server
  • caddy-security GitHub: greenpau/caddy-security, Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.) and SAML authentication; MFA/2FA with app authenticators and Yubico; authorization with JWT/PASETO tokens.
  • Caddy Security Authorize Docs: Authorize Plugin Overview | Caddy Security