Caddy Server Authentication
Caddy V1
Caddy V2

Using the Organizr authorization API

Using Caddy and the reauth plugin you can accomplish the same using the following block:
reauth {
    path /sonarr # location that requires reauth
    # path /glances # other directories can be listed
    #
    # if someone is not authorized for a page, send them here instead
    failure redirect target=https://<your_domain>/
    upstream url=https://<your_domain>/api/v2/auth/<group_id>,cookies=true
}

Using OAuth / JWT tokens

Here is a sample Caddy directive using caddy-jwt to protect a path using the Organizr token:
jwt {
    # Name of the path to protect
    path /protected
    # Allow / deny based on JWT claims
    allow group Admin
    allow group User
    # Where to redirect in case the token is invalid or the claims are denied
    redirect /
    # Where to read the token from
    token_source cookie organizr_token_62d9e46e-cdad-4726-9db7-e25b85397f57
    # Path to the secret to validate the token
    secret /etc/myprecious.txt
}
The secret to use to validate the token needs to be passed to Caddy either as an environment variable named JWT_SECRET or in a file, specified with the secret configuration option.
Note that the http.jwt plugin is not installed in default Caddy builds.
You should not protect the / Organizr root path. Organizr handles it on its own.
caddy-jwt on GitHub: BTBurke/caddy-jwt, JWT middleware for the Caddy server

Using JWT tokens

For Caddy v2, caddy-security authorize offers all the required functionality for server authentication.
Note that the caddy-security plugin is not installed in default Caddy builds.
caddy-security on GitHub: greenpau/caddy-security, Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. Authorization with JWT/PASETO tokens.
Caddy Security Authorize Docs: Authorize Plugin Overview | Caddy Security
An example Caddy V2 Caddyfile using caddy-security for authentication:
security {
    authorization policy admin {
        set auth url https://mydomain.com/auth
        crypto key token name organizr_token_uuid
        crypto key verify organizrHash
        set token sources cookie
        validate bearer header

        # Log any admin
        acl rule {
            match iss Organizr
            match role Admin
            allow stop log info
        }

        # Log any denied
        acl rule {
            match iss any
            deny log warn
        }
    }

    authorization policy user {
        set auth url https://mydomain.com/auth
        crypto key token name organizr_token_uuid
        crypto key verify organizrHash
        set token sources cookie
        validate bearer header

        # Log any admin/user
        acl rule {
            match iss Organizr
            match role Admin User
            allow stop log info
        }

        # Log any denied
        acl rule {
            match iss any
            deny log warn
        }
    }
}

mydomain.com {
    root * C:\Caddy\www\organizr\html
    php_fastcgi localhost:9000
    rewrite /api/v2/* /api/v2/index.php?{query}
    file_server

    # Subdirectory authentication
    route /calibre/* {
        uri strip_prefix /calibre
        authorize with user
        reverse_proxy localhost:9900
    }
}

# Subdomain authentication
tautulli.mydomain.com {
    route {
        authorize with admin
        reverse_proxy localhost:8181
    }
}
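
To check offline why a proxy would accept or deny a given Organizr token, the following added example (not Organizr, caddy-jwt or caddy-security code) reproduces the checks the directives above describe: signature against the shared secret, issuer Organizr, and the allowed groups. Assumptions: HS256 signing, a numeric `exp` claim, the group carried in a `group` claim, and all function names; the secret and token are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build a constructed HS256 test token (sample data, not a real session)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def authorize(token, secret, allowed_groups, now=None):
    """Return (allowed, reason) for one token against one policy."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm; a token must never pick its own (rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    exp = claims.get("exp")  # assumption: tokens carry a numeric exp claim
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "expired"
    if claims.get("iss") != "Organizr":  # "match iss Organizr"
        return False, "issuer not matched"
    group = claims.get("group")  # "allow group ..." / "match role ..."
    if not isinstance(group, str) or group not in allowed_groups:
        return False, "group not allowed"
    return True, "allowed"

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed; stands in for the shared secret
    token = sign_hs256({"iss": "Organizr", "group": "User", "exp": time.time() + 60}, secret)
    print(authorize(token, secret, {"Admin", "User"}))  # user policy
    print(authorize(token, secret, {"Admin"}))          # admin policy
```

The reason string in each result shows which check rejected the token, which helps when comparing against the proxy's deny log entries.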