Caddy Server Authentication
Utilizing Caddy's reauth

Using the Organizr authorization API

Note: the reauth plugin doesn't seem to be fully working with Caddy v2; use the JWT method below instead.
Using Caddy and the reauth plugin you can accomplish the same using the following block:
    reauth {
        path /sonarr # location that requires reauth
        # path /glances # other directories can be listed
        #
        # if someone is not authorized for a page, send them here instead
        failure redirect target=https://<your_domain>/

        upstream url=https://<your_domain>/api/v2/auth/<group_id>,cookies=true
    }

Using OAuth / JWT tokens

Here is a sample Caddy directive to protect a path using the Organizr token:
    jwt {
        # Name of the path to protect
        path /protected

        # Allow / deny based on JWT claims
        allow group Admin
        allow group User

        # Where to redirect in case the token is invalid or the claims are denied
        redirect /

        # Where to read the token from
        token_source cookie organizr_token_62d9e46e-cdad-4726-9db7-e25b85397f57

        # Path to the secret used to validate the token
        secret /etc/myprecious.txt
    }
The secret to use to validate the token needs to be passed to Caddy either as an environment variable named JWT_SECRET or in a file, specified with the secret configuration option.
Note that the http.jwt plugin is not installed in default Caddy builds. See https://caddyserver.com/docs/http.jwt for instructions on how to install it.
See https://github.com/BTBurke/caddy-jwt for more information on the jwt plugin and its configuration options.
You should not protect the / Organizr root path. Organizr handles it on its own.
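
The checks that the `secret` and `allow group` settings above stand for, as an added Python sketch that is not code from Organizr or caddy-jwt. It assumes the cookie holds an HS256-signed JWT whose `group` claim is the Organizr group name; the function names, secret and claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret, alg="HS256"):
    """Build a constructed token that stands in for the cookie value."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(hs256(secret, head + '.' + body))}"

def check_token(token, secret, allowed_groups, now=None):
    """Return 'allow', or the reason the request would be redirected."""
    # Assumption: HS256 token with a string "group" claim (not confirmed by the page).
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    # Pin the algorithm on the verifier side; the token does not get to choose.
    if header.get("alg") != "HS256":
        return "bad-alg"
    # Constant-time comparison of the recomputed MAC with the presented one.
    if not hmac.compare_digest(sig, hs256(secret, head_b64 + "." + body_b64)):
        return "bad-signature"
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return "expired"
    group = claims.get("group")
    if not isinstance(group, str) or group not in allowed_groups:
        return "group-denied"
    return "allow"

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # stands in for the secret file's contents
    good = make_token({"group": "User", "exp": 2_000_000_000}, secret)
    for key in (secret, b"other"):
        print(check_token(good, key, {"Admin", "User"}, now=1_700_000_000))
```

A `bad-signature` result for a token Organizr just issued usually means the secret given to Caddy does not match the one Organizr signs with.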

Caddy v2

For Caddy v2, the caddy-security plugin seems to be the successor to caddy-jwt. The syntax has changed slightly to be something like this:
    route /tautulli* {
        authorize {
            primary yes
            set auth url https://mydomain.com
            allow roles User Admin
            crypto key token name organizr_token_uuid
            crypto key verify organizrHash
        }
        reverse_proxy localhost:8181
    }

    route /sonarr* {
        authorize
        reverse_proxy localhost:8989
    }