Description
I am using Unraid and have all services running in Docker (sonarr, pocket-id, caddy).
I want to use pocket-id to protect every service that does not have proper OIDC support via caddy-security.
What I achieved so far:
When accessing sonarr.i2.mysite.com the user is redirected to the portal screen and clicks the button for pocket-id; authentication happens on pocket-id, which sends the user back to the portal screen, but the user is not forwarded to the reverse proxy address for sonarr although it is mentioned in the site block.
- Is my configuration in general OK for what I want to accomplish?
- Is it even possible to forward to a reverse proxy entry at all?
- Is there a problem with caddy and sonarr running on different ports on the same machine?
Thanks
Configuration:
unraid 7 host: 192.168.1.107
pocket-id runs at: poc.i2.mysite.com:25444
sonarr exposed at: 192.168.1.107:8989
caddy exposed at: 192.168.1.107:2443
AdGuard Home DNS rewrites:
sonarr.i2.mysite.com -> 192.168.1.107
pocket-id callback URL:
https://sonarr.i2.mysite.com:2443/oauth2/pocket-id/authorization-code-callback
caddy config:
{
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider pocket-id {
			realm pocket-id
			driver generic
			client_id CLIENTID
			client_secret CLIENTSECRET
			scopes openid email profile
			base_auth_url https://poc.i2.mysite.com:25444/authorize
			metadata_url https://poc.i2.mysite.com:25444/.well-known/openid-configuration
			delay_start 3
		}
		authentication portal pocket-id-auth {
			crypto default token lifetime 3600
			enable identity provider pocket-id
			cookie domain mysite.com
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match realm pocket-id
				action add role authp/user
				ui link "Sonarr Start" https://sonarr.i2.mysite.com:2443/settings icon "las la-star"
			}
		}
		authorization policy users {
			# set auth url /caddy-security/oauth2/pocket-id
			set auth url https://auth.i2.mysite.com:2443/oauth2/pocket-id
			allow roles authp/user
			validate bearer header
			inject headers with claims
		}
	}
	debug
}

##### auth service
auth.i2.mysite.com {
	authenticate with pocket-id-auth
}

##### sonarr service
sonarr.i2.mysite.com {
	route /* {
		authenticate with pocket-id-auth
		authorize with users
		reverse_proxy 192.168.1.107:8989
	}
}

##### tls management
*.i2.mysite.com {
	tls {
		import KEY1
		propagation_timeout 6m
	}
}

###### pocket-id
poc.i2.mysite.com {
	log {
		import logtransform
		output file /var/log/caddy/poc.access.log {
			import logging
		}
	}
	@banned {
		fail2ban /data/banned-ips
	}
	handle @banned {
		abort
	}
	handle {
		reverse_proxy 192.168.1.107:1411 {
		}
	}
}
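For comparison, the Caddyfile below is an added example and not the config posted in this issue or anything from the caddy-security project itself. It follows the split that caddy-security documents: the portal is served only on the auth host with `authenticate with`, and each protected site carries only `authorize with`, so an unauthenticated request to sonarr.i2.mysite.com is redirected by the authorizer to the policy's `set auth url`, and after login the portal returns the browser to the page that was originally requested. Hostnames, ports, the provider, portal and policy names are taken from the issue; the `{env.…}` placeholders, the comments, and the assumption that the pocket-id callback URL would then live on the portal host (https://auth.i2.mysite.com:2443/oauth2/pocket-id/authorization-code-callback) are mine. The TLS and pocket-id site blocks from the issue are unchanged and omitted here.

```caddyfile
{
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider pocket-id {
			realm pocket-id
			driver generic
			# Assumption: secrets are read from the environment rather than written into the Caddyfile.
			client_id {env.POCKET_ID_CLIENT_ID}
			client_secret {env.POCKET_ID_CLIENT_SECRET}
			scopes openid email profile
			base_auth_url https://poc.i2.mysite.com:25444/authorize
			metadata_url https://poc.i2.mysite.com:25444/.well-known/openid-configuration
			delay_start 3
		}

		authentication portal pocket-id-auth {
			crypto default token lifetime 3600
			enable identity provider pocket-id
			# The session cookie must be valid on both auth.i2.mysite.com and sonarr.i2.mysite.com.
			cookie domain mysite.com
			transform user {
				match realm pocket-id
				action add role authp/user
			}
		}

		authorization policy users {
			# Unauthenticated requests to any site using this policy are redirected here.
			set auth url https://auth.i2.mysite.com:2443/oauth2/pocket-id
			allow roles authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

# Portal host: the only site block that runs "authenticate with".
auth.i2.mysite.com {
	authenticate with pocket-id-auth
}

# Protected app: the authorizer checks the session, then the request is proxied.
sonarr.i2.mysite.com {
	authorize with users
	reverse_proxy 192.168.1.107:8989
}
```

With this layout the portal host is the single OIDC redirect target registered at pocket-id, and the protected hostnames never serve portal pages themselves; the per-site `reverse_proxy` runs only after `authorize with users` has accepted the session cookie.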