Caddy Proxy Compatibility

[tmeuze]

I know that Caddy doesn't support forward auth (natively at least), but should it be possible to use proxy mode in Authentik, and just double proxy?

I'm trying to secure Home-Assistant, and I was hoping it'd be as simple as pointing Caddy to the embedded outpost - which allows me to log in, but then ends up with an infinite redirect after.

I'm starting to think I should give up on Caddy, and learn Traefik. But I wanted to see if anyone has figured this out.

Thank you,

[deluxghost]

i dont know how the home assistant works. but proxy provider is working with caddy. fill the internal host with your service host that authentik can access, the external host is how you access the service from the browser.
the caddy part is easier, just change your reverse proxy directive to your authentik address.
NOTE you need to enable this application in your embeded outpost settings

service <--(internal)-- authentik <-- caddy <--(external)-- user

internal example: http://172.17.1.2:8888/
external example: https://foo.example.com/

only configure https on caddy side is ok, as long as a user can only access the service via the external host

[tmeuze]

Thanks for your reply! How you've described it is how I had it set up, but I guess there must be some kind of problem unique to this setup and the SP (Home-Assistant). I don't really have another application for testing that I need to set up this way, that doesn't natively support Authentik.

At the moment, I'm diving into Traefik as the alternative. I miss Caddy already...

[BeryJu]

I run homeassistant with a similar setup (double proxy, just Envoy instead of caddy) and thats working fine for me with those settings, but homeassistant also uses a lot of modern web technologoies so there might be some stuff cached

[tmeuze]

Hi @BeryJu , thank you so much for Authentik. I got Traefik all set up to see if it would work, but same behavior. I'm also using your hass-auth-header component. I took precautions regarding CSRF issues, and haven't seen any log entry about it.

I just hit a loop with the URL:
/if/flow/authorize/?client_id=...&redirect_uri=https%3A%2F%2Fsub.domain.tld%2Foutpost.goauthentik.io%2Fcallback&response_type=code&scope=profile+openid+email+ak_proxy&state=...
(client ID doesn't change)

Before eventually landing on:
/outpost.goauthentik.io/callback?code=...&state=...

I have logs but I don't want to take up your time. I'm just wondering if that flow seems normal (disregarding the loop)?

[tmeuze]

Update: I tried this same setup with AdGuard Home, and it worked. Clearly something is up with my config, or just with HA.

I noticed I saw the consent screen with AdGuard, whereas I never got that far with HA. It did redirect to an invalid /ws/client URL after auth, but don't think Authentik did that...