Closed joshoram80 closed 2 months ago
Post your full caddy config.
This is literally it, the rest is created at runtime by caddy-docker-proxy and labels, producing
```caddyfile
gotify.my.domain {
    reverse_proxy 172.25.0.11:80
}
```
or if I want Auth
```caddyfile
service.my.domain {
    import auth
    reverse_proxy <container_ip>:<port>
}
```
```caddyfile
(tls) {
    import auth
    tls {
        dns cloudflare <token>
        resolvers 1.1.1.1
    }
}

(authentik) {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* http://authentik_server:9000 {
        #header_up Host {http.reverse_proxy.upstream.hostport}
    }
    # forward authentication to outpost
    forward_auth http://authentik_server:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version authorization
        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }
}

(auth) {
    @internal_network {
        not remote_ip 192.168.0.0/24 172.25.0.0/24
    }
    handle @internal_network {
        import authentik
    }
}

my.domain {
    import auth
    reverse_proxy homepage:3000
}
```
Gotify is the only service I seem to have issues with. I did previously use Traefik and didn't have a problem, but I'm testing Caddy out as I may move everything over to it.
```caddyfile
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version authorization
```
Gotify uses the authorization header to transmit credentials for login. This setting overrides the authorization header with the header given by the forward auth server.
Gotify is not including the (auth) snippet so that header should not be used.
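To make the header-override point concrete, here is an added Python model (not Caddy's or Gotify's code) of what happens when the `(auth)` snippet above is applied to a service that logs in with HTTP Basic: the client's Authorization header is replaced by whatever the auth server returned, so the login fails only for clients outside the internal ranges that bypass `forward_auth`. The outpost response, the account and the client IPs are constructed.

```python
"""Added model of the failure mode described in the thread; it is not Caddy's or
Gotify's code. Credentials, outpost headers and client IPs are constructed."""
import base64
import ipaddress

# Ranges the (auth) snippet treats as internal, i.e. exempt from forward_auth.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "172.25.0.0/24")]
USERS = {"alice": "s3cret"}  # constructed Gotify account
# Constructed stand-in for the outpost's successful /auth/caddy response (assumption).
OUTPOST_HEADERS = {
    "X-Authentik-Username": "alice",
    "Authorization": "Bearer <outpost-jwt-placeholder>",
}

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def apply_copy_headers(client_headers, auth_headers, copy_headers):
    """copy_headers as the thread describes it: every listed header that the auth
    server returned is set on the upstream request, replacing the client's value."""
    upstream = {k.lower(): v for k, v in client_headers.items()}
    auth = {k.lower(): v for k, v in auth_headers.items()}
    for name in copy_headers:
        if name.lower() in auth:
            upstream[name.lower()] = auth[name.lower()]
    return upstream

def gotify_login(headers):
    """Minimal model of Gotify's login: HTTP Basic credentials in Authorization."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not value.startswith("Basic "):
        return 401
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return 401
    return 200 if USERS.get(user) == pw else 401

def proxied_login(remote_ip, copy_headers):
    """Login through the (auth) snippet: forward_auth runs only for clients outside
    INTERNAL_NETS, which is why a LAN client never sees the clobbered header."""
    request = {"Authorization": basic_auth("alice", "s3cret")}
    if not any(ipaddress.ip_address(remote_ip) in net for net in INTERNAL_NETS):
        request = apply_copy_headers(request, OUTPOST_HEADERS, copy_headers)
    return gotify_login(request)

BROKEN = ["X-Authentik-Username", "authorization"]  # includes authorization, as on the page
FIXED = ["X-Authentik-Username"]                     # leaves Authorization to the client
```

The same clobbering would apply to any upstream that expects the client's own Authorization header (API tokens included), so services with their own login should stay out of the snippet or drop `authorization` from `copy_headers`.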
The (tls) isn't referenced in the config you listed, but it's likely used and it imports (auth). The simple examples listed in https://gotify.net/docs/caddy work fine. So it must be related to your config.
I'm not sure how it would be used for Gotify though. For other services, I use
- caddy.import=tls
in my docker compose file, but not for gotify. Would having it for another service somehow affect Gotify?
I don't know the proxy you use. This config works fine.
$ docker network create caddy
```yaml
version: "3.7"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 8000:80
      - 8443:443
    networks:
      - caddy
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped
  gotify:
    image: gotify/server:2.4.0
    networks:
      - caddy
    labels:
      caddy: http://localhost
      caddy.reverse_proxy: "{{upstreams}}"
networks:
  caddy:
    external: true
volumes:
  caddy_data: {}
```
logs
gotify-1 | 2024-04-08T11:09:02Z | 200 | 89.739509ms | 172.24.0.1 | POST "/client"
gotify-1 | 2024-04-08T11:09:02Z | 200 | 4.384848ms | 172.24.0.1 | GET "/current/user"
gotify-1 | 2024-04-08T11:09:02Z | 200 | 246.072µs | 172.24.0.1 | GET "/stream?token=[masked]"
gotify-1 | 2024-04-08T11:09:02Z | 200 | 366.304µs | 172.24.0.1 | GET "/application"
gotify-1 | 2024-04-08T11:09:02Z | 200 | 521.115µs | 172.24.0.1 | GET "/message?since=0"
That's the same one I use, but I have a caddy image with that proxy plugin, as well as crowdsec and CloudFlare DNS built with xcaddy, and almost exactly the same configuration. It has started to work now after restarting all my containers. Maybe there was something being cached in the browser or something, I'm not sure.
On Mon, 8 Apr 2024, 9:18 pm Jannis Mattheis wrote:
> I don't know the proxy you use. This config works fine.
Have you read the documentation?
You are setting up gotify in
Describe your problem
I cannot seem to log in to Gotify behind Caddy, but using IP:Port works fine. I have not changed anything from the defaults. Homepage pulls information via the API correctly though.
Web login attempt
Homepage pulling via API