From 34deb921946244e28ca1006df03ab2b55cb632e0 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Thu, 20 Mar 2025 12:52:46 +0100
Subject: [PATCH] proxy auth for unsecured apps
---
 proxy/Caddyfile | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index d723d79..b8de824 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -6,6 +6,15 @@
 }
 }
+(proxy-auth) {
+ reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000
+ forward_auth http://authentik-server:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ trusted_proxies private_ranges
+ }
+}
+
 *.{$DOMAIN} {
 tls {
 dns netcup {
@@ -21,7 +30,10 @@
 @whoami host whoami.{$DOMAIN}
 handle @whoami {
- reverse_proxy whoami:80
+ route {
+ import proxy-auth
+ reverse_proxy whoami:80
+ }
 }
 @dashboard host dashboard.{$DOMAIN}
@@ -37,7 +49,10 @@
 @zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
 handle @zigbee2mqtt {
- reverse_proxy zigbee2mqtt:8080
+ route {
+ import proxy-auth
+ reverse_proxy zigbee2mqtt:8080
+ }
 }
 @jellyfin host jellyfin.{$DOMAIN}
@@ -62,7 +77,10 @@
 @torrent host torrent.{$DOMAIN}
 handle @torrent {
- reverse_proxy transmission:9091
+ route {
+ import proxy-auth
+ reverse_proxy transmission:9091
+ }
 }
 @auth host auth.{$DOMAIN}
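Review bot: `trusted_proxies private_ranges` inside the `forward_auth` block of `(proxy-auth)` makes Caddy accept client-supplied `X-Forwarded-*` values from every private-range source, which on a home network probably means every LAN client and container. Those requests could then present a forged client address or host to authentik, which matters if any authentik policy keys on them. If nothing sits in front of Caddy the line can simply be removed; otherwise narrow it to the fronting proxy only, `trusted_proxies <FRONT_PROXY_IP>` (placeholder). The snippet also depends on being imported inside a `route` block so the outpost path is proxied before `forward_auth` runs; a comment such as `# import only inside route { }: order of these two directives matters` above the first line would record that.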
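Review bot: The `import proxy-auth` added under `handle @whoami`, and identically in the `@zigbee2mqtt` and `@torrent` hunks, enforces login only for requests that arrive through Caddy; `whoami:80`, `zigbee2mqtt:8080` and `transmission:9091` themselves still answer without authentication. The compose and network definitions are not part of this patch, so it should be confirmed that none of these containers publishes its port on the host and that they share a network only with Caddy. Any backend that reads the copied `X-Authentik-*` headers should likewise accept them only from the proxy. A short comment at each import, e.g. `# auth is enforced here only; backend must not be reachable directly`, would keep that assumption visible.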