proxy auth for unsecured apps

2025-03-20 12:52:46 +01:00 · 2025-03-20 12:52:46 +01:00 · c009c6e30e
commit c009c6e30e
parent 37dc3b82d9
2 changed files with 25 additions and 6 deletions
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@ -6,6 +6,15 @@
 	}
 }

+(proxy-auth) {
+	reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000
+	forward_auth http://authentik-server:9000 {
+		uri /outpost.goauthentik.io/auth/caddy
+		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+		trusted_proxies private_ranges
+	}
+}
+
 *.{$DOMAIN} {
 	tls {
 		dns netcup {
@ -21,7 +30,10 @@

 	@whoami host whoami.{$DOMAIN}
 	handle @whoami {
-		reverse_proxy whoami:80
+		route {
+			import proxy-auth
+			reverse_proxy whoami:80
+		}
 	}

 	@dashboard host dashboard.{$DOMAIN}
@ -37,7 +49,10 @@

 	@zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
 	handle @zigbee2mqtt {
-		reverse_proxy zigbee2mqtt:8080
+		route {
+			import proxy-auth
+			reverse_proxy zigbee2mqtt:8080
+		}
 	}

 	@jellyfin host jellyfin.{$DOMAIN}
@ -52,7 +67,10 @@

 	@download host download.{$DOMAIN}
 	handle @download {
-		reverse_proxy pyload:8000
+		route {
+			import proxy-auth
+			reverse_proxy pyload:8000
+		}
 	}

 	@uptime host uptime.{$DOMAIN}
@ -62,7 +80,10 @@

 	@torrent host torrent.{$DOMAIN}
 	handle @torrent {
-		reverse_proxy transmission:9091
+		route {
+			import proxy-auth
+			reverse_proxy transmission:9091
+		}
 	}

 	@auth host auth.{$DOMAIN}
--- a/torrent/docker-compose.yaml
+++ b/torrent/docker-compose.yaml
@ -4,8 +4,6 @@ services:
    image: lscr.io/linuxserver/transmission:${TRANSMISSION_VERSION}
    environment:
      - TZ=Etc/UTC
-      - USER=${USERNAME}
-      - PASS=${PASSWORD}
    volumes:
      - ${VOLUMES_PATH}/torrent/transmission:/config
      - ${DOWNLOAD_PATH}:/downloads