Help to convert a snippet to labels

[wsw70]

I have the following snippet I would like to convert to labels (it works well when in the Caddyfile):

(authenticate-with-authelia) {
	@forceAuth {
		not header x-authelia-whitelist XXX
		}
	forward_auth @forceAuth authelia:9091 {
		uri /api/verify?rd=https://authelia.swtk.eu/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		trusted_proxies private_ranges
	}
}

I tried to convert it to labels in Caddy's docker-compose (I did several versions, all failed):

      caddy: (authenticate-with-authelia)
      [email protected]: header x-authelia-token XXX
      caddy.authenticate-with-authelia.forward_auth: "@forceAuth authelia:9091"
      caddy.authenticate-with-authelia.forward_auth.uri: /api/verify?rd=https://authelia.swtk.eu/
      caddy.authenticate-with-authelia.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Name Remote-Email
      caddy.authenticate-with-authelia.forward_auth.trusted_proxies: private_ranges

When restarting Caddy, I get for each service that does an import authenticate-with-caddy an error message telling me that the authenticate-with-authelia directive is not recognized.

Since it is not possible to debug snippets via the JSON configuration (they are merged at startup) I have no way to see how it is translated, and I suppose that there is an error in the translation.

[francislavoie]

You need to keep the parentheses in the labels as well.

[wsw70]

You need to keep the parentheses in the labels as well.

Ah! I followed the docs.

caddy: (encode)
caddy.encode: zstd gzip
↓
(encode) {
	encode zstd gzip
}

and

caddy_0: (snippet)
caddy_0.tls: internal
caddy_1: site-a.com
caddy_1.import: snippet
caddy_2: site-b.com
caddy_2.import: snippet
↓
(snippet) {
	tls internal
}
site_a {
	import snippet
}
site_b {
	import snippet
}

I will check this out as soon as I see our election results in France :)

[wsw70]

You need to keep the parentheses in the labels as well.

Unfortunately this does not change the error

[hycday]

hey @wsw70 where you able to make authelia work at the end ?

[wsw70]

hey @wsw70 where you able to make authelia work at the end ?

Authelia is working fine. What I could not (and still cannot) make work was the snippet in the labels.

[hycday]

i am super curious as to how you made Authelia work without that snippet/label part.. i am trying to make it work with Caddy Docker Proxy and struggling, let me know if there is a way you could help (between french :) )

as for the conversion I get something like that, but cannot properly test it as i am struggling to make it work :

  # Define trusted_proxy_list snippet without active trusted_proxies
  caddy_0: (trusted_proxy_list)

  # auth.domain.ltd
  caddy_1: auth.domain.ltd
  caddy_1.reverse_proxy: "{{authelia 9091}}"
  caddy_1.reverse_proxy.import: trusted_proxy_list

  # site.domain.ltd site to protect
  caddy_2: site.domain.ltd
  caddy_2.forward_auth: authelia:9091
  caddy_2.forward_auth.uri: /api/authz/forward-auth
  caddy_2.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Email Remote-Name
  caddy_2.forward_auth.import: trusted_proxy_list
  caddy_2.reverse_proxy: "{{scrapper 80}}"
  caddy_2.reverse_proxy.import: trusted_proxy_list

[wsw70]

i am super curious as to how you made Authelia work without that snippet/label part.. i am trying to make it work with Caddy Docker Proxy and struggling, let me know if there is a way you could help (between french :) )

I am not sure I understand. I do use the snippet but it is defined in the main Caddyfile. I wanted to get rid of that main configuration file and do everything through the labels. This is not a showstopper though.

[hycday]

wasnt able to make it work, so i used Authentik and besides some few config left it works good...

[wsw70]

i used Authentik

Looks really cool. It is a more complicated (and probably - complete) system compared to Authelia, though. Good luck!

[DonDebonair]

I'm using Authelia with caddy-docker-proxy successfully.

These are the relevant labels in the Docker Compose config of my Caddy container:

caddy_90: (secure)
caddy_90.forward_auth: '{args[0]} authelia:9091'
caddy_90.forward_auth.uri: /api/verify?rd=https://auth.example.com
caddy_90.forward_auth.copy_headers: Remote-User Remote-Groups Remote-Name Remote-Email

(The 90 suffix is because I have multiple global configs/snippets etc. and I want to order them specifically. You can leave it off)

And then for each container I want to proxy and put behind Authelia

caddy: my-app.example.com
caddy.reverse_proxy: "{{upstreams 8080}}"
caddy.import: secure *

Obviously you should change the domain and port

[accforgithubtest]

Thank you for this @DonDebonair - helped me out with a solid working example there.

Can you please help me out with another question about this config - What labels do I need to add If I want to bypass certain paths in my-app.example.com ? For e.g if I have my-app.example.com/publicurls/test1.html and my-app.example.com/publicurls/test2.html, and I want to skip authelia authentication checks for everything under the my-app.example.com/publicurls/ path, what labels can help me do that ? I would still like for everything else in my-app.example.com to be authenticated.

TIA for any suggestions, cheers !

[DonDebonair]

@accforgithubtest you wouldn't set labels for it. Instead, you'd have to make changes to your Authelia config to skip certain paths.