After pulling everything together, I thought it would be a good idea to document what ended up working for me with the following setup:
- *arr apps
- Some 3D printers
- Mobileraker
- NZB360
This stack requires the following:
- Protecting the sites from unauthorized access
- Allowing the use of BASIC auth to get to the sites when not using a web browser (items 3 and 4 above)
- Using Cloudflare (free is fine) for your DNS, etc.
This is how I ended up making all this work. While Cloudflare would manage all the SSL, I have Caddy pull SSL certificates too (so the hop from Cloudflare to the origin is also encrypted with a valid certificate).
- Install Docker and get it working. I use Dockge.
- Create a new site for Caddy with the following config:

```yaml
services:
  caddy:
    container_name: caddy
    image: ghcr.io/authcrunch/authcrunch:latest
    restart: always
    environment:
      - ACME_EMAIL="<your email to use for domain stuff>"
      - CLOUDFLARE_API_TOKEN=<your cloudflare api token>
      - ACME_AGREE=true
      - JWT="<Some 32 char random string>"
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - /data/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /<local path>/:/srv
volumes:
  caddy_data: null
  caddy_config: null
networks: {}
```

The `/srv` mapping is to serve static websites (see the Caddyfile later). Two notes on the secrets in here: the Cloudflare token only needs Zone:Read and DNS:Edit on the zones Caddy issues certificates for, so create a scoped API token rather than using the Global API Key; and `JWT` is the key that signs every session token, so generate it with something like `openssl rand -base64 32` instead of typing one by hand.
- Start up the Docker instance and make sure nothing explodes.
- Download and extract the latest from https://github.com/shoenig/bcrypt-tool/releases
- Usage: `./bcrypt-tool hash SomeFunkyPassword 10` (the password ends up in your shell history this way, so clear it afterwards or run it from a throwaway shell).
- Take the resulting string and save it for now. We will use it later where it says `<bcryptpw>` (including removing the `<>`).
- In my setup, my configs all live under `/data` on the host, so create `/data/Caddyfile` and make it look like the following. Note that you can adjust the `YourDefaultUser` value to be whatever you want your username to be. If you jack this up, delete `CaddyUsers.json` from the `caddy_data` Docker volume (it is `/data/CaddyUsers.json` inside the container, not the host's `/data`) and restart the container to reset things. The 3-month cookie and token lifetimes below are convenient, but a stolen cookie stays valid for that long too; shorten them if that bothers you.
```caddyfile
{
  # debug
  acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
  email {$ACME_EMAIL}
  servers {
    # Cloudflare's published edge ranges. Only connections from these may set the
    # client IP headers below; anyone else's CF-Connecting-IP is ignored.
    trusted_proxies static 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
    client_ip_headers CF-Connecting-IP X-Forwarded-For
  }
  # authcrunch security start
  order authenticate before respond
  order authorize before basicauth
  security {
    local identity store localdb {
      realm local
      path /data/CaddyUsers.json
      user YourDefaultUser {
        name DefaultUser
        email [email protected]
        password "bcrypt:10:<bcryptpw>" overwrite
        roles authp/admin authp/user
      }
    }
    authentication portal myportal {
      # value is in seconds. This value is 3 months
      crypto default token lifetime 7884000
      crypto key sign-verify {$JWT}
      enable identity store localdb
      # enable identity provider github
      cookie domain yourdomain.com
      # If you want session only (ie when browser closes they are gone), comment out the line below.
      # Keep cookie around for 3 months
      cookie lifetime 7884000
      # find other icons at https://icons8.com/line-awesome
      ui {
        links {
          "Sonarr" https://sonarr.yourdomain.com icon "las la-tv"
          "Radarr" https://radarr.yourdomain.com icon "las la-video"
          "Sabnzb" https://nzb.yourdomain.com icon "las la-cloud-download-alt"
          "Voron02" https://vtl.yourdomain.com icon "las la-bookmark"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "My Identity" "/auth/whoami" icon "las la-id-badge"
        ui link "My Profile" "/auth/profile/" icon "las la-user"
      }
    }
    authorization policy users_policy {
      # Allow basic and api key auth
      with basic auth portal myportal realm local
      with api key auth portal myportal realm local
      # This url is set below. This is where Authcrunch will be
      set auth url https://auth.yourdomain.com/
      allow roles authp/admin authp/user
      crypto key verify {$JWT}
      acl rule {
        comment allow users
        match role authp/user
        allow stop log info
      }
      acl rule {
        comment default deny
        match any
        deny log warn
      }
    }
  }
}
# this is the url for the authcrunch portal itself
auth.yourdomain.com {
  route {
    authenticate with myportal
  }
}
# authcrunch security end
# define all the hosts to protect
# Adjust this for your location of sonarr, or whatever else you need to reverse proxy
sonarr.yourdomain.com {
  route {
    authorize with users_policy
    reverse_proxy http://192.168.1.14:8989
  }
}
# here we see a static site, where the index.html or whatever is in a directory /<local path>/somehost.com
# We reference /srv because that's where /<local path>/ ends up.
somehost.com {
  root * /srv/somehost.com
  encode gzip
  file_server {
    hide .git
  }
  log {
    output file /srv/somehost.com.log
  }
  header {
    ?Cache-Control "max-age=1800"
  }
}
somestaticsite.com {
  respond "Hello, World!"
}
# this site handles its own auth
plex.somedomain.com {
  reverse_proxy http://192.168.1.14:32400
}
```
- Restart Caddy and test things. Running `docker exec caddy caddy validate --config /etc/caddy/Caddyfile` first catches Caddyfile syntax errors without taking the proxy down.
For the apps that need to talk to these sites but do not understand JWT tokens and all that, we have to do things a bit differently.
Mobileraker (3D printers):
- Add the URL of your printer, e.g. https://voron.somewhere.com. This should obviously be one of the sites you set up in Caddy, like the `sonarr.yourdomain.com` example above.
- Go to https://gchq.github.io/CyberChef and add the `To Base64` recipe.
- In the Input box at the top right, enter your username and password in the format `username:password`.
- Note the resulting base64-encoded value in the Output box at the lower right.
- In the HTTP headers section, add a new header (do not include the `<>` in the value):
  - Header: `Authorization`
  - Value: `Basic <your base64 encoded value from the CyberChef step>`
- Click `Save` in the header dialog.
- Click `Save` in the lower right.
If it worked, you should see your printer's data. Keep in mind that base64 is an encoding, not encryption: the header is only as private as the TLS connection it travels over, so never point the app at a plain http:// URL.
NZB360 (*arr apps and SABnzbd):
- Add a service, like Sonarr.
- For the URL, the format needs to include the basic auth details. Example: `https://user:password@sonarr.yourdomain.com` (if the password contains characters like `@`, `:` or `/`, percent-encode them or the URL will not parse the way you expect).
- Enter the API key from your Sonarr instance.
- Click `Test Connection`.
- Optionally, set up Local connection handling.
Repeat this for every other *arr or SABnzbd setup you have that is protected by Authcrunch.
That's it! You should now be able to:
- Visit https://sonarr.somedomain.com and have Authcrunch redirect you to login, then redirect you back to Sonarr
- Use mobile apps that need basic auth
- ???
- Profit
You can also auth to your endpoints using an API key you can create in your Authcrunch profile, but there's some bugs as of 2025-03-31 that require you to make sure your password is 72 characters long. When I tried it I ended up with a 66 character password. Add 8 random chars to the end and you should be able to save it.
You can then authenticate against the endpoint like this:
`curl -H "X-Api-Key: <API_KEY>" -v https://app.yourdomain.com`
Or any other method where you pass a header value of `X-Api-Key` and the API key `<API_KEY>` (do not include the `<>`, of course).
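As an added example that is not part of the original post, the script below smoke-tests the three ways through `users_policy` described above (the browser redirect to the portal, the Basic header Mobileraker sends, and the `X-Api-Key` header) and builds the two credential-bearing values the mobile apps need: the base64 `Authorization` value that the CyberChef step produces, and the percent-encoded `user:password@host` URL for NZB360. The hostnames, user name, password and API key are placeholders, and `AUTH_PORTAL` is assumed to match the `set auth url` line in the Caddyfile.

```python
"""Added example, not from the original post: smoke-test the paths through
users_policy (browser redirect, Basic auth, X-Api-Key) and build the
credential-bearing values the mobile apps need.  Every hostname, username,
password and key below is a placeholder; replace them before running."""
import base64
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

# Assumed to match 'set auth url' in the Caddyfile.
AUTH_PORTAL = "https://auth.yourdomain.com/"


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for Mobileraker: 'Basic ' + base64(user:pass).
    Same result as the CyberChef 'To Base64' step, without pasting the password
    into a web page.  Base64 is an encoding, not encryption: the header is only
    as private as the TLS connection it travels over."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_auth_url(base_url: str, username: str, password: str) -> str:
    """user:password@host URL for NZB360.  Both parts are percent-encoded so a
    password containing '@', ':' or '/' does not change how the URL parses."""
    parts = urllib.parse.urlsplit(base_url)
    user = urllib.parse.quote(username, safe="")
    pw = urllib.parse.quote(password, safe="")
    netloc = f"{user}:{pw}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urllib.parse.urlunsplit(
        (parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment)
    )


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the hop to the portal stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, headers: Optional[Dict[str, str]] = None) -> Tuple[int, Optional[str]]:
    """Return (status, Location header) for one request without following redirects."""
    req = urllib.request.Request(url, headers=headers or {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here once redirects are not followed.
        return err.code, err.headers.get("Location")


def classify(status: int, location: Optional[str], portal: str = AUTH_PORTAL) -> str:
    """Map a probe result onto what users_policy did with the request."""
    if 300 <= status < 400 and location and location.startswith(portal):
        return "redirected-to-portal"
    if status == 200:
        return "authorized"
    return "denied"


if __name__ == "__main__":
    app = "https://sonarr.yourdomain.com"          # placeholder protected host
    user, password, api_key = "YourDefaultUser", "SomeFunkyPassword", "<API_KEY>"
    checks = {
        "no credentials": {},
        "basic auth": {"Authorization": basic_auth_header(user, password)},
        "api key": {"X-Api-Key": api_key},
    }
    for name, hdrs in checks.items():
        status, location = probe(app, hdrs)
        print(f"{name:15} -> {status} {classify(status, location)}")
    print("NZB360 URL:", basic_auth_url(app, user, password))
```

With the Caddyfile above in place, "no credentials" should come back as redirected-to-portal (a 3xx whose Location points at auth.yourdomain.com) and the other two as authorized. If basic auth is denied, check that the `with basic auth portal myportal realm local` line is present in the policy and that the header value is exactly `Basic <base64>` with nothing else around it.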
Tried following along, but had some trouble getting the TLS to work!
How are you setting up your Cloudflare DNS configuration? Proxy or DNS only? What are your settings for SSL in Cloudflare, are you doing Flexible or Full (Strict)?