@TetraTsunami
Last active May 1, 2025 12:00
CaddyDockerProxy Authelia example

Folder structure:

```text
/services
  /authelia
    docker-compose_authelia.yml  # (Includes example service with auth)
  /caddy
    docker-compose_caddy.yml
    Dockerfile                   # Needed to add the CaddyDockerProxy extension
    Caddyfile                    # Needed to contain common configuration
```

Before any of this, you'll need to run `docker network create -d bridge caddy` to create the `caddy` network that all of these containers connect to.

I also have a wildcard (`*.example.com`) A record pointing at my server's IP.

Caddyfile:

```caddyfile
(auth) {
	# This removes auth on things like Jackett and Sonarr's APIs, since they should already require API keys
	@notAPI {
		not {
			path /api/*
			path /dl/*
			path /feed/*
		}
	}
	forward_auth @notAPI authelia:9091 {
		uri /api/verify?rd=https://auth.example.com/ # you will want to change this to wherever Authelia is hosted
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}
```
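An added post-deployment check (my code, not part of the gist): it sends cookie-less, browser-like requests to a service that imports the `(auth)` snippet and confirms that the paths exempted by `@notAPI` are still refused by the application itself (401/403), while every other path is redirected to Authelia. It assumes the `auth.example.com` / `whoami.example.com` hostnames used in this gist and that Authelia redirects unauthenticated browser requests to the portal via the `rd` parameter.

```python
"""Unauthenticated probe of a deployment that uses the (auth) snippet above."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

AUTH_HOST = "auth.example.com"                 # where Authelia is served (from the Caddyfile)
BYPASS_PREFIXES = ("/api/", "/dl/", "/feed/")  # mirrors the @notAPI matcher


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself can be inspected."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_fetch(url):
    """Return (status, Location header) for a cookie-less GET that looks like a browser."""
    req = urllib.request.Request(url, headers={"Accept": "text/html"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses land here
        return err.code, err.headers.get("Location", "")


def is_bypassed(path):
    """True if the Caddyfile's @notAPI matcher exempts this path from forward_auth."""
    return any(path.startswith(prefix) for prefix in BYPASS_PREFIXES)


def classify(path, status, location):
    """'ok' when the response matches the design's expectation, else a finding string."""
    if is_bypassed(path):
        # Exempt paths rely entirely on the application's own API-key check.
        if status in (401, 403):
            return "ok"
        return f"exempt from forward_auth but app answered {status} without credentials"
    if status in (301, 302, 303, 307, 308) and urlparse(location).hostname == AUTH_HOST:
        return "ok"
    return f"not redirected to Authelia (got {status}, Location={location or 'none'})"


def audit(base_url, paths, fetch=http_fetch):
    """Probe each path on base_url and map it to 'ok' or a finding."""
    return {p: classify(p, *fetch(base_url.rstrip("/") + p)) for p in paths}


if __name__ == "__main__":
    # Hostname taken from the whoami labels in this gist; adjust to your own service.
    for path, verdict in audit("https://whoami.example.com", ["/", "/api/", "/dl/", "/feed/"]).items():
        print(f"{path:8} {verdict}")
```

Any path reported as "exempt ... without credentials" is reachable from the internet with no login at all, so either the application must enforce its own auth there or the prefix should be dropped from `@notAPI`.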
docker-compose_authelia.yml:

```yaml
services:
  # see the whoami container lower down for a breakdown of what all these lines do
  authelia:
    image: authelia/authelia
    volumes:
      - ./authelia:/config
    networks:
      - default # Allows Authelia to connect to Redis without exposing Redis to the rest of the caddy network
      - caddy
    labels:
      caddy: auth.example.com # You will need to change this to your actual TLD
      caddy.reverse_proxy: "{{upstreams 9091}}"
    expose:
      - 9091
    restart: unless-stopped
  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - ./redis:/data
    expose:
      - 6379 # not technically necessary, but a helpful note of which ports are important
    restart: unless-stopped
  whoami: # Example service that has auth in front of it. Requires a few things:
    image: traefik/whoami
    networks: # 1. It needs to be connected to the Caddy network.
      # This also means you'll have to have "networks: caddy: external: true" at the bottom of the file, so watch out for that!
      - caddy
    labels:
      caddy: whoami.example.com # 2. It needs to have its URL set
      caddy.reverse_proxy: "{{upstreams 80}}" # 3. Caddy needs to know which port to forward traffic to (in this case, 80)
      caddy.import: auth # 4. For auth, import the configuration from the Caddyfile above
networks:
  default: # this is just so Authelia can say it's on the default network to connect to Redis
  caddy:
    external: true
```
docker-compose_caddy.yml:

```yaml
services:
  caddy:
    build: .
    ports:
      - "80:80"   # quoted so YAML does not read host:container as a number
      - "443:443"
    environment:
      - CADDY_INGRESS_NETWORKS=caddy # you could change the network name here, just take care to make a network with that name
      - CADDY_DOCKER_CADDYFILE_PATH=/local/Caddyfile # we're using the Caddyfile we made before
    networks:
      - caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # lets Caddy read the labels on other containers (the socket grants full Docker API access, so treat this container as trusted as the host)
      - caddy_data:/data # allows it to store TLS certs across sessions
      - ./:/local # allows it to access the Caddyfile we made above
    restart: unless-stopped
    extra_hosts:
      - "host.docker.internal:host-gateway"
networks:
  caddy:
    external: true
volumes:
  caddy_data: {}
```
Dockerfile:

```dockerfile
ARG CADDY_VERSION=2.6.4
# You might want to change the version
FROM caddy:${CADDY_VERSION}-builder AS builder
RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare
# I'm including Cloudflare here because I use it, but you're free to remove that line
FROM caddy:${CADDY_VERSION}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
CMD ["caddy", "docker-proxy"]
```
@jpbaril commented Feb 12, 2025

@TetraTsunami (Author)

Good catch! It looks like my setup might be a bit outdated, and `/api/verify` was deprecated a while ago: https://www.authelia.com/blog/4.38-release-notes/. I'll note that my setup does currently work for me, but I totally understand wanting to do it right when setting up for the first time.
You could probably replace that line with `uri /api/authz/forward-auth?authelia_url=https://auth.example.com/` and see if it works. I'm not able to test it currently, though. If it does work for you, please let me know and I'll update the gist!
