How to use Authelia with ForwardAuth on different server?

[adorakalb]

Hi :)

First of all, I absolutely love Authelia!

I have the following question:
I have my Authelia-Installation working and it has the following Caddy config:

sso.example.com {
    reverse_proxy http://authelia:8080
}

Now I have a webapp without authentication, and I want to handle forward auth via Caddy and Authelia. Currently I have the following config:

app.example.com {
    forward_auth *  http://authelia:8080 {
        uri /api/authz/forward-auth?authelia_url=https://sso.example.com
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://app:8080
}

It all works well. However, my understanding is it only works because caddy knows and can reach http://authelia:8080 for authentication.
If Authelia now ran on a different server where the App caddy only could reach Authelia via https://sso.example.com, how would I configure this?

Thanks in advance :)

[glime-ai[bot]]

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

---

Hello!

I'm glad to hear you're enjoying Authelia!

Based on your scenario, if Authelia is running on a different server and the App Caddy can only reach Authelia via https://sso.example.com, you would need to adjust your Caddy configuration to point to the HTTPS URL of Authelia. Here's how you can modify your configuration:

app.example.com {
    forward_auth *  https://sso.example.com {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://app:8080
}

In this configuration:

• The forward_auth directive is updated to use https://sso.example.com instead of http://authelia:8080.
• The uri parameter is set to /api/authz/forward-auth, which is the endpoint for forward authentication in Authelia.

Make sure that the SSL/TLS certificates are properly configured on sso.example.com to allow secure connections from the Caddy server hosting your app.

If you have any more questions or need further assistance, feel free to ask!

This comment was generated by Glime.

[james-d-elliott]

You'd either have to expose the port say 8080, and use http://sso.example.com:8080 or you'd have to configure caddy in a way where it doesn't change the X-Fowarded-* headers for the /api/verify and /api/authz/* paths and use the https://sso.example.com url (with the path suffixes).

[yfe404]

The first option works fine for me thanks