Security App and Plugin for Caddy v2. It includes:
- Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
- Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
- Credentials Plugin for managing credentials for various integrations
Please show your appreciation for this work and β β β
Please consider sponsoring this project!
Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau
caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).
Documentation: authp.github.io
Security Policy: SECURITY.md
Please see other plugins:
The caddy-security app allows managing authentication portal,
authorization security policy and credentials. The plugin
enforces the security policy on endpoints with authorize keyword
and serves authentication portal with authenticate keyword.
The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/greenpau/authcrunch.
The configuration happens in Caddyfile's
global options block.
- Setting Up Local Authentication: Video and Config Gist
- Login with App Authenticator and Yubico U2F: Video
- Customizing Caddy Auth Portal UI: Video
- Caddy Authorize: Authorizing HTTP Requests: Video
Download Caddy with the plugins enabled:
The following configuration adds SMTP credentials to security app. Subsequently, the app and plugin will be able to use the credentials in its messaging configuration.
{
security {
credentials root@localhost {
username {env.SMTP_USERNAME}
password {env.SMTP_PASSWORD}
}
}
}
The following configuration sets up email messaging provider. It will use
the previously configured root@localhost credentials.
{
security {
messaging email provider localhost-smtp-server {
address 127.0.0.1:1025
protocol smtp
credentials root@localhost
sender root@localhost "My Auth Portal"
bcc greenpau@localhost
}
}
}
It can also be "passwordless":
{
security {
messaging email provider localhost-smtp-server {
address 127.0.0.1:1025
protocol smtp
passwordless
sender root@localhost "My Auth Portal"
bcc greenpau@localhost
}
}
}
It may support TLS:
{
security {
messaging email provider localhost-smtp-server {
address 127.0.0.1:1025
protocol smtps
passwordless
sender root@localhost "My Auth Portal"
bcc greenpau@localhost
}
}
}
The following configuration adds authentication portal.
{
security {
authentication portal myportal {
crypto default token lifetime 3600
crypto key sign-verify {env.JWT_SECRET}
backend local {env.HOME}/.local/caddy/users.json local
cookie domain myfiosgateway.com
ui {
links {
"My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
"My Identity" "/whoami" icon "las la-user"
}
}
transform user {
match origin local
action add role authp/user
ui link "Portal Settings" /settings icon "las la-cog"
}
}
}
}
auth.myfiosgateway.com {
authenticate * with myportal
}
The following configuration adds authorization functionality and handlers.
{
security {
authorization policy mypolicy {
set auth url https://auth.myfiosgateway.com/
crypto key verify {env.JWT_SECRET}
allow roles authp/admin authp/user
}
}
}
www.myfiosgateway.com {
authorize with mypolicy
root * {env.HOME}/public_html
file_server
}
