Add equivalent to nginx's auth_request #1507
Comments
This echoes my thoughts exactly. We're using Caddy at our company to proxy all our internal webservices to the world (and because it automatically takes care of TLS certs), but authentication is currently a pain. We're using nginx with
Guessing that you read hacker news as well... I had pretty much the same request wrt #1506 myself...
Why not?
@skorokithakis Why not what?
@mholt I got an email notification from you posting on this thread "This will not be done", but it's not here any more, odd.
@skorokithakis That wasn't me. 😉 https://twitter.com/mholt6/status/857335971733319680
Huh, damn. How do we know what's real and what's not?!
@skorokithakis My account says "Owner" on comments in this repository. Also my profile won't be empty: https://twitter.com/mholt6/status/857335173012086784
Ah, right. That's some good masquerading, though.
@skorokithakis Meh, don't give him any credit. My comments usually sound intelligent. 😅 Okay -- back on topic. To be honest, I haven't looked into this issue enough to know how to implement it. I'm guessing this would be a good plugin though?
Yes, it would certainly be a good plugin (and should probably be a plugin rather than something in core). Unfortunately, I'm not very good with Go and worse with Caddy internals, so I can't help much on this one. However, basically:
That's pretty much it. That would enable us to write a small authentication daemon and basically bolt on whatever type of auth we want (Kerberos, IMAP, LDAP) to Caddy.
@mholt is possible to redirect to a different URL if the code is 401 (to allow a custom login page)
@skorokithakis Great, that's helpful -- I think that's a pretty easy plugin to write. Here are instructions: https://github.com/mholt/caddy/wiki/Writing-a-Plugin:-Directives @aledbf And yeah, it could definitely redirect to a different URL if the status is 401. I think I'll close this, though, since we don't use this issue tracker for plugins -- just Caddy itself. But I would be happy to see this put up on the Caddy website if anyone wants to write it!
Sorry for waking the dead, but was this ever implemented? I'm looking at alternatives for bitly's defunct oauth2_proxy, and although there are a few forks in the works, nothing is production ready. If this feature has already been implemented, I'd rather not reinvent the wheel.
@logicfox FYI the "official" successor to bitly's oauth2_proxy is https://github.com/buzzfeed/sso by bitly/oauth2_proxy#628 (comment)
Not sure if helpful, but I did just write an Oauth2 proxy here: https://github.com/mholt/timeliner/blob/master/oauth2client/oauth2proxy/proxy.go (with some inspiration from ncw)
For others on this thread, http.reauth's upstream is basically this: https://github.com/freman/caddy-reauth#upstream
I have recently seen https://github.com/bitly/oauth2_proxy which is an interesting way to manage access to internal applications. At the end of the readme use of nginx's `auth_request` functionality is used to implement authentication without proxying every request. It would be nice to be able to do that in Caddy. It seems to be that two things are missing to achieve equivalence with the nginx example:

1. Caddy's `errors` directive does not allow a URL to be given for an error code, only a static file as far as I am aware. This could be worked around with clientside JS on the error, but that's not a nice solution.
2. Caddy lacks support for `auth_request`, whilst this could be implemented in middleware I believe, it would be nice functionality to have built in.
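The mechanism the issue body and the "small authentication daemon" comment describe (a subrequest to an auth service per request, pass through on 2xx, redirect to a login page on 401), written out as an added Go example. This is not Caddy's code, not caddy-reauth, and not something posted in this thread; it models the gate as a plain net/http handler rather than a Caddy plugin, and the names ForwardAuth, Probe, the X-Auth-User / X-Original-* header names, the _demo_session cookie, the /oauth2/start login path and the in-process demo daemon are all assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ForwardAuth mirrors nginx's auth_request: every request first triggers a
// bodiless GET subrequest to AuthURL carrying the client's Cookie and
// Authorization headers plus the original method and URI. Only a 2xx answer
// lets the request reach Next; 401 becomes a redirect to LoginURL with the
// original URI in ?rd=; anything else, including an unreachable daemon,
// is refused, so the gate fails closed. Field names are assumptions.
type ForwardAuth struct {
	AuthURL  string
	LoginURL string
	Client   *http.Client
	Next     http.Handler
}

func (fa *ForwardAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Never trust an identity header supplied by the client; only the auth
	// daemon's verdict may populate it.
	r.Header.Del("X-Auth-User")
	areq, err := http.NewRequestWithContext(r.Context(), http.MethodGet, fa.AuthURL, nil)
	if err != nil {
		http.Error(w, "auth misconfigured", http.StatusInternalServerError)
		return
	}
	for _, h := range []string{"Cookie", "Authorization"} {
		if v := r.Header.Get(h); v != "" {
			areq.Header.Set(h, v)
		}
	}
	areq.Header.Set("X-Original-Method", r.Method)
	areq.Header.Set("X-Original-URI", r.URL.RequestURI())
	resp, err := fa.Client.Do(areq)
	if err != nil {
		http.Error(w, "auth service unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // the verdict is the status code; any body is dropped
	switch {
	case resp.StatusCode >= 200 && resp.StatusCode < 300:
		if u := resp.Header.Get("X-Auth-User"); u != "" {
			r.Header.Set("X-Auth-User", u) // identity resolved by the daemon
		}
		fa.Next.ServeHTTP(w, r)
	case resp.StatusCode == http.StatusUnauthorized:
		http.Redirect(w, r, fa.LoginURL+"?rd="+url.QueryEscape(r.URL.RequestURI()), http.StatusFound)
	default:
		http.Error(w, "forbidden", http.StatusForbidden)
	}
}

// newDemoAuthDaemon is a constructed stand-in for an authentication daemon:
// it accepts only the cookie _demo_session=valid (an assumption for the demo)
// and answers 202 with the resolved user, 401 otherwise.
func newDemoAuthDaemon() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("_demo_session"); err == nil && c.Value == "valid" {
			w.Header().Set("X-Auth-User", "alice")
			w.WriteHeader(http.StatusAccepted)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// Probe wires the daemon and a guarded app together in-process and sends one
// GET /internal/dashboard?x=1 with the given Cookie header and a forged
// X-Auth-User header; it returns the status, Location and body the client sees.
func Probe(cookie, forgedUser string) (int, string, string) {
	daemon := newDemoAuthDaemon()
	defer daemon.Close()
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-Auth-User"))
	})
	gate := &ForwardAuth{AuthURL: daemon.URL + "/auth", LoginURL: "/oauth2/start", Client: daemon.Client(), Next: app}
	req := httptest.NewRequest(http.MethodGet, "/internal/dashboard?x=1", nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	req.Header.Set("X-Auth-User", forgedUser)
	rec := httptest.NewRecorder()
	gate.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	for _, c := range []string{"", "_demo_session=valid"} {
		code, loc, body := Probe(c, "mallory")
		fmt.Printf("cookie=%q -> %d location=%q body=%q\n", c, code, loc, body)
	}
}
```

Two details matter more than the happy path: the gate deletes any client-supplied X-Auth-User before the subrequest and only repopulates it from the daemon's response, so a forged identity header is never seen by the app, and a transport error to the daemon is answered with 502 rather than letting the request through. The login endpoint that receives ?rd= should accept only a relative path there, otherwise the redirect becomes an open redirect.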