Skip to content

Latest commit

 

History

History
279 lines (205 loc) · 9.07 KB

README.md

File metadata and controls

279 lines (205 loc) · 9.07 KB

caddy-security

Publish

Security App and Plugin for Caddy v2. It includes:

  • Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
  • Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
  • Credentials Plugin for managing credentials for various integrations

Please show your appreciation for this work and ⭐ ⭐ ⭐

Please consider sponsoring this project!

Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau


⚠️ Please open an issue if you need help migrating configurations from caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).


Documentation: authp.github.io

Security Policy: SECURITY.md

Table of Contents

Overview

The caddy-security app allows managing authentication portal, authorization security policy and credentials. The plugin enforces the security policy on endpoints with authorize keyword and serves authentication portal with authenticate keyword.

The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/toowoxx/authcrunch.

Getting Started

The configuration happens in Caddyfile's global options block.

  • Setting Up Local Authentication: Video and Config Gist
  • Login with App Authenticator and Yubico U2F: Video
  • Customizing Caddy Auth Portal UI: Video
  • Caddy Authorize: Authorizing HTTP Requests: Video

Download Caddy with the plugins enabled:

Credentials

The following configuration adds SMTP credentials to security app. Subsequently, the app and plugin will be able to use the credentials in its messaging configuration.

{
  security {
    credentials root@localhost {
      username {env.SMTP_USERNAME}
      password {env.SMTP_PASSWORD}
    }
  }
}

Messaging

The following configuration sets up email messaging provider. It will use the previously configured root@localhost credentials.

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtp
      credentials root@localhost
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

It can also be "passwordless":

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtp
      passwordless
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

It may support TLS:

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtps
      passwordless
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

Authentication

The following configuration adds authentication portal.

{
  security {
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SECRET}
      backend local {env.HOME}/.local/caddy/users.json local
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
  }
}

auth.myfiosgateway.com {
  authenticate * with myportal
}

Authorization

The following configuration adds authorization functionality and handlers.

{
  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/public_html
  file_server
}

User Interface

User Login

Portal

User Identity (whoami)

User Settings

Password Management

Add U2F Token (Yubico)

Add Authenticator App

Multi-Factor Authentication

License

See LICENSE

   Copyright 2022 Paul Greenberg (@greenpau)
   Copyright 2022 Toowoxx IT GmbH

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.