Security App and Plugin for Caddy v2. It includes:
- Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
- Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
- Credentials Plugin for managing credentials for various integrations
Please show your appreciation for this work and ⭐ ⭐ ⭐
Please consider sponsoring this project!
Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau
caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).
Documentation: authp.github.io
Security Policy: SECURITY.md
The caddy-security app allows managing the authentication portal, the authorization security policy and credentials. The plugin enforces the security policy on endpoints with the authorize keyword and serves the authentication portal with the authenticate keyword.
The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/toowoxx/authcrunch.
The configuration happens in the Caddyfile's global options block.
- Setting Up Local Authentication: Video and Config Gist
- Login with App Authenticator and Yubico U2F: Video
- Customizing Caddy Auth Portal UI: Video
- Caddy Authorize: Authorizing HTTP Requests: Video
Download Caddy with the plugins enabled:
The following configuration adds SMTP credentials to the security app. Subsequently, the app and plugin will be able to use the credentials in their messaging configuration.
{
    security {
        credentials root@localhost {
            username {env.SMTP_USERNAME}
            password {env.SMTP_PASSWORD}
        }
    }
}
The following configuration sets up an email messaging provider. It will use the previously configured root@localhost credentials.
{
    security {
        messaging email provider localhost-smtp-server {
            address 127.0.0.1:1025
            protocol smtp
            credentials root@localhost
            sender root@localhost "My Auth Portal"
            bcc greenpau@localhost
        }
    }
}
It can also be "passwordless":
{
    security {
        messaging email provider localhost-smtp-server {
            address 127.0.0.1:1025
            protocol smtp
            passwordless
            sender root@localhost "My Auth Portal"
            bcc greenpau@localhost
        }
    }
}
It may also use TLS, by setting the protocol to smtps:
{
    security {
        messaging email provider localhost-smtp-server {
            address 127.0.0.1:1025
            protocol smtps
            passwordless
            sender root@localhost "My Auth Portal"
            bcc greenpau@localhost
        }
    }
}
The following configuration adds an authentication portal.
{
    security {
        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SECRET}
            backend local {env.HOME}/.local/caddy/users.json local
            cookie domain myfiosgateway.com
            ui {
                links {
                    "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
                    "My Identity" "/whoami" icon "las la-user"
                }
            }
            transform user {
                match origin local
                action add role authp/user
                ui link "Portal Settings" /settings icon "las la-cog"
            }
        }
    }
}
auth.myfiosgateway.com {
    authenticate * with myportal
}
The following configuration adds authorization functionality and handlers.
{
    security {
        authorization policy mypolicy {
            set auth url https://auth.myfiosgateway.com/
            crypto key verify {env.JWT_SECRET}
            allow roles authp/admin authp/user
        }
    }
}
www.myfiosgateway.com {
    authorize with mypolicy
    root * {env.HOME}/public_html
    file_server
}
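The portal signs tokens with the key given as crypto key sign-verify, and the policy verifies them with the same JWT_SECRET (crypto key verify) before matching the token's roles against allow roles. The Go program below is an added illustration of those two checks, not code from caddy-security or authcrunch: it issues an HS256 token the way the portal conceptually does and then applies the policy's decisions (algorithm pinned by the verifier, signature checked under the shared key, expiry bounded by the 3600-second lifetime, role matched against the allow list). The claim name roles, HS256 as the algorithm and the sample secret are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of token claims this illustration looks at. The claim
// name "roles" is an assumption made for the example.
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

// Policy mirrors the two decisions "authorization policy mypolicy" makes:
// the token must verify under the shared key and carry an allowed role.
type Policy struct {
	key          []byte
	allowedRoles map[string]bool
}

func NewPolicy(key []byte, roles ...string) Policy {
	p := Policy{key: key, allowedRoles: map[string]bool{}}
	for _, r := range roles {
		p.allowedRoles[r] = true
	}
	return p
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 issues a compact JWT as a portal using a shared sign-verify key
// conceptually does: HMAC-SHA256 over base64url(header) "." base64url(payload).
func SignHS256(key []byte, c Claims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c) // plain struct, cannot fail to marshal
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// Authorize returns nil when the token would pass "authorize with mypolicy",
// otherwise an error naming the first failed check.
func (p Policy) Authorize(token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	// Pin the algorithm: the verifier decides it is HS256, never the token.
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return errors.New("unexpected alg")
	}
	// Check the signature in constant time before trusting any claim.
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("signature does not verify under the shared key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return errors.New("malformed claims")
	}
	// The portal's "token lifetime 3600" ends up in exp; a missing exp fails.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired")
	}
	for _, r := range c.Roles {
		if p.allowedRoles[r] {
			return nil // matches "allow roles authp/admin authp/user"
		}
	}
	return errors.New("no allowed role")
}

func main() {
	key := []byte("constructed-secret-for-the-example") // stands in for JWT_SECRET
	policy := NewPolicy(key, "authp/admin", "authp/user")
	now := time.Now()
	exp := now.Add(3600 * time.Second).Unix()
	tokens := map[string]string{
		"user":   SignHS256(key, Claims{Sub: "jsmith", Roles: []string{"authp/user"}, Exp: exp}),
		"guest":  SignHS256(key, Claims{Sub: "guest", Roles: []string{"authp/guest"}, Exp: exp}),
		"forged": SignHS256([]byte("wrong-key"), Claims{Sub: "jsmith", Roles: []string{"authp/admin"}, Exp: exp}),
	}
	for name, tok := range tokens {
		fmt.Printf("%-6s -> %v\n", name, policy.Authorize(tok, now))
	}
}
```

The order of checks is the point: algorithm and signature are settled before any claim is read, so the roles and exp values of an unverified token never influence the decision. The same cookie domain (myfiosgateway.com) is what lets the token issued on auth.myfiosgateway.com reach www.myfiosgateway.com, where this policy runs.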
See LICENSE
Copyright 2022 Paul Greenberg (@greenpau)
Copyright 2022 Toowoxx IT GmbH
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.