--- layout: default title: Caddy parent: Proxy Integration grand_parent: Deployment nav_order: 1 --- # Caddy [Caddy] is a reverse proxy supported by **Authelia**. _**Important:** Caddy officially supports the forward auth flow in version 2.5.1 and greater. You must be using this version in order to use either Caddyfile._ Authelia offers integration support for the official forward auth integration method Caddy provides, we can't reasonably be expected to offer support for all of the different plugins that exist. ## Configuration Below you will find commented examples of the following configuration: * Authelia portal * Protected endpoint (Nextcloud) ### Basic examples This example is the preferred example for integration with Caddy. There is an [advanced example](#advanced-example) but we _**strongly urge**_ anyone who needs to use this for a particular reason to either reach out to us or Caddy for support to ensure the basic example covers your use case in a secure way. #### Subdomain ```Caddyfile authelia.example.com { reverse_proxy authelia:9091 } nextcloud.example.com { forward_auth authelia:9091 { uri /api/verify?rd=https://authelia.example.com copy_headers Remote-User Remote-Groups Remote-Name Remote-Email } reverse_proxy nextcloud:80 } ``` #### Subpath ```Caddyfile example.com { @authelia path /authelia /authelia/* handle @authelia { reverse_proxy authelia:9091 } @nextcloud path /nextcloud /nextcloud/* handle @nextcloud { forward_auth authelia:9091 { uri /api/verify?rd=https://example.com/authelia copy_headers Remote-User Remote-Groups Remote-Name Remote-Email } reverse_proxy nextcloud:80 } } ``` ## Advanced example The advanced example allows for more flexible customization, however the [basic example](#basic-example) should be preferred in _most_ situations. If you are unsure of what you're doing please don't use this method. _**Important:** Making a mistake when configuring the advanced example could lead to authentication bypass or errors._ ```Caddyfile authelia.example.com { reverse_proxy authelia:9091 } nextcloud.example.com { route { reverse_proxy authelia:9091 { method GET rewrite "/api/verify?rd=https://authelia.example.com" header_up X-Forwarded-Method {method} header_up X-Forwarded-Uri {uri} ## If the auth request: ## 1. Responds with a status code IN the 200-299 range. ## Then: ## 1. Proxy the request to the backend. ## 2. Copy the relevant headers from the auth request and provide them to the backend. @good status 2xx handle_response @good { request_header { Remote-User {http.reverse_proxy.header.Remote-User} Remote-Groups {http.reverse_proxy.header.Remote-Groups} Remote-Name {http.reverse_proxy.header.Remote-Name} Remote-Email {http.reverse_proxy.header.Remote-Email} } } ## If the auth request: ## 1. Responds with a status code NOT IN the 200-299 range. ## Then: ## 1. Respond with the status code of the auth request. ## 1. Copy the response except for several headers. @denied { status 1xx 3xx 4xx 5xx } handle_response @denied { copy_response copy_response_headers { exclude Connection Keep-Alive Te Trailers Transfer-Encoding Upgrade } } } reverse_proxy nextcloud:80 } } ``` [Caddy]: https://caddyserver.com