Authentik with Docker Compose Setup with Caddy Reverse Proxy

Authentik is an open-source Identity Provider that supports a large number of protocols, so you can secure your applications with SSO in the best way possible. It is a very useful tool and I use it myself in my production deployment, as it is resistant to attacks and can very easily be configured to protect new applications. After the setup I shall show you how to configure it with the Caddy reverse proxy.

We will be setting it up with docker-compose, and then I shall guide you through configuring it for the Caddy reverse proxy, because I found the official documentation to be somewhat lacking and decided to show you how to do it.

Requirements:

  • Server with Docker installed
  • Root terminal access

Setup:

First, create a new folder called authentik to work in. Once you're inside it, use your favourite text editor to create docker-compose.yml and paste the compose file below into it.

version: '3'

services:
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=(Insert Postgres Password)
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
  redis:
    image: redis:alpine
    restart: unless-stopped
  server:
    image: ghcr.io/goauthentik/server:2022.9.0
    restart: unless-stopped
    command: server
    container_name: authentik
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: (Insert Postgres Password)
      AUTHENTIK_SECRET_KEY: (Insert authentik secret key)
      AUTHENTIK_LOG_LEVEL: trace
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      - 9000:9000 # Authentik Web-UI HTTP Port
      - 9443:9443 # Authentik Web-UI HTTPS Port
  worker:
    image: ghcr.io/goauthentik/server:2022.9.0
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: (Insert Postgres Password)
      AUTHENTIK_SECRET_KEY: (Insert authentik secret key)
      AUTHENTIK_LOG_LEVEL: trace
    user: root
    volumes:
      - ./media:/media
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./custom-templates:/templates

Replace both the Postgres password and the Authentik secret key with the output of running "openssl rand -base64 36" twice (once for each value). Make sure each value is identical everywhere it appears: the Postgres password must match in the postgresql, server and worker services, and the secret key must match in the server and worker services. After this, save the file and run docker-compose up -d.

Next, go to the URL below and create an account so that we can get started. After doing this you can either set up OpenID login for services that support it, or continue to follow the guide and I shall show you how to set it up with the Caddy reverse proxy.

http://(IP of the Authentik Host):9000/if/flow/initial-setup/

Caddy Configuration:

Now we will move on to the Caddy configuration. To start with, we will configure the Authentik side: go to the admin interface, then Applications > Providers, and create a new provider of type Proxy Provider with the settings below, modifying the domain to the one that you are using.

Next, go to Applications and add an application, selecting the provider you just created and giving it whatever name you want.

Then go to Applications > Outposts, select the embedded outpost and make sure that the application you just added is assigned to it. If you forget to do this it will error out and you will not get it working.

The next step is the Caddy configuration. Below I have pasted a prebuilt configuration in which app1.example.com is protected by Authentik. Be sure to update the IP of your Authentik host, the IP of the app host and the email at the top, as it will be used to acquire certificates.

{
  email example@example.com
}

(authentik) {
    reverse_proxy /outpost.goauthentik.io/* http://(IP of your Authentik Host):9000

    # forward authentication to outpost
    forward_auth http://(IP of your Authentik Host):9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }
}

auth.example.com {
  reverse_proxy (IP of your Authentik Host):9000
}

app1.example.com {
  import authentik
  reverse_proxy (IP and Port of your App Host)
}
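As an added example (not part of the original guide or the authentik project), here is a minimal WSGI application showing how the app behind app1.example.com can consume the X-Authentik-* headers that the copy_headers line forwards. It assumes the app is reachable only through Caddy and that TRUSTED_PROXIES holds Caddy's address; the address and header values below are constructed.

```python
"""Consume identity headers forwarded by Caddy's forward_auth (added example)."""
from wsgiref.simple_server import make_server

# Constructed value: the address Caddy connects to the app from.
# Only requests from this peer may carry trusted identity headers.
TRUSTED_PROXIES = {"172.18.0.2"}

# Headers from the Caddyfile's copy_headers line, as WSGI exposes them.
HEADER_MAP = {
    "HTTP_X_AUTHENTIK_USERNAME": "username",
    "HTTP_X_AUTHENTIK_EMAIL": "email",
    "HTTP_X_AUTHENTIK_GROUPS": "groups",
}


def identity_from_environ(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the authenticated identity, or None if the request is untrusted.

    The headers are only meaningful when the peer is the reverse proxy that
    ran forward_auth; a client reaching the app directly could set them itself,
    so anything not coming from a trusted proxy is treated as anonymous.
    """
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None
    username = environ.get("HTTP_X_AUTHENTIK_USERNAME", "").strip()
    if not username:
        return None
    ident = {name: environ.get(key, "") for key, name in HEADER_MAP.items()}
    # authentik sends the group list separated by a pipe character
    ident["groups"] = [g for g in ident["groups"].split("|") if g]
    return ident


def app(environ, start_response):
    ident = identity_from_environ(environ)
    if ident is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no trusted identity\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {ident['username']} ({ident['email']})\n".encode()]


if __name__ == "__main__":
    # Listen on the port you point the app1.example.com reverse_proxy at.
    make_server("0.0.0.0", 8080, app).serve_forever()
```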

And then you are done. If you restart your Caddy server you should be able to go to app1.example.com and access your app while it is protected by Authentik, which will ask you to authenticate before you can access it. So now you have a protected app, and to add more just copy the app1 configuration, change the hostname and then add the new app host and port.

I hope this helped whoever is reading, and I wish you a very pleasant rest of your day.