Last updated on Mar. 1, 2019
In the video above, you can see that secret.int.localtest.me
† is secured behind a Google OAuth2 login. Unauthenticated requests are redirected to a login portal, auth.int.localtest.me
, which asks the user to log in using Google. With this, we are able to authenticate once for all sites under int.localtest.me
.
† localtest.me
as well as any of its subdomains resolve to 127.0.0.1
. This makes testing local services much easier.
⚠ Note: This post applies to Caddy 1 which was discontinued around mid-2020. Do not follow this if you are using Caddy 2.
🤔 How does this work?
Behind the scenes, authentication is handled using JWT Tokens set as cookies on the int.localtest.me
hostname, making them available to all subdomains. The JWT token is checked on every request to authenticated URLs. This is handled by the http.jwt
plugin.
The login portal is served using the http.loginsrv
plugin, which is a Caddy binding to tarent/loginsrv.
🛠 How do I set this up?
ℹ️ UPDATE Mar. 1, 2019 Due to Google+ being deprecated, it's no longer necesary to enable its API and OAuth scopes. I've removed the sections relating to that below.
We will assume the following:
- All internal services are hosted on
*.int.domain.tld
- The login portal will be served on
login.int.domain.tld
- The OAuth2 provider is Google with a list of approved email addresses
- Caddy is used as the front-facing proxy or webserver for all internal services
🔓 Base unsecured environment
We will start with an internal service, publicly accessible:
Caddyfile
secret.int.domain.tld {
...
}
📸 Install the Caddy plugins
👋🏼 I prefer to run Caddy inside a Docker container. But, you don't have to! You can skip this section, but make sure that your Caddy binary has the http.jwt
and http.login
plugins compiled. You can either compile the binary yourself or download a pre-built binary from Caddy's website making sure to include the plugins I mentioned.
The abiosoft/caddy
image doesn't include the http.jwt
and http.login
plugins, so we will need to build our own image. To do that, run:
docker build -t caddy-jwt-login --build-arg plugins="jwt,login" github.com/abiosoft/caddy-docker.git
Make sure to include any other plugins you might need if you are hosting other sites on the same Caddy instance. Replace caddy-jwt-login
with a different tag if it makes sense for you.
This will be the image that we will base our Caddy container on, instead of abiosoft/caddy
.
🌟 I've built and published an image that you can use, but I can't promise that it will always be up to date! kamaln7/caddy-jwt-login
. As of right now, the latest version is kamaln7/caddy-jwt-login:0.11.0
.
🔑 Set up the Google OAuth2 provider
In order to be able to use Google as an OAuth2 provider, we'll need to create a project in the Developers Console and add an OAuth2 service to it. Start by creating a new project here.
Then, browse to the developer console. Make sure your project is selected in the top-left corner.
Go to the Credentials page, accessible from the left sidebar. Click on the "Oauth consent screen" tab and fill in "Application name".
Scroll down to "Authorized domains" and enter your top-level domain name in the field (domain.tld
). Save and return to the Credentials page.
In the Credentials tab, click on the blue Create credentials button and select OAuth client ID.
The Application type will be Web application. Name it whatever you want, and add https://auth.int.domain.tld/login/google
to the Authorized redirect URIs list. Don't click Create right after filling out the field. Click anywhere else on the page to add it to the list and then click Create. Dumb UX, I know. But it's necessary.
On the following page, you will get a popup with your Client ID and secret. Save those somewhere because we will need them later.
🌐 Create the login portal
Add the following to your Caddy config. Replace YOURCLIENTID
with your Client ID and YOURCLIENTSECRET
with the secret.
auth.int.domain.tld {
tls [email protected]
redir 302 {
if {path} is /
/ /login
}
login {
google client_id=YOURCLIENTID,client_secret=YOURCLIENTSECRET
redirect_check_referer false
redirect_host_file /redirect_hosts.txt
cookie_domain int.domain.tld
}
}
This will configure the http.login
plugin with the Google OAuth2 provider you just created, set the cookies on int.domain.tld
instead of auth.int.domain.tld
, and allow rediretion to hosts in the redirect_hosts.txt
file. More on redirections below.
✅ Now, when you browse to https://auth.int.domain.tld
, you will be able to log in using your Google account. Note that anyone will be able to log in here, but not everyone will have access to the protected services. We will limit service access to specific email addresses in the following section.
🔐 Secure the internal service
All that is left is securing the internal service using the http.jwt
plugin. We will extract this config into its own snippet so we can easily re-use it with other services.
Caddyfile
(int-auth) {
jwt {
path /
redirect https://auth.int.domain.tld/login?backTo=https%3A%2F%2F{host}{rewrite_uri_escaped}
allow sub [email protected]
allow sub [email protected]
}
}
This will enable JWT auth on /
(every request) and redirect unauthenticated requests to our login portal. The backTo
parameter instructs the login portal to redirect back to the internal service on successful login. Repeat the allow sub ...
directives for each email address you want to allow access.
💭 Remember we talked about a redirect_hosts.txt
file? This is where it comes in. This file will contain a list of hosts that the login portal is allowed to redirect back to. By default, it won't allow any external URLs outside of auth.int.domain.tld
. By setting redirect_check_referer false
and providing a list of approved hosts, we are able to redirect users back to our internal services.
Create a file with each internal service on a line and add it to your Docker image or wherever Caddy is running. Just make sure to update the path to it in the Caddy config above (the login {}
block).
redirect_hosts.txt
secret.int.domain.tld
another-service.int.domain.tld
✨ Finally, import this snippet in the internal service config:
Caddyfile
secret.int.domain.tld {
import int-auth
...
}
What now?
That's it! Your internal service(s) are secured using the login portal.
OPTIONAL ⚡ Session persistance across Caddy restarts
JWT tokens are signed using a secret. This allows the server to validate that the tokens weren't tampered with (by anyone who doesn't have access to the secret). http.login
looks for a secret stored in the JWT_SECRET
environment variable:
- if it exists, it uses it
- otherwise, it uses
loginsrv
's default secret and updates the environment variable. The default secret is a randomly generated string
When validating requests, http.jwt
uses the JWT_SECRET
environment variable. This is all fine, because the default secret is randomly generated on startup and not a hard-coded string. However, this means that the secret changes when Caddy restarts, which causes all users to be logged out as their tokens become invalidated.
To make sessions persist across restarts, we need to set our own fixed secret. You can generate two random 16-character-long strings on random.org and put them together as a 32-character-long secret. (You need a paid random.org account to generate strings longer than 20 characters). Set the JWT_SECRET
environment variable to this token and make it available to Caddy.
📚 Resources
- tarent/loginsrv
- http.login - Caddy plugin
- http.jwt - Caddy plugin
- loginsrv ← OAuth2