Skip to content

Instantly share code, notes, and snippets.

@greenpau
Last active November 26, 2024 13:49
Show Gist options
  • Save greenpau/dbfadd3c9fee21dbb0a0d3902a8d0ec0 to your computer and use it in GitHub Desktop.
Save greenpau/dbfadd3c9fee21dbb0a0d3902a8d0ec0 to your computer and use it in GitHub Desktop.
{
http_port 8080
https_port 8443
# debug
security {
authentication portal myportal {
crypto default token lifetime 3600
crypto key sign-verify {env.JWT_SHARED_KEY}
backend local {env.HOME}/.local/caddy/users.json local
backend github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
cookie domain myfiosgateway.com
ui {
links {
"My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
"Guests" https://assetq.myfiosgateway.com:8443/guests icon "las la-star"
"Users" https://assetq.myfiosgateway.com:8443/users icon "las la-star"
"Admins" https://assetq.myfiosgateway.com:8443/admins icon "las la-star"
"My Identity" "/whoami" icon "las la-user"
}
password_recovery_enabled yes
}
transform user {
match origin local
action add role authp/user
ui link "Portal Settings" /settings icon "las la-cog"
}
transform user {
match realm github
match sub github.com/greenpau
action add role authp/user
}
registration {
dropbox {env.HOME}/.local/caddy/registrations.json
title "User Registration"
code "NY2020"
require accept terms
require domain mx
}
}
authorization policy guests_policy {
# disable auth redirect
set auth url https://auth.myfiosgateway.com:8443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow guests only
match role guest authp/guest
allow stop log info
}
acl rule {
comment default deny
always match iss any
deny log warn
}
}
authorization policy users_policy {
set auth url https://auth.myfiosgateway.com:8443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow users
match role authp/user
allow stop log info
}
acl rule {
comment default deny
always match role any
deny log warn
}
}
authorization policy admins_policy {
set auth url https://auth.myfiosgateway.com:8443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow users
match role authp/user
allow stop log info
}
acl rule {
comment default deny
always match role any
deny log warn
}
}
}
}
(tls_config) {
tls {env.HOME}/.local/caddy/server.crt {env.HOME}/.local/caddy/server.key
}
auth.myfiosgateway.com {
import tls_config
route {
authenticate with myportal
}
}
assetq.myfiosgateway.com {
import tls_config
route /guests* {
authorize with guests_policy
respond * "assetq - guests only" 200
}
route /users* {
authorize with users_policy
respond * "assetq - users" 200
}
route /admins* {
authorize with admins_policy
respond * "assetq - admins" 200
}
route {
respond "assetq is running"
}
}
@kwuite
Copy link

kwuite commented Nov 26, 2024

@greenpau is this still maintained. I tried your config and /settings /admin /guest paths all redirect like full urls instead of paths so the url address in the browser becomes https://test.localhost/test.localhost/guests.

Also the syntax seems to be invalid. password_recovery_enabled yes is not recognized and had to be disabled in order for Caddy to start.

I am using your latest Caddy docker Image. ghcr.io/authcrunch/authcrunch:v1.0.11

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment