mueslimak3r/caddy-security-caddyfile

## caddy-security-caddyfile
{
        admin off

        http_port 80
        https_port 443

        order authenticate before respond
        order authorize before basicauth

        security {
                oauth identity provider google {env.GOOGLE_CLIENT_ID} {env.GOOGLE_CLIENT_SECRET}

                authentication portal myportal {
                        enable identity provider google

                        crypto default token lifetime 3600
                        crypto key sign-verify {env.JWT_SHARED_KEY}
                        cookie domain mydomain.com
                        ui {
                                links {
                                        "My Identity" "/whoami" icon "las la-user"
                                }
                        }

                        transform user {
                                match realm google
                                action add role authp/user
                                ui link "Main Website" https://mydomain.com icon "las la-star"
                        }

                        transform user {
                                match realm google
                                match email myemail@gmail.com
                                action add role authp/admin
                        }
                }

                authorization policy mypolicy {
                        set auth url https://auth.mydomain.com/auth/oauth2/google
                        crypto key verify {env.JWT_SHARED_KEY}
                        allow roles authp/admin authp/user
                        validate bearer header
                        inject headers with claims
                }
        }
}

auth.mydomain.com {
        authenticate with myportal
}

myservice.mydomain.com {
        authorize with mypolicy
        reverse_proxy http://localhost:9000
}

myfileserver.mydomain.com {
        redir / https://mydomain.com

        root * /AppData/webfiles
        file_server

        handle_errors {
                respond "{http.error.status_code} {http.error.status_text}"
        }
}

mydomain.com {
        reverse_proxy http://localhost:8080
}

www.mydomain.com {
        redir https://mydomain.com
}
	{
	admin off

	http_port 80
	https_port 443

	order authenticate before respond
	order authorize before basicauth

	security {
	oauth identity provider google {env.GOOGLE_CLIENT_ID} {env.GOOGLE_CLIENT_SECRET}

	authentication portal myportal {
	enable identity provider google

	crypto default token lifetime 3600
	crypto key sign-verify {env.JWT_SHARED_KEY}
	cookie domain mydomain.com
	ui {
	links {
	"My Identity" "/whoami" icon "las la-user"
	}
	}

	transform user {
	match realm google
	action add role authp/user
	ui link "Main Website" https://mydomain.com icon "las la-star"
	}

	transform user {
	match realm google
	match email myemail@gmail.com
	action add role authp/admin
	}
	}

	authorization policy mypolicy {
	set auth url https://auth.mydomain.com/auth/oauth2/google
	crypto key verify {env.JWT_SHARED_KEY}
	allow roles authp/admin authp/user
	validate bearer header
	inject headers with claims
	}
	}
	}

	auth.mydomain.com {
	authenticate with myportal
	}

	myservice.mydomain.com {
	authorize with mypolicy
	reverse_proxy http://localhost:9000
	}

	myfileserver.mydomain.com {
	redir / https://mydomain.com

	root * /AppData/webfiles
	file_server

	handle_errors {
	respond "{http.error.status_code} {http.error.status_text}"
	}
	}

	mydomain.com {
	reverse_proxy http://localhost:8080
	}

	www.mydomain.com {
	redir https://mydomain.com
	}