
Caddy

Learn how to set up Tinyauth with the Caddy reverse proxy.

Contributor: @erwinkramer

This guide provides a Caddy configuration for Docker Compose, based on caddy-docker-proxy, that works with Tinyauth and is configured entirely through container labels.

Authentication Snippet

Include the following labels anywhere in the Compose file under a service. This creates a reusable snippet, called tinyauth_forwarder, to forward authentication:

caddy: (tinyauth_forwarder)
caddy.forward_auth: tinyauth:3000
caddy.forward_auth.uri: /api/auth/caddy

This results in the following snippet:

(tinyauth_forwarder) {
  forward_auth tinyauth:3000 {
    uri /api/auth/caddy
  }
}

Caddy Configuration

The caddy-docker-proxy service might look like this if the labels are added:

services:
  caddy:
    container_name: caddy
    image: lucaslorentz/caddy-docker-proxy:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/caddy:/data
    labels:
      caddy: (tinyauth_forwarder)
      caddy.forward_auth: tinyauth:3000
      caddy.forward_auth.uri: /api/auth/caddy

Tinyauth Configuration

Add Tinyauth and place it behind Caddy with the caddy and caddy.reverse_proxy labels:

services:
  tinyauth:
    container_name: tinyauth
    image: ghcr.io/steveiliop56/tinyauth:v4
    restart: unless-stopped
    environment:
      - APP_URL=http://auth.example.com
      - USERS=your-username-password-hash
    labels:
      caddy: http://auth.example.com
      caddy.reverse_proxy: "{{upstreams 3000}}"

Securing a Service

Any service can be placed behind Tinyauth. The only addition required to secure a service is a label that imports the reusable snippet, tinyauth_forwarder, created earlier:

caddy.import: tinyauth_forwarder *

Using Whoami as an example, it might look like this:

services:
  whoami:
    container_name: whoami
    image: traefik/whoami:latest
    restart: unless-stopped
    labels:
      caddy: http://whoami.example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.import: tinyauth_forwarder *

Complete Example

Here is a complete example with all the services together:

services:
  caddy:
    container_name: caddy
    image: lucaslorentz/caddy-docker-proxy:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/caddy:/data
    labels:
      caddy: (tinyauth_forwarder)
      caddy.forward_auth: tinyauth:3000
      caddy.forward_auth.uri: /api/auth/caddy
      caddy.forward_auth.copy_headers: Remote-User Remote-Name Remote-Email Remote-Groups # optional when you want to make headers available to your service

  tinyauth:
    container_name: tinyauth
    image: ghcr.io/steveiliop56/tinyauth:v4
    restart: unless-stopped
    environment:
      - APP_URL=http://auth.example.com
      - USERS=your-username-password-hash
    labels:
      caddy: http://auth.example.com
      caddy.reverse_proxy: "{{upstreams 3000}}"

  whoami:
    container_name: whoami
    image: traefik/whoami:latest
    restart: unless-stopped
    labels:
      caddy: http://whoami.example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.import: tinyauth_forwarder *
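
Because protection depends on a single label per service, a service that has caddy.reverse_proxy but no caddy.import is published without authentication. The following check is an added example, not part of the original guide or of Tinyauth: it lists such services from a Compose file in JSON form (for instance the output of `docker compose config --format json`). It assumes the label names used on this page; the grafana and notes services in the sample are constructed.

```python
import json

SNIPPET = "tinyauth_forwarder"  # snippet name defined on this page

def labels_of(service):
    """Return labels as a dict; Compose accepts a map or a list of key=value strings."""
    labels = service.get("labels") or {}
    if isinstance(labels, list):
        labels = dict(i.split("=", 1) if "=" in i else (i, "") for i in labels)
    return {str(k): str(v) for k, v in labels.items()}

def unprotected_services(compose, auth_service="tinyauth"):
    """Names of services Caddy proxies without importing the forward_auth snippet."""
    missing = []
    for name, service in (compose.get("services") or {}).items():
        labels = labels_of(service)
        # Skip services Caddy does not route to and the login service itself,
        # which has to stay reachable without a session.
        if "caddy.reverse_proxy" not in labels or name == auth_service:
            continue
        imported = labels.get("caddy.import", "").split()
        if not imported or imported[0] != SNIPPET:
            missing.append(name)
    return sorted(missing)

# Constructed sample: the page's three services plus a hypothetical "grafana"
# (map labels, no import) and "notes" (list labels, with import).
SAMPLE = json.loads("""
{"services": {
  "caddy": {"labels": {"caddy": "(tinyauth_forwarder)",
                       "caddy.forward_auth": "tinyauth:3000",
                       "caddy.forward_auth.uri": "/api/auth/caddy"}},
  "tinyauth": {"labels": {"caddy": "http://auth.example.com",
                          "caddy.reverse_proxy": "{{upstreams 3000}}"}},
  "whoami": {"labels": {"caddy": "http://whoami.example.com",
                        "caddy.reverse_proxy": "{{upstreams 80}}",
                        "caddy.import": "tinyauth_forwarder *"}},
  "grafana": {"labels": {"caddy": "http://grafana.example.com",
                         "caddy.reverse_proxy": "{{upstreams 3000}}"}},
  "notes": {"labels": ["caddy=http://notes.example.com",
                       "caddy.reverse_proxy={{upstreams 8080}}",
                       "caddy.import=tinyauth_forwarder *"]}
}}
""")

if __name__ == "__main__":
    for name in unprotected_services(SAMPLE):
        print(f"{name}: proxied by Caddy without 'caddy.import: {SNIPPET} *'")
```

Run against the sample, it reports only grafana; services that are intentionally public need to be excluded by the caller.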