Caddy

Contributor: @erwinkramer

A Caddy configuration for Docker Compose, based on caddy-docker-proxy, that works with Tinyauth to enable a fully labeled configuration.

Include the following labels anywhere in the Compose file under a service. This creates a reusable snippet, called tinyauth_forwarder, to forward authentication:

caddy: (tinyauth_forwarder)
caddy.forward_auth: tinyauth:3000
caddy.forward_auth.uri: /api/auth/caddy

This results in the following snippet:

(tinyauth_forwarder) {
    forward_auth tinyauth:3000 {
        uri /api/auth/caddy
    }
}

The caddy-docker-proxy service might look like this if the labels are added:

services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:2.10.0
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy-data:/data
    labels:
      caddy: (tinyauth_forwarder)
      caddy.forward_auth: tinyauth:3000
      caddy.forward_auth.uri: /api/auth/caddy
volumes:
  caddy-data:

Add Tinyauth and place it behind Caddy with the caddy and caddy.reverse_proxy labels:

services:
  tinyauth:
    image: ghcr.io/steveiliop56/tinyauth:v5
    restart: unless-stopped
    environment:
      - TINYAUTH_APPURL=http://auth.example.com
      - TINYAUTH_AUTH_USERS=your-username-password-hash
    labels:
      caddy: http://auth.example.com
      caddy.reverse_proxy: "{{upstreams 3000}}"

Place any service behind Tinyauth. The only addition required to secure a service is the reusable snippet, tinyauth_forwarder, created earlier:

caddy.import: tinyauth_forwarder *

Using Whoami as an example, it might look like this:

services:
  whoami:
    image: traefik/whoami:latest
    restart: unless-stopped
    labels:
      caddy: http://whoami.example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.import: tinyauth_forwarder *

Here is a complete example with all the services together:

services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:2.10.0
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy-data:/data
    labels:
      caddy: (tinyauth_forwarder)
      caddy.forward_auth: tinyauth:3000
      caddy.forward_auth.uri: /api/auth/caddy
      caddy.forward_auth.copy_headers: Remote-User Remote-Name Remote-Email Remote-Groups # optional when you want to make headers available to your service
  tinyauth:
    image: ghcr.io/steveiliop56/tinyauth:v5
    restart: unless-stopped
    environment:
      - TINYAUTH_APPURL=http://auth.example.com
      - TINYAUTH_AUTH_USERS=your-username-password-hash
    labels:
      caddy: http://auth.example.com
      caddy.reverse_proxy: "{{upstreams 3000}}"
  whoami:
    image: traefik/whoami:latest
    restart: unless-stopped
    labels:
      caddy: http://whoami.example.com
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.import: tinyauth_forwarder *
volumes:
  caddy-data:
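
Because protection depends on each service carrying the caddy.import label, a service proxied without it is reachable with no login. The following check is an added example, not part of the original guide or of Tinyauth or caddy-docker-proxy: it lists every service that has a caddy.reverse_proxy label but does not import the forward-auth snippet. The sample data, the notes service and the function names are constructed for illustration, and only the plain label forms shown on this page are handled.

```python
# Constructed sample: the "services" map shaped like the output of
# `docker compose config --format json`, reduced to labels, plus a hypothetical
# "notes" service that is proxied by Caddy but never got the import label.
SAMPLE = {"services": {
    "caddy": {"labels": {
        "caddy": "(tinyauth_forwarder)",
        "caddy.forward_auth": "tinyauth:3000",
        "caddy.forward_auth.uri": "/api/auth/caddy"}},
    "tinyauth": {"labels": {
        "caddy": "http://auth.example.com",
        "caddy.reverse_proxy": "{{upstreams 3000}}"}},
    "whoami": {"labels": {
        "caddy": "http://whoami.example.com",
        "caddy.reverse_proxy": "{{upstreams 80}}",
        "caddy.import": "tinyauth_forwarder *"}},
    "notes": {"labels": {
        "caddy": "http://notes.example.com",
        "caddy.reverse_proxy": "{{upstreams 8080}}"}},
}}


def labels_of(service):
    """Return labels as a dict; Compose also allows a list of 'key=value'."""
    raw = service.get("labels") or {}
    if isinstance(raw, list):
        raw = dict(item.split("=", 1) for item in raw)
    return {str(k): str(v) for k, v in raw.items()}


def unprotected_services(compose):
    """Names of services proxied by Caddy that never import the auth snippet."""
    services = {n: labels_of(s) for n, s in compose.get("services", {}).items()}
    snippets, auth_hosts = set(), set()
    for labels in services.values():
        site = labels.get("caddy", "")
        upstream = labels.get("caddy.forward_auth")
        if site.startswith("(") and site.endswith(")") and upstream:
            snippets.add(site[1:-1])                # e.g. tinyauth_forwarder
            auth_hosts.add(upstream.split(":")[0])  # e.g. tinyauth
    findings = []
    for name, labels in services.items():
        if "caddy.reverse_proxy" not in labels or name in auth_hosts:
            continue  # not exposed through Caddy, or the login service itself
        imported = labels.get("caddy.import", "").split()
        if not imported or imported[0] not in snippets:
            findings.append(name)
    return sorted(findings)
```

To audit a real project, pass the function the parsed output of `docker compose config --format json`, for example with `json.load(sys.stdin)`.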