Use Authelia for single-sign on with Caddy as a reverse proxy

For self-hosting enthusiasts, exposing web applications to the internet for private or public use is a recurring problem to solve. Sometimes you might want to expose web applications for just yourself, but don't want the entire world to use those services. A common way of solving this is by using a VPN. However, a VPN is not perfect either because you always have to connect to VPN to be able to use the web service.

A good alternative would be to secure your web applications use a single sign-on portal. Using this method, you can access your private web applications over the internet without need for a VPN, but still have a secure layer in front of the application to restrict access.

Authelia is a popular open-source single sign-on portal that you can easily host yourself.  It works by default with reverse proxies such nginx, Traefix or HAProxy. However, my favourite reverse proxy is Caddy and that one is missing from the list of supported reverse proxies. Luckily, we can easily solve this problem by putting Traefik as a reverse proxy for secure applications behind Caddy (reverse proxy behind a reverse proxy).

Simply create an entry in your Caddyfile for the domains you want to be secured (including the domain for Authelia), and forward all those domains to Traefik. In my case, Caddy is in the same network as Traefik so I can simply forward all requests to the https://traefik:443.,, {
  reverse_proxy {
    to https://traefik:443
    transport http {

A few things to notice here:
1. Internal traffic must be https encrypted because Authelia is not able to set secure cookies without.
2. The tls_insecure_skip_verify flag is added to avoid insecure certificate errors. Normally this is not recommended in production, but since our traffic will be encrypted using HTTPS externally, it's not a problem.

Now proceed to configure Authelia according to the documentation, and enjoy your secured web applications!

Show Comments