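{
	# Listen ports. The authorization policy's auth URL and the "File Server"
	# UI link below both use :8443, so keep https_port in sync with them.
	http_port 8080
	https_port 8443
	# debug

	# caddy-security registers its own handlers; these place them ahead of
	# respond / basicauth so authentication and authorization run before a
	# response is produced.
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider gitlab {
			realm gitlab
			driver gitlab
			domain_name gitlab.contoso.com
			client_id 522a2f714a1e978c52e80909e543e2a51
			# The client secret is read from the environment, the same way
			# JWT_SHARED_KEY is below, instead of being stored in this file.
			# GITLAB_CLIENT_SECRET is a name chosen here; export it in the
			# service environment before starting Caddy.
			client_secret {env.GITLAB_CLIENT_SECRET}
			scopes openid email profile
			# Restricts which GitLab groups are taken over from the provider
			# (confirm exact semantics against the caddy-security docs).
			# NOTE(review): "^a" is a regex matching every group whose name
			# starts with "a" — confirm this is intended rather than one group.
			user_group_filters barfoo
			user_group_filters ^a
		}
		authentication portal myportal {
			# Issued tokens live for 3600 (one hour if the unit is seconds —
			# confirm) and are signed/verified with the key from
			# JWT_SHARED_KEY; the policy below verifies with the same key.
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider gitlab
			# Cookie is scoped to the parent domain so a session issued on
			# auth.myfiosgateway.com is also presented to assetq.myfiosgateway.com.
			cookie domain myfiosgateway.com
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			# Everyone authenticated through the gitlab realm gets authp/user
			# and a portal link to the file server.
			transform user {
				match realm gitlab
				action add role authp/user
				ui link "File Server" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
			}
			# One specific account is additionally granted authp/admin.
			transform user {
				match realm gitlab
				match email greenpau@contoso.com
				action add role authp/admin
			}
		}
		authorization policy mypolicy {
			# Where requests without a valid token are sent; the port must
			# match https_port above.
			set auth url https://auth.myfiosgateway.com:8443/oauth2/gitlab
			crypto key verify {env.JWT_SHARED_KEY}
			# Either role grants access, so both transforms above suffice.
			allow roles authp/admin authp/user
			# Presumably also accepts the token from an Authorization: Bearer
			# header, not only the cookie — confirm against the docs.
			validate bearer header
			# Forward token claims to the protected handler as request headers.
			inject headers with claims
		}
	}
}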
# Reusable snippet: both site blocks below `import tls_config` to serve the
# same certificate/key pair. {$HOME} is substituted when the Caddyfile is
# parsed (contrast {env.HOME} under the assetq site, resolved at runtime).
(tls_config) {
	tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
}
# Authentication portal host: runs the login flow of the "myportal" portal
# declared in the global security block.
auth.myfiosgateway.com {
	import tls_config
	authenticate with myportal
}
# Protected static site: every request is checked against "mypolicy"
# (authp/admin or authp/user role required) before file_server serves
# {env.HOME}/www. Requests without a valid token are presumably redirected
# to the auth URL set in that policy.
assetq.myfiosgateway.com {
	import tls_config
	authorize with mypolicy
	root * {env.HOME}/www
	file_server
}