πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”

irishismyname/caddy-security

caddy-security

Security App and Plugin for Caddy v2. It includes:

  • Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
  • Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
  • Credentials Plugin for managing credentials for various integrations

Please show your appreciation for this work and ⭐ ⭐ ⭐

Please consider sponsoring this project!

Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau


⚠️ Please open an issue if you need help migrating configurations from caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).


Documentation: authp.github.io

Security Policy: SECURITY.md

Overview

The caddy-security app manages the authentication portal, the authorization security policy, and credentials. The plugin enforces the security policy on endpoints with the authorize keyword and serves the authentication portal with the authenticate keyword.

The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/greenpau/authcrunch.

Getting Started

Configuration happens in the Caddyfile's global options block.

  • Setting Up Local Authentication: Video and Config Gist
  • Login with App Authenticator and Yubico U2F: Video
  • Customizing Caddy Auth Portal UI: Video
  • Caddy Authorize: Authorizing HTTP Requests: Video

Download Caddy with the plugins enabled:

Credentials

The following configuration adds SMTP credentials to the security app. The app and plugin can then use these credentials in their messaging configuration.

{
  security {
    credentials root@localhost {
      username {env.SMTP_USERNAME}
      password {env.SMTP_PASSWORD}
    }
  }
}

Messaging

The following configuration sets up an email messaging provider. It uses the previously configured root@localhost credentials.

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtp
      credentials root@localhost
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

The provider can also be "passwordless", with the passwordless keyword in place of the credentials line:

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtp
      passwordless
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

It can also use TLS, by setting the protocol to smtps:

{
  security {
    messaging email provider localhost-smtp-server {
      address 127.0.0.1:1025
      protocol smtps
      passwordless
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }
}

Authentication

The following configuration adds an authentication portal.

{
  security {
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SECRET}
      backend local {env.HOME}/.local/caddy/users.json local
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
  }
}

auth.myfiosgateway.com {
  authenticate * with myportal
}

Authorization

The following configuration adds authorization functionality and handlers.

{
  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/public_html
  file_server
}
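
The portal and the policy above share one secret: the portal signs with `crypto key sign-verify {env.JWT_SECRET}` and the policy checks with `crypto key verify {env.JWT_SECRET}`. The Go sketch below is an added illustration, not code from caddy-security or authcrunch, of what such a shared-key check amounts to: signature, expiry (the 3600-second lifetime), and a match against `allow roles`. It assumes HMAC-SHA512 and a `roles` claim; the key and timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

func seal(secret []byte, msg string) string { // msg + "." + base64url(HMAC-SHA512)
	h := hmac.New(sha512.New, secret)
	h.Write([]byte(msg))
	return msg + "." + base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

func Sign(secret []byte, roles []string, exp int64) string { // portal side: "crypto key sign-verify"
	const hdr = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9" // {"alg":"HS512","typ":"JWT"}
	body, _ := json.Marshal(map[string]any{"roles": roles, "exp": exp})
	return seal(secret, hdr+"."+base64.RawURLEncoding.EncodeToString(body))
}

// Authorize is the policy side ("crypto key verify", "allow roles"); HS512 is assumed and pinned.
func Authorize(secret []byte, token string, allowed map[string]bool, now int64) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(token), []byte(seal(secret, p[0]+"."+p[1]))) {
		return fmt.Errorf("bad token or signature")
	}
	var c struct { // the "roles" claim name is an assumption of this sketch
		Roles []string `json:"roles"`
		Exp   int64    `json:"exp"`
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &c) != nil || now >= c.Exp {
		return fmt.Errorf("unreadable or expired claims")
	}
	for _, r := range c.Roles {
		if allowed[r] {
			return nil
		}
	}
	return fmt.Errorf("no allowed role")
}

func main() {
	key := []byte("constructed-demo-secret") // stands in for {env.JWT_SECRET}
	policy := map[string]bool{"authp/admin": true, "authp/user": true}
	fmt.Println(Authorize(key, Sign(key, []string{"authp/user"}, 1700003600), policy, 1700000000))
}
```

Because the key is symmetric, any host that holds JWT_SECRET for verification can also produce tokens the policy accepts, so it needs the same protection on the authorizing hosts as on the portal.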

User Interface

User Login

Portal

User Identity (whoami)

User Settings

Password Management

Add U2F Token (Yubico)

Add Authenticator App

Multi-Factor Authentication
