OAuth2-Proxy behind CaddyV2 with Azure AAD
Looking to secure an internal app with Azure AAD and get the benefits of MFA?
Presumptions:
– You already run Caddy as a reverse proxy into your network
– You have Azure AAD set up and understand App Registrations / Authentication flows
– You have a docker host internally (I’m using Unraid)
Install OAuth2-Proxy as per https://quay.io/repository/oauth2-proxy/oauth2-proxy
Set up an Azure App Registration as per https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#azure-auth-provider (follow the instructions for the V2 Azure Auth endpoint)
Copy down the Client ID, Client Secret and your Tenant ID
oauth2_proxy.cfg
# OAuth2 Proxy configuration file
email_domains = ["*"] # Change this to restrict to specific domains, if needed
# Provider Configuration
provider = "azure"
client_id = "xxx-xxx-xxx-xxx-xxx"
client_secret = "xxx"
azure_tenant = "xxx-xxx-xxx-xxx-xxx"
oidc_issuer_url = "https://login.microsoftonline.com/${azure_tenant_id}/v2.0" # Replace ${azure_tenant_id} with actual tenantID
# Cookie Settings
cookie_secret = "xxx" # Must be 16, 24 or 32 bytes (optionally base64-encoded); generate a random value
cookie_secure = true
cookie_expire = "24h"
cookie_refresh = "1h"
cookie_name = "_oauth2_proxy"
reverse_proxy = true # oauth2-proxy sits behind Caddy, so trust the X-Forwarded-* headers it sets
# Upstream and Listen Configuration
upstreams = ["http://internal-app-ip:port/"] # The app that authenticated requests are forwarded to
http_address = "0.0.0.0:4180"
redirect_url = "https://${domain}/oauth2/callback" # replace ${domain} with your actual domain
# Other settings (optional)
skip_provider_button = true # To skip provider selection page
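Before deploying, it is worth checking the config for the mistakes that most often break or weaken this setup: a redirect_url that does not end in /oauth2/callback, a cookie_secret of the wrong length, cookie_secure left off, placeholders left in, and the wide-open email_domains = ["*"]. The following script is an added example, not part of oauth2-proxy or the original post. It parses the flat key = value subset of the config file format shown above with a small hand-written parser (no TOML library needed), then lints the result. The sample config embedded in it is constructed to mirror the template above, with a made-up hostname.

```python
"""Lint an oauth2-proxy config file (the flat key = value format shown above).

Added example, not part of oauth2-proxy or the original post. Checks:
  - redirect_url ends in /oauth2/callback and uses https
  - cookie_secret decodes to 16, 24 or 32 bytes (oauth2-proxy's AES key sizes)
  - cookie_secure is true
  - email_domains = ["*"] is flagged, since any account in the tenant may sign in
  - placeholder "xxx" values are still present
"""
import base64
import re
import secrets
from typing import Any, Dict, List

# Constructed sample config: mirrors the post's template with placeholder values.
SAMPLE_CFG = '''
# OAuth2 Proxy configuration file
email_domains = ["*"]
provider = "azure"
client_id = "xxx-xxx-xxx-xxx-xxx"
client_secret = "xxx"
cookie_secret = "xxx"
cookie_secure = true
redirect_url = "https://apps.example.test/oauth2/callback" # constructed hostname
upstreams = ["http://10.0.0.5:8080/"]
http_address = "0.0.0.0:4180"
'''

_LINE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def _strip_comment(value: str) -> str:
    """Drop a trailing '# ...' comment that is not inside a quoted string."""
    in_str = False
    for i, ch in enumerate(value):
        if ch == '"':
            in_str = not in_str
        elif ch == '#' and not in_str:
            return value[:i].rstrip()
    return value.strip()


def _parse_value(raw: str) -> Any:
    raw = _strip_comment(raw)
    if raw.startswith('[') and raw.endswith(']'):
        return [_parse_value(item) for item in raw[1:-1].split(',') if item.strip()]
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ('true', 'false'):
        return raw == 'true'
    return raw


def parse_cfg(text: str) -> Dict[str, Any]:
    """Minimal parser for the flat key = value subset oauth2-proxy's config uses."""
    cfg: Dict[str, Any] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = _parse_value(m.group(2))
    return cfg


def secret_byte_len(secret: str) -> int:
    """oauth2-proxy accepts the raw secret or its base64 form; return the effective length."""
    try:
        decoded = base64.urlsafe_b64decode(secret + '=' * (-len(secret) % 4))
        if len(decoded) in (16, 24, 32):
            return len(decoded)
    except ValueError:
        pass
    return len(secret.encode())


def make_cookie_secret() -> str:
    """Generate a 32-byte random secret in the base64 form oauth2-proxy accepts."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def lint(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable problems; empty means the checks passed."""
    problems: List[str] = []
    redirect = str(cfg.get('redirect_url', ''))
    if not redirect.endswith('/oauth2/callback'):
        problems.append('redirect_url must end in /oauth2/callback and match the AAD registration')
    if not redirect.startswith('https://'):
        problems.append('redirect_url should use https')
    if secret_byte_len(str(cfg.get('cookie_secret', ''))) not in (16, 24, 32):
        problems.append('cookie_secret must be 16, 24 or 32 bytes')
    if cfg.get('cookie_secure') is not True:
        problems.append('cookie_secure should be true behind an HTTPS proxy')
    if cfg.get('email_domains') == ['*']:
        problems.append('email_domains = ["*"]: any account in the tenant can sign in; restrict if needed')
    for key in ('client_id', 'client_secret', 'azure_tenant'):
        value = str(cfg.get(key, ''))
        if not value or value.startswith('xxx'):
            problems.append(f'{key} is missing or still holds a placeholder')
    return problems


if __name__ == '__main__':
    for problem in lint(parse_cfg(SAMPLE_CFG)):
        print('-', problem)
    print('example cookie_secret:', make_cookie_secret())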
Caddyfile
domain {   # replace "domain" with the hostname used in redirect_url
    reverse_proxy http://oauth2-proxy-ip:4180
}
The redirect URL must match the one registered in AAD exactly: make sure both end in /oauth2/callback, and make sure Caddy routes that path to oauth2-proxy first in its reverse_proxy config, as in the example.
Any folders (paths) you add must also go through oauth2-proxy and never directly to the app, as a direct route bypasses the authentication entirely! Test this a LOT in incognito mode from a separate network.
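The bypass described above is easy to introduce later, for example by adding a handle block or a path-matched reverse_proxy straight to the app for "just static files". The following script is an added example, not part of Caddy, oauth2-proxy or the original post: it walks a site block and reports every reverse_proxy whose upstream is not the oauth2-proxy listener, since any such route serves the app unauthenticated. It understands only the Caddyfile subset used here (handle/route/handle_path blocks with a matcher, and reverse_proxy lines with an optional inline matcher); the two Caddyfiles it checks are constructed, one with bypass routes and one that sends everything through oauth2-proxy, and the hostname and addresses are placeholders.

```python
"""Audit a Caddyfile for routes that reach the app without going through oauth2-proxy.

Added example, not part of Caddy, oauth2-proxy or the original post. Assumes the
Caddyfile subset used here: 'handle <matcher> {' style blocks and
'reverse_proxy [matcher] <upstream...>' lines.
"""
import re
from typing import List, Optional, Tuple

OAUTH2_PROXY = "http://oauth2-proxy-ip:4180"   # placeholder address, as in the post

# Constructed: paths added later that go straight to the app and skip authentication.
BAD_CADDYFILE = """
apps.example.test {
    handle /static/* {
        reverse_proxy http://internal-app-ip:port   # bypass: no oauth2-proxy in front
    }
    reverse_proxy /api/* http://internal-app-ip:port  # bypass: inline matcher, direct to app
    reverse_proxy http://oauth2-proxy-ip:4180
}
"""

# Constructed: every path goes through oauth2-proxy, which forwards to the app itself.
GOOD_CADDYFILE = """
apps.example.test {
    reverse_proxy http://oauth2-proxy-ip:4180
}
"""

_BLOCK = re.compile(r'^(handle|route|handle_path)\s+(\S+)\s*\{$')
_PROXY = re.compile(r'^reverse_proxy\s+(.*)$')


def find_bypass_routes(caddyfile: str,
                       proxy_upstream: str = OAUTH2_PROXY) -> List[Tuple[str, str]]:
    """Return (matcher, upstream) pairs for reverse_proxy lines whose upstream is not oauth2-proxy."""
    bypasses: List[Tuple[str, str]] = []
    # One entry per open block: the block's matcher, or None for the site block / other directives.
    stack: List[Optional[str]] = []
    for raw in caddyfile.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments
        if not line:
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        block = _BLOCK.match(line)
        if block:
            stack.append(block.group(2))
            continue
        if line.endswith('{'):
            stack.append(None)
            continue
        proxy = _PROXY.match(line)
        if not proxy:
            continue
        args = proxy.group(1).split()
        matcher: Optional[str] = None
        if args and (args[0].startswith('/') or args[0].startswith('@')):
            matcher = args.pop(0)               # inline matcher on the directive itself
        if matcher is None:
            # Otherwise the route is scoped by the nearest enclosing handle block, or catch-all.
            matcher = next((m for m in reversed(stack) if m), '*')
        for upstream in args:
            if upstream.rstrip('/') != proxy_upstream.rstrip('/'):
                bypasses.append((matcher, upstream))
    return bypasses


if __name__ == '__main__':
    for name, text in (('bad', BAD_CADDYFILE), ('good', GOOD_CADDYFILE)):
        routes = find_bypass_routes(text)
        print(f'{name}: {len(routes)} bypass route(s)')
        for matcher, upstream in routes:
            print(f'  {matcher} -> {upstream}')
```

This is a static check on the Caddyfile only; it does not replace testing from a separate network, and it will not see routes defined in imported snippets or in directives outside the subset it parses.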
This will expose one app on one domain.