
Add a Module - goes wrong #49

Open
dancgn opened this issue Jan 31, 2025 · 2 comments

Comments

@dancgn

dancgn commented Jan 31, 2025

Hello there,

I have issues adding another module to the Caddyfile.

Error: cannot auto-upgrade when Go module has been replaced: github.com/fabriziosalmi/caddy-waf => /opt/caddy-waf

I guess caddy-waf works, but I'm trying to install caddy-security. It seems that the plugin is okay, but it doesn't work properly. See it better explained here:
https://www.reddit.com/r/caddyserver/comments/1ied7qp/help_with_securitymodul/

Thanks for helping
Daniel

@fabriziosalmi
Owner

How to fix your Caddyfile:

  1. Remove the top-level security block.
  2. Use handle and authentication directives. You'll wrap your oauth, authentication portal and authorization policy configurations within a handle directive and specifically use the authenticator plugin for setting them up.
  3. Use authorize in the handle block. You'll activate your policies here.

Revised Caddyfile (Example):

home.mydomain.de {

    import common-settings

    handle {

        authentication portal myportal {
            crypto default token lifetime 3600
            enable identity provider generic
            cookie insecure off
            transform user {
                match realm generic
                action add role user
            }
            oauth identity provider generic {
                delay_start 3
                realm generic
                driver generic
                client_id HEREISTHEIDFROMPOCKETID
                client_secret HEREISTHESECRETFROMPOCKETID
                scopes openid email profile
                base_auth_url https://pi.MYDOMAIN.de
                metadata_url https://pi.MYDOMAIN.de/.well-known/openid-configuration
            }
        }

        authorize with mypolicy

        reverse_proxy 192.168.XXX.XXX:3000

        # Make sure that you set the following security header in the outer scope of the site block.
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "DENY"
            Referrer-Policy "strict-origin-when-cross-origin"
        }
    }

    authorization policy mypolicy {
        set auth url /auth/oauth2/generic
        allow roles user
        inject headers with claims
    }

    log {
        output file /var/log/caddy/home.access.log
        format json
    }
}

Explanation of Changes:

  • handle Directive: The handle directive specifies that caddy-security will process the requests.
  • authentication portal: The authentication portal configuration is now moved inside the handle and will be activated by the authentication directive.
  • authorize Directive: The authorization is set to mypolicy which is defined later on in the Caddyfile.

Let me know if this works for you ☕

@dancgn
Author

dancgn commented Feb 1, 2025

Nope, doesn't work yet.

I guess it's a problem importing the caddy-security module.

EDIT:
security is listed with caddy list-modules, but with your opinion and a try to restart:

Feb 01 19:03:01 caddy caddy[36716]: LOGNAME=caddy
Feb 01 19:03:01 caddy caddy[36716]: USER=caddy
Feb 01 19:03:01 caddy caddy[36716]: INVOCATION_ID=26fe143bcbe340d5a50fe25b952132ea
Feb 01 19:03:01 caddy caddy[36716]: JOURNAL_STREAM=8:135879
Feb 01 19:03:01 caddy caddy[36716]: SYSTEMD_EXEC_PID=36716
Feb 01 19:03:01 caddy caddy[36716]: {"level":"info","ts":1738432981.3471448,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Feb 01 19:03:01 caddy caddy[36716]: Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': unrecognized directive: authentication - are you sure your Caddyfile structure (nesting and braces) is correct?, at /etc/caddy/Caddyfile:111
Feb 01 19:03:01 caddy systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 19:03:01 caddy systemd[1]: caddy.service: Failed with result 'exit-code'.
Feb 01 19:03:01 caddy systemd[1]: Failed to start caddy.service - Caddy.

Sorry, I'm not that good with caddy.
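For reference, the layout the caddy-security README shows for these directives, as an added example that belongs to neither participant's reply: the security app is declared once in the global options block, and site blocks only reference it with authenticate with / authorize with (the parse error above confirms that authentication portal is not accepted as a directive inside handle). The auth.mydomain.de portal host, the env-var names, the shared signing key and the cookie domain are assumptions.

```caddyfile
{
    # Everything caddy-security needs is declared once, in the global options block.
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id {env.POCKETID_CLIENT_ID}         # assumed env var names
            client_secret {env.POCKETID_CLIENT_SECRET} # keep secrets out of the file
            scopes openid email profile
            base_auth_url https://pi.MYDOMAIN.de
            metadata_url https://pi.MYDOMAIN.de/.well-known/openid-configuration
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY} # same key as the policy below
            enable identity provider generic
            cookie domain mydomain.de # assumed: token cookie valid on all subdomains
            transform user {
                match realm generic
                action add role user
            }
        }

        authorization policy mypolicy {
            crypto key verify {env.JWT_SHARED_KEY}
            set auth url https://auth.mydomain.de/oauth2/generic # assumed portal host
            allow roles user
            inject headers with claims
        }
    }
}

# Site blocks only reference the definitions above. route {} keeps the
# written order, so no global "order" directive is needed.
auth.mydomain.de {
    route {
        authenticate with myportal
    }
}

home.mydomain.de {
    import common-settings
    route {
        authorize with mypolicy
        reverse_proxy 192.168.XXX.XXX:3000
    }
}
```

Because the replace directive reported in the first post blocks caddy add-package, building both plugins into one binary with xcaddy (--with github.com/fabriziosalmi/caddy-waf=/opt/caddy-waf --with github.com/greenpau/caddy-security) is the usual way to get the security module loaded alongside caddy-waf.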

@fabriziosalmi fabriziosalmi reopened this Feb 1, 2025