Forward auth to Zelus in Caddy

Zelus is a user interface for Kratos written in Go, without JavaScript. It manages login, registration, verification, recovery, and user settings. The purpose is to have a secure and lightweight interface, comparable to Pomerium, that can act as an identity-aware proxy without involving a third-party authentication provider.

Normally, Kratos would be combined with Oathkeeper for access control, but Oathkeeper is not actively maintained and its configuration is not user-friendly.

I developed a /check endpoint in Zelus that is compatible with the forward_auth directive of Caddy. forward_auth sends a copy of each incoming request to the endpoint: a 2xx response lets the original request through to the upstream, and any other response (status, headers and body, for example a redirect to the login page) is returned to the client as-is.

You will find below an example Caddyfile for a secured subdomain. Note that the {path} placeholder does not include the query string; Caddy also sets X-Forwarded-Host and X-Forwarded-Uri (which keeps the query string) on the check request, so a check endpoint can rebuild the original URL from those headers instead. Whatever consumes return_to must validate it against an allow-list of your own hosts, otherwise the endpoint becomes an open redirect.

secure.domain.com {
	forward_auth 127.0.0.1:4435 {
		uri /check?return_to=https://{host}{path}
	}

	# reverse_proxy...
}

login.domain.com {
	handle /api/* {
		uri strip_prefix /api
		reverse_proxy 127.0.0.1:4433
	}

	handle {
		reverse_proxy 127.0.0.1:4435
	}
}

# catch-all wildcard: unknown subdomains also require a valid session, so probing reveals nothing
*.domain.com {
	forward_auth 127.0.0.1:4435 {
		uri /check?return_to=https://{host}{path}
	}
}
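The following is an added example of a forward_auth-compatible check endpoint in Go, written for this page; it is not Zelus' own /check code. It assumes the Kratos default session cookie name (ory_kratos_session), a login page at https://login.domain.com/login, and replaces the call to Kratos' /sessions/whoami with an in-memory validator so it runs offline. It returns 200 for a valid session and otherwise a 302 to the login page, with return_to taken from the Caddyfile's query parameter or rebuilt from the X-Forwarded-Host/X-Forwarded-Uri headers Caddy sets, and only after checking the target host against an allow-list.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// sessionCookie is the cookie the endpoint checks. "ory_kratos_session" is the
// Kratos default; using it here is an assumption of this example.
const sessionCookie = "ory_kratos_session"

// SessionValidator reports whether a session token is valid. A real endpoint
// would forward the cookie to Kratos' /sessions/whoami; the interface keeps the
// example runnable offline.
type SessionValidator interface {
	Valid(token string) bool
}

// MemorySessions is a constructed in-memory validator used only for this example.
type MemorySessions map[string]bool

// Valid looks the token up in the map.
func (m MemorySessions) Valid(token string) bool { return m[token] }

// CheckHandler answers Caddy's forward_auth sub-request. A 2xx response lets the
// original request through; any other status, with its headers and body, is
// returned to the client, so a 302 to the login page redirects the browser.
type CheckHandler struct {
	Sessions     SessionValidator
	LoginURL     string   // e.g. https://login.domain.com/login (assumed path)
	AllowedHosts []string // exact hosts, or ".domain.com" for any subdomain
}

// returnTarget prefers the explicit return_to parameter from the Caddyfile and
// falls back to the X-Forwarded-Host/Uri headers forward_auth sets on every
// check request; X-Forwarded-Uri still carries the query string that {path} drops.
func returnTarget(r *http.Request) string {
	if rt := r.URL.Query().Get("return_to"); rt != "" {
		return rt
	}
	host, uri := r.Header.Get("X-Forwarded-Host"), r.Header.Get("X-Forwarded-Uri")
	if host == "" || uri == "" {
		return ""
	}
	proto := r.Header.Get("X-Forwarded-Proto")
	if proto == "" {
		proto = "https"
	}
	return proto + "://" + host + uri
}

// safeReturnTo accepts only absolute https URLs without userinfo whose host is
// allow-listed, which keeps return_to from becoming an open redirect.
func (h *CheckHandler) safeReturnTo(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return "", false
	}
	for _, a := range h.AllowedHosts {
		if u.Host == a || (strings.HasPrefix(a, ".") && strings.HasSuffix(u.Host, a)) {
			return u.String(), true
		}
	}
	return "", false
}

// ServeHTTP: valid session -> 200; otherwise 302 to the login page, carrying a
// validated return_to so the user lands back on the protected URL afterwards.
func (h *CheckHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store") // never cache an auth decision
	if c, err := r.Cookie(sessionCookie); err == nil && h.Sessions.Valid(c.Value) {
		w.WriteHeader(http.StatusOK)
		return
	}
	login, err := url.Parse(h.LoginURL)
	if err != nil {
		http.Error(w, "bad login url", http.StatusInternalServerError)
		return
	}
	q := login.Query()
	if rt, ok := h.safeReturnTo(returnTarget(r)); ok {
		q.Set("return_to", rt)
	}
	login.RawQuery = q.Encode()
	http.Redirect(w, r, login.String(), http.StatusFound)
}

func main() {
	h := &CheckHandler{
		Sessions:     MemorySessions{"demo-session-token": true}, // constructed sample
		LoginURL:     "https://login.domain.com/login",
		AllowedHosts: []string{".domain.com"},
	}
	http.Handle("/check", h)
	log.Fatal(http.ListenAndServe("127.0.0.1:4435", nil))
}
```

With the Caddyfile above, an unauthenticated request to secure.domain.com/app becomes a check request to 127.0.0.1:4435/check?return_to=https://secure.domain.com/app; the 302 from the handler is passed back to the browser, which lands on the login page with the validated return_to. A request to an unlisted host such as https://evil.example/ is redirected to the login page without any return_to.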