diff --git a/roles/vhost/defaults/main.yaml b/roles/vhost/defaults/main.yaml
index 8b532de..d48ace0 100644
--- a/roles/vhost/defaults/main.yaml
+++ b/roles/vhost/defaults/main.yaml
@@ -17,6 +17,9 @@ vhost_proxy_target_host: localhost
 vhost_proxy_headers: {}
 vhost_proxy_delete_headers: []
 vhost_proxy_pass_host_header: true
+vhost_proxy_auth_socket: ""
+vhost_proxy_auth_uri: ""
+vhost_proxy_auth_unauthorized_redir: ""
 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false
diff --git a/roles/vhost/meta/argument_specs.yaml b/roles/vhost/meta/argument_specs.yaml
index 3f1f5e6..e916852 100644
--- a/roles/vhost/meta/argument_specs.yaml
+++ b/roles/vhost/meta/argument_specs.yaml
@@ -119,6 +119,27 @@ argument_specs:
 type: bool
 required: false
 default: true
+ vhost_proxy_auth_socket:
+ description: >-
+ Unix socket path to forward requests to for auhtentication, before
+ proxying them
+ type: str
+ required: false
+ default: ""
+ vhost_proxy_auth_uri:
+ description: >-
+ The authentication endpoint of the auth host. Required if
+ proxy_auth_socket is defined. Does nothing otherwise.
+ type: str
+ required: false
+ default: ""
+ vhost_proxy_auth_unauthorized_redir:
+ description: >-
+ Where to redirect requests if authentication service returns 401
+ unathorized. If not set, returns responses as is.
+ type: str
+ required: false
+ default: ""
 vhost_redirect_target:
 description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
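Review bot: The new descriptions in this hunk misspell `auhtentication` (vhost_proxy_auth_socket) and `unathorized` (vhost_proxy_auth_unauthorized_redir), and the identical text is repeated in the two hunks at +303 and +464 for proxy_auth_socket and proxy_auth_unauthorized_redir, so all three places need the fix. The vhost_proxy_auth_socket description should also state the expected form of the value, because the Caddyfile template emits it after a literal `unix//` prefix: say whether callers pass the path with or without its leading slash, e.g. `description: >-` / `Path of the Unix socket (given in the form Caddy's unix// upstream prefix expects) to forward requests to for authentication before proxying them`. "Required if proxy_auth_socket is defined" on vhost_proxy_auth_uri is a constraint argument_specs cannot express, so the description should say where the role enforces it, or the role needs an explicit check; as written the spec accepts a socket with an empty uri.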
@@ -282,6 +303,27 @@ argument_specs:
 type: bool
 required: false
 default: "{{ vhost_proxy_pass_host_header }}"
+ proxy_auth_socket:
+ description: >-
+ Unix socket path to forward requests to for auhtentication, before
+ proxying them
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_socket }}"
+ proxy_auth_uri:
+ description: >-
+ The authentication endpoint of the auth host. Required if
+ proxy_auth_socket is defined. Does nothing otherwise.
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_uri }}"
+ proxy_auth_unauthorized_redir:
+ description: >-
+ Where to redirect requests if authentication service returns 401
+ unathorized. If not set, returns responses as is.
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_unauthorized_redir }}"
 redirect_target:
 description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -422,6 +464,27 @@ argument_specs:
 type: bool
 required: false
 default: "{{ vhost_proxy_pass_host_header }}"
+ proxy_auth_socket:
+ description: >-
+ Unix socket path to forward requests to for auhtentication, before
+ proxying them
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_socket }}"
+ proxy_auth_uri:
+ description: >-
+ The authentication endpoint of the auth host. Required if
+ proxy_auth_socket is defined. Does nothing otherwise.
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_uri }}"
+ proxy_auth_unauthorized_redir:
+ description: >-
+ Where to redirect requests if authentication service returns 401
+ unathorized. If not set, returns responses as is.
+ type: str
+ required: false
+ default: "{{ vhost_proxy_auth_unauthorized_redir }}"
 redirect_target:
 description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
diff --git a/roles/vhost/templates/Caddyfile_block.j2 b/roles/vhost/templates/Caddyfile_block.j2
index b3a5714..f2982ee 100644
--- a/roles/vhost/templates/Caddyfile_block.j2
+++ b/roles/vhost/templates/Caddyfile_block.j2
@@ -28,6 +28,18 @@
 }
 {% endif %}
 {% if matcher.type == 'reverse_proxy' %}
+ {% if matcher.proxy_auth_socket | length > 0 %}
+ forward_auth {
+ to unix//{{ matcher.proxy_auth_socket }}
+ uri {{ matcher.proxy_auth_uri }}
+ {% if matcher.proxy_auth_unauthorized_redir | length > 0 %}
+ @unauthorized status 401
+ handle_response @unauthorized {
+ redir * {{ matcher.proxy_auth_unauthorized_redir }}
+ }
+ {% endif %}
+ }
+ {% endif %}
 reverse_proxy {
 {% if matcher.proxy_target_netproto == 'tcp' %}
 to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }}
diff --git a/roles/vhost/vars/main.yaml b/roles/vhost/vars/main.yaml
index 6aa1e3f..e7f7816 100644
--- a/roles/vhost/vars/main.yaml
+++ b/roles/vhost/vars/main.yaml
@@ -28,6 +28,9 @@ _vhost_location_defaults:
 proxy_headers: "{{ vhost_proxy_headers }}"
 proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
 proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
+ proxy_auth_socket: "{{ vhost_proxy_auth_socket }}"
+ proxy_auth_uri: "{{ vhost_proxy_auth_uri }}"
+ proxy_auth_unauthorized_redir: "{{ vhost_proxy_auth_unauthorized_redir }}"
 redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
 redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"
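Review bot: The `uri {{ matcher.proxy_auth_uri }}` line is rendered whenever proxy_auth_socket is non-empty, but nothing checks that proxy_auth_uri was set, so with its default of `""` the template emits a bare `uri` subdirective inside forward_auth, which Caddy will most likely reject at config load (and if it were accepted, the auth check would not be hitting the intended endpoint). The argument spec documents the uri as required in that case, so the role should enforce it before the template task rather than leaving it to Caddy — an `ansible.builtin.assert` over each location entry with `that: item.proxy_auth_uri | length > 0` whenever `item.proxy_auth_socket | length > 0` (using whatever loop variable the tasks file uses) is enough. The same check could reject whitespace in proxy_auth_uri and proxy_auth_unauthorized_redir, since both are interpolated as bare Caddyfile tokens on the `uri` and `redir *` lines and a value with a space would change the directive structure. A redirect target that is itself served under this same forward_auth would loop on 401, which is presumably the operator's responsibility but is worth a comment next to `handle_response @unauthorized`. The `{% if matcher.type == 'reverse_proxy' %}` block and the `reverse_proxy {` it opens continue past the end of the hunk.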