vhost: Support proxy forward auth

2025-07-13 19:03:02 +03:00
parent 83569c59ee
commit c0753aeaa2
4 changed files with 81 additions and 0 deletions
--- a/roles/vhost/defaults/main.yaml
+++ b/roles/vhost/defaults/main.yaml
@@ -17,6 +17,9 @@ vhost_proxy_target_host: localhost
 vhost_proxy_headers: {}
 vhost_proxy_delete_headers: []
 vhost_proxy_pass_host_header: true
+vhost_proxy_auth_socket: ""
+vhost_proxy_auth_uri: ""
+vhost_proxy_auth_unauthorized_redir: ""

 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false
--- a/roles/vhost/meta/argument_specs.yaml
+++ b/roles/vhost/meta/argument_specs.yaml
@@ -119,6 +119,27 @@ argument_specs:
        type: bool
        required: false
        default: true
+      vhost_proxy_auth_socket:
+        description: >-
+          Unix socket path to forward requests to for auhtentication, before
+          proxying them
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_uri:
+        description: >-
+          The authentication endpoint of the auth host. Required if
+          proxy_auth_socket is defined. Does nothing otherwise.
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_unauthorized_redir:
+        description: >-
+          Where to redirect requests if authentication service returns 401
+          unathorized. If not set, returns responses as is.
+        type: str
+        required: false
+        default: ""

      vhost_redirect_target:
        description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -282,6 +303,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -422,6 +464,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
--- a/roles/vhost/templates/Caddyfile_block.j2
+++ b/roles/vhost/templates/Caddyfile_block.j2
@@ -28,6 +28,18 @@
            }
          {% endif %}
          {% if matcher.type == 'reverse_proxy' %}
+           {% if matcher.proxy_auth_socket | length > 0 %}
+            forward_auth {
+                to unix//{{ matcher.proxy_auth_socket }}
+                uri {{ matcher.proxy_auth_uri }}
+              {% if matcher.proxy_auth_unauthorized_redir | length > 0 %}
+                @unauthorized status 401
+                handle_response @unauthorized {
+                    redir * {{ matcher.proxy_auth_unauthorized_redir }}
+                }
+              {% endif %}
+            }
+           {% endif %}
            reverse_proxy {
              {% if matcher.proxy_target_netproto == 'tcp' %}
                to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }}
--- a/roles/vhost/vars/main.yaml
+++ b/roles/vhost/vars/main.yaml
@@ -28,6 +28,9 @@ _vhost_location_defaults:
  proxy_headers: "{{ vhost_proxy_headers }}"
  proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
  proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
+  proxy_auth_socket: "{{ vhost_proxy_auth_socket }}"
+  proxy_auth_uri: "{{ vhost_proxy_auth_uri }}"
+  proxy_auth_unauthorized_redir: "{{ vhost_proxy_auth_unauthorized_redir }}"

  redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
  redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"