Self hosted SSO with OPNSense, Caddy and Authentik

Javi
August 29th, 2025

First: the auth provider in the Caddy plugin for OPNsense needs to be set up to point to the internal IP and port of authentik.
This part of the Caddy docs explains how forward auth works:
"Caddy's reverse_proxy is capable of performing "pre-check requests" to an external service, but this directive is tailored specifically for the authentication use case.
...
This directive makes a GET request to the configured upstream with the uri rewritten:
- If the upstream responds with a 2xx status code, then access is granted and the header fields in copy_headers are copied to the original request, and handling continues.
- Otherwise, if the upstream responds with any other status code, then the upstream's response is copied back to the client. This response should typically involve a redirect to the login page of the authentication gateway."
Caddy plugin settings in OPNSense
Next: you can make a proxy provider in authentik at either single-app or domain level, depending on what you want.
Domain level proxies can be a bit of a hassle to get right, so if you don't mind a few extra clicks, I would recommend just setting up a single app proxy per app you want to secure.
Protecting an app
If an app doesn't have its own authentication system, you can now protect it with authentik following these steps:
Create a single (or domain) level proxy provider in authentik
Create your app in authentik and assign it the provider you created
On your caddy handler click on "advanced mode" at the top left and then check "Forward Auth"
That should be it! Now if you go to your protected app and are not logged in, you'll be redirected to authentik
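For reference, here is the same setup written as a plain Caddyfile. This is an added example, not something from this post or the configuration the OPNsense plugin generates; the hostname app.example.internal, the outpost address 10.0.0.5:9000 and the app upstream 10.0.0.20:8080 are placeholders, while the /outpost.goauthentik.io paths and X-Authentik-* headers are the ones authentik's proxy provider uses.

```caddyfile
# Added example: one Caddy site that protects an app with an authentik
# single-app proxy provider via forward_auth. Placeholders:
#   app.example.internal  - hostname of the protected app
#   10.0.0.5:9000         - authentik outpost (internal IP and port)
#   10.0.0.20:8080        - the app itself, which has no login of its own
app.example.internal {
    # route {} makes Caddy run these handlers in the order written;
    # otherwise forward_auth would also apply to the outpost paths.
    route {
        # authentik's login flow and callback live under this prefix and
        # must reach the outpost directly, before any auth pre-check.
        reverse_proxy /outpost.goauthentik.io/* http://10.0.0.5:9000

        # Every other request is pre-checked with a GET to the outpost:
        # 2xx  -> the copy_headers fields are added to the request and it
        #         continues to the app below
        # else -> the outpost's response (normally a 302 to the authentik
        #         login page) is returned to the client instead
        forward_auth http://10.0.0.5:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid
            # Only trust X-Forwarded-* headers from proxies you control,
            # so a client cannot spoof its source address to the outpost.
            trusted_proxies private_ranges
        }

        # Reached only after forward_auth granted access.
        reverse_proxy http://10.0.0.20:8080
    }
}
```

The app behind this still sees the copied X-Authentik-* headers as its only identity signal, so make sure it is reachable only through Caddy and not directly on 10.0.0.20:8080.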