Caddy Proxy Manager includes a built-in forward authentication portal. Instead of installing a separate identity provider like Authentik or Authelia, CPM acts as the IdP: it presents a login page, issues session cookies, and Caddy validates each subsequent request through the forward_auth directive.

How forward auth works

  1. A visitor hits a protected proxy host without a valid session cookie.
  2. Caddy’s forward_auth directive sends the request to CPM for validation.
  3. CPM redirects the visitor to the CPM login page.
  4. After login, CPM sets a session cookie and redirects back to the original URL.
  5. Caddy validates all future requests from that browser through CPM until the session expires.

Enabling forward auth on a proxy host

  1. Edit the proxy host. Open the proxy host you want to protect and go to the Forward Auth tab.
  2. Enable CPM forward auth. Toggle Enable Forward Auth on.
  3. Grant access to users or groups. Add the users or groups that are allowed to access this host. Only explicitly listed users and groups may log in; even admins must be added.
  4. Configure path scope (optional). Set protected_paths to apply auth only to specific URL paths, or add excluded_paths to bypass auth for public assets like /static/* or /health.

Path-based access control

The CpmForwardAuthConfig type exposes two path arrays:

| Field | Description |
| --- | --- |
| protected_paths | Only these paths require authentication (null = all paths) |
| excluded_paths | These paths bypass authentication entirely |

Example: Protect all paths except the health check endpoint:
  • excluded_paths: /health, /favicon.ico
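
Because excluded_paths bypass authentication entirely, it helps to check which URLs a given scope leaves open before saving it. The following is an added example, not CPM's own code: the PathScope interface and function names are hypothetical, and both the matching rules (case-insensitive, exact unless the pattern ends in `*`) and the precedence of exclusions over protections are assumptions.

```typescript
// Added example, not CPM source. Field names protected_paths / excluded_paths
// come from the page; matching rules and precedence below are assumptions.
interface PathScope {
  protected_paths: string[] | null; // null = all paths require auth
  excluded_paths: string[];         // these paths bypass auth entirely
}

// Assumed matching: case-insensitive, exact unless the pattern ends in "*",
// in which case everything before the "*" is treated as a prefix.
function matchesPattern(path: string, pattern: string): boolean {
  const p = path.toLowerCase();
  const pat = pattern.toLowerCase();
  if (pat.slice(-1) === "*") {
    const prefix = pat.slice(0, -1);
    return p.slice(0, prefix.length) === prefix;
  }
  return p === pat;
}

// Assumed precedence: an exclusion always wins over a protection.
function requiresAuth(path: string, scope: PathScope): boolean {
  if (scope.excluded_paths.some((pat) => matchesPattern(path, pat))) return false;
  if (scope.protected_paths === null) return true;
  return scope.protected_paths.some((pat) => matchesPattern(path, pat));
}

// Review helper: which of the probe paths would be served without a login?
function unauthenticatedPaths(probes: string[], scope: PathScope): string[] {
  return probes.filter((path) => !requiresAuth(path, scope));
}

// Constructed sample data. The second scope writes its exclusions without a
// slash before the wildcard, which widens the bypass to sibling paths.
const probes = ["/", "/health", "/healthz/debug", "/static/app.js",
                "/static-admin/users", "/admin"];
const tight: PathScope = { protected_paths: null, excluded_paths: ["/health", "/static/*"] };
const loose: PathScope = { protected_paths: null, excluded_paths: ["/health*", "/static*"] };

console.log("tight leaves open:", unauthenticatedPaths(probes, tight));
console.log("loose leaves open:", unauthenticatedPaths(probes, loose));
```

Under the same assumptions, a protected_paths entry of /admin/* does not cover /admin itself, so a scope that relies on protected_paths should list both forms.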

User and group access

Forward auth access is separate from the user’s dashboard role. A user with the Viewer role can still access a forward-auth-protected app if they are explicitly granted access. Grant access by:
  • Individual user: Add the user to the host’s access list.
  • Group: Add a group — all current and future members of the group gain access automatically.

Managing groups

Navigate to Groups in the sidebar to create and manage groups. Assign users to groups from the group detail page. When you grant a group access to a proxy host, membership changes take effect immediately.

Authentik integration

If you already run Authentik, CPM can use it as the forward auth provider instead of the built-in portal. Enable Authentik on the proxy host’s Forward Auth tab and configure:

| Field | Description |
| --- | --- |
| outpostDomain | Your Authentik outpost domain |
| outpostUpstream | Upstream address of the Authentik outpost |
| authEndpoint | Auth validation endpoint (auto-derived from outpostDomain if omitted) |
| copyHeaders | Headers to copy from Authentik’s response to the upstream |
| trustedProxies | Trusted proxy ranges for correct IP detection |
| protectedPaths | Paths to protect (null = all) |
| excludedPaths | Paths to bypass |

The Authentik outpost URL and CPM’s BASE_URL must be reachable from inside the Docker network.
