defguard
  • Introduction
  • User documentation (help)
    • Configuring VPN
      • Defguard Desktop Client
        • Update instance
      • Other WireGuard® Clients
        • Configuring manually a device for a new VPN Location
    • Password change / Reset
    • Enrollment & Onboarding
      • With internal Defguard SSO
      • With external SSO (Google/Microsoft/Custom)
    • Setting up 2FA/MFA
    • Desktop Client
    • CLI Client
  • Admin & features
    • Troubleshooting Guide
      • Sending support information
      • Client Windows installer exit codes
    • Deploying your instance
      • Upgrading
      • One-line install script
      • Standalone package based installation
      • Docker images and tags
      • Docker Compose
      • Kubernetes
      • Gateway
        • Running gateway on MikroTik routers
      • Securing gRPC communication
      • OpenID RSA key
      • Configuration
      • Pre-production and development releases
      • High Availability and Failover
      • Health check
    • Features & configuration
      • Zero-Trust VPN with 2FA/MFA
        • Create/manage VPN Location
        • Network overview
        • Executing custom gateway commands
        • Multi-Factor Authentication (MFA/2FA)
          • MFA Architecture
        • Remote desktop client configuration
        • DNS and domains
      • Remote user enrollment
        • User onboarding after enrollment
      • SSO (OpenID Connect)
        • Portainer
        • Grafana setup
        • Proxmox
        • Matrix / Synapse
        • Django
        • MinIO
        • Vault
      • SMTP for email notifications
      • YubiKey Provisioning
      • Webhooks
      • Forward auth
      • SSH Authentication
      • Network devices
      • Gateway notifications
      • New version notifications
  • Enterprise Features
    • License
    • Enteprise features
      • Automatic (real time) desktop client configuration & sync
      • External OpenID providers
        • Google
        • Microsoft
        • Zitadel
        • Keycloak
        • JumpCloud
        • Okta
        • Custom
      • External OIDC secure enrollment
      • VPN & Client behavior customization
      • REST API
      • Access Control List
      • LDAP and Active Directory integration
        • Configuration
        • Settings table
        • Two-way LDAP and Active Directory synchronization
  • Tutorials
    • Step by step setting up a VPN server
      • Adding additional VPN locations
  • In depth
    • Roadmap
    • Architecture
      • How do VPN statistics work
      • Security concepts
  • For Developers
    • Contributing
    • Environment setup
    • Translations (core/web)
      • Switching language
      • Adding translations
  • Translations (client)
    • Adding translations
  • Contact us
    • Community & Support
Powered by GitBook
On this page
  • Example configurations
  • Traefik
  • Caddy

Was this helpful?

Edit on GitHub
  1. Admin & features
  2. Features & configuration

Forward auth

PreviousWebhooksNextSSH Authentication

Last updated 1 year ago

Was this helpful?

defguard supports integration with popular reverse proxies (tested with and ). This allows you to use defguard to secure services which don't provide their own authorization or OAuth integration.

In order for forward auth to work the services you are trying to protect must be available at URLs within the same base domain as your defguard instance.

For example if you are serving your defguard UI at id.yourdomain.com, then your services must use other subdomains of yourdomain.com, e.g. app1.yourdomain.com, `service.yourdomain.com` etc.

Additionally you have to update your to set the cookies domain to yourdomain.com.

Example configurations

For brevity all of the examples below assume you are hosting your defguard instance at defguard.yourdomain.com.

We'll use a basic container as an example service which will be available at whoami.yourdomain.com.

Traefik

docker-compose.yml

version: "3"

services:
  traefik:
    image: traefik:v2.9
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80" # HTTP port
      - "8080:8080" # Web UI port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.middlewares.defguardauth.forwardauth.address=http://defguard.yourdomain.com/api/v1/forward_auth"
      - "traefik.http.routers.whoami.middlewares=defguardauth"

Caddy

Caddyfile

# Disable HTTPS for this example (WARNING: Do not use in production)
{
    auto_https off
    https_port 80
}

whoami.yourdomain.com {
    forward_auth defguard.yourdomain.com {
      uri /api/v1/forward_auth
    }
    reverse_proxy whoami:80
}

docker-compose.yml

version: "3"

services:
  caddy:
    image: caddy:2.6.4-alpine
    ports:
      - "80:80" # HTTP port
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
  whoami:
    image: traefik/whoami
forward auth
traefik
caddy
whoami
defguard config