# Forward auth

Defguard supports forward auth integration with popular reverse proxies (tested with [traefik](https://doc.traefik.io/traefik/) and [caddy](https://caddyserver.com/)). This allows you to use Defguard to secure services which don't provide their own authorization or OAuth integration.

{% hint style="warning" %}
In order for forward auth to work the services you are trying to protect must be available at URLs within the same base domain as your Defguard instance.

For example if you are serving your Defguard UI at `id.yourdomain.com`, then your services must use other subdomains of `yourdomain.com`, e.g. ``app1.yourdomain.com, `service.yourdomain.com` etc``.

Additionally you have to update your [Defguard config](/deployment-strategies/configuration.md#auth-cookies-configuration) to set the cookies domain to `yourdomain.com`.
{% endhint %}

## Example configurations

For brevity, all of the examples below assume you are hosting your Defguard instance at `defguard.yourdomain.com`.

We'll use a basic [whoami](https://github.com/traefik/whoami) container as an example service, which will be available at `whoami.yourdomain.com`.

## Traefik

#### docker-compose.yml

```yaml
version: "3"

services:
  traefik:
    image: traefik:v2.9
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80" # HTTP port
      - "8080:8080" # Web UI port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.middlewares.defguardauth.forwardauth.address=http://defguard.yourdomain.com/api/v1/forward_auth"
      - "traefik.http.routers.whoami.middlewares=defguardauth"
```

## Caddy

#### Caddyfile

```
# Disable HTTPS for this example (WARNING: Do not use in production)
{
    auto_https off
    https_port 80
}

whoami.yourdomain.com {
    forward_auth defguard.yourdomain.com {
      uri /api/v1/forward_auth
    }
    reverse_proxy whoami:80
}
```

#### docker-compose.yml

```yaml
version: "3"

services:
  caddy:
    image: caddy:2.6.4-alpine
    ports:
      - "80:80" # HTTP port
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
  whoami:
    image: traefik/whoami
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.defguard.net/features/forward-auth.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.