A lightweight Caddy-based authentication proxy that protects upstream services with Basic Auth. Designed to run behind a TLS-terminating edge (e.g., Railway, Cloudflare) and proxy to internal services.
Protect an internal service with basic authentication before exposing it publicly:
User (HTTPS) → Edge/PaaS (TLS) → Caddy (Basic Auth) → Internal Service
The upstream service has no public access. Caddy is the only entry point and enforces authentication. Note that Caddy itself listens on plain HTTP (port 80), so the Basic Auth credentials are protected in transit only by the TLS the edge terminates: expose port 80 to the edge/PaaS network only, never directly to the internet.
- Basic Authentication via environment variables
- Automatic password hashing at startup (plain password in, bcrypt hash generated)
- Lightweight Alpine-based image
- Works behind TLS-terminating proxies (Railway, Cloudflare, etc.)
| Environment Variable | Description | Example | Required |
|---|---|---|---|
| `AUTH_USER` | Basic auth username | `admin` | Yes |
| `AUTH_PASS` | Plain text password (hashed at boot) | `mysecurepassword` | Yes |
| `UPSTREAM_URL` | Backend service URL with port | `http://backend.internal:5555` | Yes |
Build and run locally:

```bash
docker build -t caddy-auth-proxy .

docker run -d \
  -e AUTH_USER=admin \
  -e AUTH_PASS=mysecurepassword \
  -e UPSTREAM_URL=http://your-backend:8080 \
  -p 80:80 \
  caddy-auth-proxy
```

Deploy on Railway:

- Deploy this repo to Railway
- Set the environment variables `AUTH_USER`, `AUTH_PASS` and `UPSTREAM_URL`
- Add a custom domain pointing to port 80
- Caddy proxies authenticated requests to your internal service
- `Dockerfile` - Builds the image with Python/bcrypt for password hashing
- `Caddyfile` - Caddy config with Basic Auth and reverse proxy
- `entrypoint.sh` - Hashes the password at startup, then runs Caddy
- `site/` - Static files (optional)
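To make the startup flow concrete, here is an added example of an entrypoint that does what the files above describe: validate the three variables, hash the password, render a Caddyfile with `basic_auth` and `reverse_proxy`, and hand off to Caddy. It is not this project's `entrypoint.sh` or `Caddyfile`. It assumes the official `caddy` image, so it hashes with Caddy's own `caddy hash-password` instead of the Python/bcrypt step the project uses; the function names, the `validate_upstream` check and the `CADDYFILE` path variable are the example's own.

```bash
#!/bin/sh
# Hypothetical entrypoint (added example, not the project's entrypoint.sh).
# Assumes the official caddy image so `caddy hash-password` is on PATH.
set -eu

CADDYFILE="${CADDYFILE:-/etc/caddy/Caddyfile}"

# Refuse to start rather than run an unauthenticated proxy when a variable is missing.
require_env() {
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "entrypoint: $name is required" >&2
            return 1
        fi
    done
}

# Only accept http(s)://host[:port]; whitespace or braces could otherwise
# turn the value into extra Caddyfile directives when it is interpolated.
validate_upstream() {
    case "$1" in
        http://*|https://*) ;;
        *) echo "entrypoint: UPSTREAM_URL must start with http:// or https://" >&2; return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*|*'{'*|*'}'*)
            echo "entrypoint: UPSTREAM_URL contains illegal characters" >&2; return 1 ;;
    esac
}

# bcrypt-hash the plaintext with Caddy's tool; output is the format basic_auth expects.
hash_password() {
    caddy hash-password --plaintext "$1"
}

# Render the Caddyfile: Basic Auth on every request, then proxy to the upstream.
render_caddyfile() {
    user="$1"; hash="$2"; upstream="$3"
    cat <<EOF
:80 {
    basic_auth {
        $user $hash
    }
    reverse_proxy $upstream
}
EOF
}

main() {
    require_env AUTH_USER AUTH_PASS UPSTREAM_URL
    validate_upstream "$UPSTREAM_URL"
    hash="$(hash_password "$AUTH_PASS")"
    render_caddyfile "$AUTH_USER" "$hash" "$UPSTREAM_URL" > "$CADDYFILE"
    unset AUTH_PASS   # don't hand the plaintext to the Caddy process environment
    exec caddy run --config "$CADDYFILE" --adapter caddyfile
}

# Run main only when executed as the container entrypoint, not when sourced.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

Two practical notes: `unset AUTH_PASS` keeps the plaintext out of `/proc/<pid>/environ` for the Caddy process, but it is still visible in `docker inspect` and in the PaaS dashboard, so treat the variable as a secret there; and the interpolation guard matters because the Caddyfile is assembled from strings, so any value that reaches it unchecked is effectively config, not data.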
See LICENSE for details.