
Productify Proxy

The proxy component of the Productify Framework provides reverse proxying and authentication using a custom Caddy build with Productify plugins.

Overview

Productify Proxy is a Caddy-based reverse proxy with custom authentication and authorization plugins that integrate with the Productify Manager for application routing and machine user validation.

Key Features

OAuth2 Authentication

  • Identity provider integration - Generic OAuth2/OIDC support
  • Authentication portal - Centralized login handling
  • Token management - Automatic token lifecycle

Authorization

  • Policy-based access control - Fine-grained authorization rules
  • Role-based access - Role assignment and validation
  • Bearer token validation - API authentication support
  • Header injection - Claims forwarding to backends

Productify Integration

  • Manager API integration - Application routing via Manager
  • Machine user validation - Token-based authentication for automated clients
  • Application-specific routing - Per-application middleware

TLS/SSL Support

  • Automatic HTTPS with Let's Encrypt
  • Certificate management - Automatic renewal
  • Custom certificates - Support for bring-your-own certificates

Architecture

┌──────────────┐
│   Internet   │
└──────┬───────┘
       │ HTTPS (443)
       ▼
┌─────────────────────────────────────┐
│       Productify Proxy (Caddy)      │
│  - OAuth2 Authentication            │
│  - Authorization Policies           │
│  - TLS Termination                  │
│  - Custom Productify Plugins        │
└──────────────────┬──────────────────┘
                   │ Validates with
                   ▼
┌─────────────────────────────────────┐
│         Productify Manager          │
│  - Application lookup               │
│  - Machine user validation          │
│  - Token verification               │
└──────────────────┬──────────────────┘
                   │ Routes to
                   ▼
┌─────────────────────────────────────┐
│         Backend Services            │
│  - Application instances            │
│  - Manager API/UI                   │
│  - Identity provider                │
└─────────────────────────────────────┘

How It Works

1. Authentication Flow

A user requests a protected route:

route /* {
  authorize with pocketpolicy  # caddy-security policy; the request continues only if it passes
  productify with 123          # Productify plugin, scoped to application ID 123
  reverse_proxy backend:8080
}

2. OAuth2 Login

Caddy redirects unauthenticated users to the identity provider:

# caddy-security app, declared in the Caddyfile global options block
security {
  oauth identity provider generic {
    realm generic
    driver generic
    client_id ab098fe1-9bc0-4780-81c6-2ea17f49a3cb         # example value; use your IdP's client ID
    client_secret pU3ZrOyPTtd4A3ex16dBzBTlDrlxqfpU         # example value; load from a secret store, not from a committed file
    scopes openid email profile
    base_auth_url http://pocketid.localhost
  }
}

3. Manager Integration

The Productify plugin is configured with the Manager it validates against:

productify {
  manager http://172.17.0.1:8080   # Manager API endpoint
  token supersecrettoken           # shared secret presented to the Manager; keep out of version control
}

4. Application Routing

Route to application after validation:

route /* {
  authorize with pocketpolicy
  productify with 123  # Application ID
  file_server {
    root /usr/share/caddy
  }
}

Use Cases

Multi-Tenant SaaS

Route traffic based on authentication and application ID:

http://app.localhost {
  route /* {
    authorize with pocketpolicy
    productify with 123
    reverse_proxy backend:8080
  }
}

Manager UI/API

Protect Manager interface with authentication:

http://manager.localhost {
  @auth {
    path /auth/*
  }

  route @auth {
    authenticate with pocketportal
  }

  route /* {
    authorize with pocketpolicy
    reverse_proxy 172.17.0.1:8080
  }
}

Machine User Authentication

API access with bearer tokens:

api.productify.dev {
  route /api/* {
    authorize with pocketpolicy
    reverse_proxy manager:8080
  }
}

The policy validates the bearer header and injects the resulting claims:

authorization policy pocketpolicy {
  set auth url /auth/oauth2/generic   # where unauthenticated browser clients are redirected
  allow roles user                    # requests without the user role are denied
  validate bearer header              # accept Authorization: Bearer <token> from API clients
  inject headers with claims          # forward the validated identity to the backend as request headers
}
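As an added example that is not part of Productify Proxy or caddy-security, the Go handler below shows how a backend behind this policy should consume the injected claims: reject requests that carry no claims, then enforce the role it needs. The header names X-Token-Subject and X-Token-User-Roles and the space/comma role separator are assumptions to check against what your proxy build actually emits.

```go
package main

import (
	"net/http"
	"strings"
)

// Assumed names for the headers caddy-security injects; verify against your proxy.
const hdrSubject, hdrRoles = "X-Token-Subject", "X-Token-User-Roles"

// ForwardedRoles returns the roles the proxy injected; ok is false when the subject
// header is absent, i.e. the request never passed authorize. Separator is assumed.
func ForwardedRoles(h http.Header) (roles []string, ok bool) {
	if strings.TrimSpace(h.Get(hdrSubject)) == "" {
		return nil, false
	}
	roles = strings.FieldsFunc(h.Get(hdrRoles), func(r rune) bool { return r == ' ' || r == ',' })
	return roles, true
}

// HasRole reports whether role is among the forwarded roles.
func HasRole(roles []string, role string) bool {
	for _, r := range roles {
		if r == role {
			return true
		}
	}
	return false
}

// RequireRole admits a request only when the proxy forwarded the required role (401 if
// no claims, 403 if the role is missing). Expose the backend only via the proxy.
func RequireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		roles, ok := ForwardedRoles(r.Header)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !HasRole(roles, role) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed listener address; bind only to the interface the proxy reaches
	http.ListenAndServe("127.0.0.1:8081", RequireRole("user", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("hello\n")) })))
}
```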

Benefits

Authentication & Authorization

  • OAuth2/OIDC - Standard protocol support
  • Policy-based access - Fine-grained control
  • Token validation - Bearer token support for APIs
  • Claims injection - Forward user context to backends

Manager Integration

  • Application routing - Dynamic routing based on Manager configuration
  • Machine users - Automated client authentication
  • Centralized control - All routing logic in Manager

Security

  • TLS 1.3 by default
  • OCSP stapling for certificate validation
  • Security headers (HSTS, CSP, etc.)
  • Token-based authentication

Monitoring

  • Prometheus metrics - Built-in metrics endpoint on :2112
  • Custom metrics - Application-specific tracking
  • Access logs - Detailed request logging with source, user, and target system
  • Request/Response metrics - Optional size and performance tracking

Requirements

  • Caddy 2.7+
  • Productify Manager instance for application routing
  • Identity Provider (OAuth2/OIDC compatible)
  • DNS pointing to proxy instance(s)

Next Steps

  1. Follow the Quick Start guide
  2. Configure your Caddyfile
  3. Deploy to production