really hard time getting tinyauth to start

[patatetom]

hi,

I'm having a really hard time starting the tinyauth@127.0.0.1:3000 service so that it sits between caddy@0.0.0.0:443 and mywebapp@127.0.0.1:8000 and uses lldap@127.0.0.1:3890.

caddy is working fine and allows me to access mywebapp without any issues (reverse_proxy 127.0.0.1:8000).
this section (which links caddy and tinyauth) is then added to the caddy configuration :

forward_auth 127.0.0.1:3000 {
  uri /api/auth/caddy
  copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}

lldap is working properly, and an alice account has been set up for authentication with mywebapp :

ldapsearch -H ldap://127.0.0.1:3890 -D "uid=observer,ou=people,dc=example,dc=com" -w xxxxxxxx -LLL -b "ou=people,dc=example,dc=com" "uid=observer"
dn: uid=observer,ou=people,dc=example,dc=com
cn: Observer
createtimestamp: 20260617063635Z
entryuuid: 2a5b6bfb-becc-328f-8fd0-8f4e33efab8f
first_name: Observer
givenname: Observer
mail: observer@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: mailAccount
objectclass: person
uid: observer

I’ve carefully reviewed the various help pages on https://tinyauth.app/docs/getting-started/ (which are very Docker-focused), but unfortunately haven’t found a/the solution : what command(s) should I run to start tinyauth@127.0.0.1:3000 and allow mywebapp to be accessed after lldap authentication ?

regards, lacsaP.

[dosubot]

Hi @patatetom! I'm Dosu and I'm helping the Tinyauth team.

To run tinyauth as a standalone binary (non-Docker) with your LLDAP backend and Caddy forward auth, here's what you need:

Minimum required variable: TINYAUTH_APPURL — without this, tinyauth won't start [1].

Example startup for your setup:

export TINYAUTH_APPURL=https://mywebapp.example.com   # The URL where tinyauth's login page is accessible
export TINYAUTH_SERVER_ADDRESS=127.0.0.1
export TINYAUTH_SERVER_PORT=3000
export TINYAUTH_LDAP_ADDRESS=ldap://127.0.0.1:3890
export TINYAUTH_LDAP_BINDDN="uid=observer,ou=people,dc=example,dc=com"
export TINYAUTH_LDAP_BINDPASSWORD=xxxxxxxx
export TINYAUTH_LDAP_BASEDN="dc=example,dc=com"
export TINYAUTH_LDAP_SEARCHFILTER="(uid=%s)"

./tinyauth

Or equivalently with CLI flags:

./tinyauth \
  --appurl=https://mywebapp.example.com \
  --server.address=127.0.0.1 \
  --server.port=3000 \
  --ldap.address=ldap://127.0.0.1:3890 \
  --ldap.binddn="uid=observer,ou=people,dc=example,dc=com" \
  --ldap.bindpassword=xxxxxxxx \
  --ldap.basedn="dc=example,dc=com" \
  --ldap.searchfilter="(uid=%s)"

Key notes:

• TINYAUTH_APPURL should be the external URL through which users will access tinyauth (i.e., the URL Caddy exposes for it). This is used for redirects after login [1].
• The server defaults to port 3000 and address 0.0.0.0 [2], so you only need to override the address to 127.0.0.1.
• The default search filter is already (uid=%s) [3], which should work with LLDAP.
• For the bind DN, use a service account that has read access to your LLDAP user entries (your observer account should work if it has search permissions).

Your Caddy forward_auth configuration looks correct. Just make sure tinyauth is accessible at 127.0.0.1:3000 before Caddy tries to reach it.

If you'd like to run it as a systemd service, there's also a pattern for that using an EnvironmentFile [4]. Let me know if you'd like more details on that or if you're hitting a specific error message when starting tinyauth.

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.

[steveiliop56]

@patatetom pretty much what the bot said. Keep in mind that for Tinyauth to work you will need a domain. So:

Tinyauth -> tinyauth.mydomain.com
Your app -> myapp.mydomain.com

They both need to be under the same domain for authentication to work. Tinyauth does not work with IP addresses or with domains like localhost. If you are facing a specific issue please share the way you started Tinyauth, your entire proxy config (the Tinyauth and app route), and the logs of Tinyauth (ideally with --log-level=debug.