jidckii (Eugene Medvedev) July 11, 2019, 6:20pm #1
Hello everyone,
is there an opportunity to configure an analogue of the behavior of the option satisfy any; as in nginx?
In nginx I have a configuration:
location / {
    satisfy any;
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    deny all;
    auth_basic "close_site";
    auth_basic_user_file "/etc/nginx/conf.d/close_site.htpasswd";
}
but in caddy it doesn’t work, I get 403 anyway:
domain {
    ipfilter / {
        rule allow
        ip 192.168.0.0/16
        ip 172.16.0.0/12
        ip 10.0.0.0/8
    }
    basicauth / "admin" "admin"
}
Hi @jidckii, welcome to the Caddy community!
What does satisfy any; actually do?
jidckii (Eugene Medvedev) July 12, 2019, 5:01am #3
Hello everyone,
is there an opportunity to configure an analogue of the behavior of the option satisfy any; as in nginx?
In nginx I have a configuration:
location / {
    satisfy any;
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    deny all;
    auth_basic "close_site";
    auth_basic_user_file "/etc/nginx/conf.d/close_site.htpasswd";
}
but in caddy it doesn’t work, I get 403 anyway:
domain {
    ipfilter / {
        rule allow
        ip 192.168.0.0/16
        ip 172.16.0.0/12
        ip 10.0.0.0/8
…
Here is exactly the same problem described. I need basicauth to work only for non-allowed networks.
I read the first post. You want to know if you can replicate the behaviour of satisfy any; in Caddy. I was asking if you could explain what that behaviour is, so that I might be able to tell you if Caddy has an equivalent.
jidckii (Eugene Medvedev) July 12, 2019, 5:22am #5
Sorry, I copied the link incorrectly)
A similar problem is described here.
Hi all,
I’m in the process of replacing my nginx reverse proxy with caddy. So far, something I haven’t been able to figure out how to do is require authentication based on the requesting host’s IP address. In nginx, the server entry would look something like this:
server {
    listen 443;
    server_name service.domain.com;
    location / {
        proxy_pass https://servicehost/;
        proxy_redirect off;
        satisfy any;
        allow 10.0.0.0/8;
        de…
And as I understand it here:
opened 12:33AM - 23 Sep 17 UTC
closed 10:06PM - 09 May 19 UTC
feature
What I'm hoping for is a way to add an IP range so that internal users (requests… from the LAN network) bypass basic auth while external requests are required to authenticate.
I've done this on nginx and it was quite nice to have. The plugin should pay attention to the `X-Forwarded-For` IP address, if it exists, otherwise there may be a way to bypass auth depending on how the request comes in.
I'm really loving Caddy and have even converted a couple of people to use it, due to the ease it provides. Thanks!
I understand that at the moment it is impossible to make basicauth work only for non-allowed IPs / subnets
I think my previous response in the linked thread still holds:
Spitballing here, but what about using:
- Two subdomains
- redir 302’s with if statements based on the {remote} placeholder
- Shuffle 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 to the correct vhost
- Blanket basicauth on the “external” subdomain
Messy, but should work. Use {>X-Remote-IP} instead if you’ve got Caddy behind another proxy.
Replace the private IPs with whatever you want to discriminate by, just make sure you know your if_op setting.
Within one site definition, the basicauth and the ipfilter will always both apply; it’s not possible to let either/or access the site. Hence the need to use two sites (on subdomains, maybe?), and redirect between them as necessary for convenience’s sake.
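Added example, not part of the thread and not nginx or Caddy code: a small Python model of the access decision being discussed, contrasting nginx's satisfy any (IP rule or basic auth is enough) with both checks always applying, as the last reply describes for ipfilter plus basicauth in one site. The status codes are a simplification, and TRUSTED_PROXIES, the right-most X-Forwarded-For handling (one trusted hop) and all function names are assumptions for illustration.

```python
import hmac
import ipaddress

# Rules from the nginx config in the thread; checked in order, first match wins.
RULES = [("allow", "192.168.0.0/16"), ("allow", "172.16.0.0/12"),
         ("allow", "10.0.0.0/8"), ("deny", "all")]
USERS = {"admin": "admin"}          # constructed, mirrors the Caddy snippet
TRUSTED_PROXIES = ["127.0.0.1/32"]  # assumption: the only hop allowed to set XFF


def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def client_ip(peer, xff=None):
    """Use X-Forwarded-For only when the direct peer is a trusted proxy."""
    if xff and in_any(peer, TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()  # right-most entry, appended by our proxy
    return peer  # a header sent by anyone else is client-controlled: ignore it


def ip_allowed(ip):
    for action, cidr in RULES:
        if cidr == "all" or in_any(ip, [cidr]):
            return action == "allow"
    return True  # no rule matched


def auth_ok(creds):
    if creds is None or creds[0] not in USERS:
        return False
    return hmac.compare_digest(USERS[creds[0]], creds[1])


def decide(mode, peer, creds=None, xff=None):
    """HTTP status for mode "any" (satisfy any) or "all" (both checks apply)."""
    ip_ok = ip_allowed(client_ip(peer, xff))
    if mode == "any":
        return 200 if ip_ok or auth_ok(creds) else 401
    if not ip_ok:
        return 403  # the 403 reported in the thread, even with valid credentials
    return 200 if auth_ok(creds) else 401
```

In "any" mode a request is rejected only when both the IP rule and the credentials fail, and a forwarded address is believed only when it arrives from the listed proxy.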
system (system) Closed October 12, 2019, 11:12pm #7
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.