Basic auth path exception?

I have a special setup and need an exception from the basic auth configured just for one (sub-)path or source ip addresses.

Is it possible or could it be added as a new feature to the basic auth plugin?

Exceptions add complexity. How would you propose this work with the basicauth plugin?

Hi @matt

if it would add too much complexity just forget my idea :wink:

I try to get direct access for some source ip addresses to the /api path, but all users should be authenticated by basic auth, client cert, … Just to secure the web admin interface :wink:

Any way / idea how to get something like that working? Another way could be a second reverse proxy and a rewrite from api subdomain to the /api path.

Okay :smile: How much or what kind of complexity is still unclear, and I don’t want to dismiss the idea before then.

So you want all users who access /api to have client cert? Or basic auth? (or both?) But not the rest of the site. Right?

The API (/api) doesn’t support additional pre-auth (like basic auth or cert auth), because the backend uses token auth.

So I try to secure the web admin ("/"), but need an exception for the API path /api without any additional (reverse proxy) auth.

So basic auth required for all, but NO basic auth for path /api :slight_smile:

A workaround could be an additional revproxy / vhost with a subdomain mapped to the api as a workaround if there is no “simple” solution to work with an exception.

I would use the subdomain and then just rewrite: {
    rewrite /

Very simple compared to adding exception rules to the basic auth plugin.


I have created a new vhost with a different subdomain which proxies to the api backend server and access restriction by ipfilter.


You’re welcome! I’m glad that will work for you :slight_smile:

I needed this functionality for a project of mine that has a Web App Manifest. I wanted the app to be behind basic auth but the manifest file must not be for it to be recognised.

I have simply amended the code and rebuilt from source, with the new (backwards compatible) syntax:

basicauth user pass {
    not /manifest.json
}

Seems to work fine - the question is (@matt), should I go to the trouble of adding tests and submitting a pull request? I understand you not wanting to add complexity, so won’t bother if you don’t want this in mainline caddy. But I would be happy to if you did.
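The path exception discussed in this thread, as an added Go example (not Caddy's code and not the patch the poster describes): a basic auth wrapper that skips one path, matching only after the path is normalised and only on a segment boundary, so the exception cannot be stretched to cover protected paths. The names `exempt`, `basicAuthExcept` and `status`, and the credentials, are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// exempt reports whether the normalised path equals the exception or lies
// below it on a segment boundary ("/api" covers "/api/x", not "/apiadmin").
func exempt(reqPath, exception string) bool {
	p := path.Clean("/" + reqPath) // resolves "//", "/./" and "/../"
	e := path.Clean("/" + exception)
	return p == e || strings.HasPrefix(p, strings.TrimSuffix(e, "/")+"/")
}

// basicAuthExcept demands basic auth on every path except the exception.
func basicAuthExcept(user, pass, exception string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !exempt(r.URL.Path, exception) {
			u, p, ok := r.BasicAuth()
			userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
			passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
			if !ok || !userOK || !passOK {
				w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func status(h http.Handler, target string) int { // replays a constructed GET
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	h := basicAuthExcept("user", "pass", "/api", ok) // constructed credentials
	for _, t := range []string{"/api/v1/items", "/", "/apiadmin", "/api/../admin"} {
		fmt.Println(t, status(h, t))
	}
}
```

The backend behind the exempted path still has to enforce its own authentication (token auth in this thread), since the wrapper lets those requests through unchecked.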
