1. The problem I’m having:
I would like to reverse proxy a service (nitter) and have basicauth only when accessed from outside my network. The Caddyfile that I am trying to achieve this with is included below.
I have my router forwarding ports 443 and 80 to my docker host’s local ip and an additional dns-rewrite rule in my local dns server that redirects nitter.example.com directly to the docker host’s local ip.
No matter whether I am accessing nitter locally or externally, basicauth is always active. I guess that the implicit “*” in the second reverse_proxy statement somehow overrules the @local part. What am I missing here? I guess there is no not_remote_ip, is there?
I am pretty confident that the overall network setup and the individual parts of the Caddyfile work, and that the issue is with the combination in the Caddyfile due to the following tests I did:
- remove the local part of the caddy file
→ I am asked for a password when accessing both locally and externally
- remove the other part of the caddy file with basicauth
→ I am not asked for a password when accessing locally and I cannot access externally at all.
2. Error messages and/or full log output:
log output not relevant here imho, will add upon request.
3. Caddy version:
v2.6.4 via docker
4. How I installed and ran Caddy:
Installed via docker. The CMD inside docker is caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
a. System environment:
docker running inside a Fedora CoreOS VM on a TrueNAS Core host.
b. Command:
docker start caddy_ext
c. Service/unit/compose file:
$ docker run \
    -v $PWD/Caddyfile:/etc/caddy/Caddyfile \
    --network=host \
    caddy:latest
d. My complete Caddy config:
Caddyfile:
nitter.example.com {
    @local {
        remote_ip forwarded 192.168.178.0/24
    }
    reverse_proxy @local http://192.168.178.111:8080
    reverse_proxy http://192.168.178.111:8080
    basicauth {
        user pw_hash
    }
}
5. Links to relevant resources:
I found this similar question here, but it was never really solved:
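
The following Caddyfile is an added example, not part of the original post: it scopes basicauth with a negated remote_ip matcher so that only requests from outside the LAN are challenged. It reuses the post's subnet, upstream and `user pw_hash` placeholder, and assumes the router forwards ports without rewriting the source address, so Caddy sees the real peer IP of external clients.

```caddyfile
nitter.example.com {
	# Requests whose TCP peer address is outside the LAN.
	# The `forwarded` option is left out on purpose: it takes the client IP
	# from X-Forwarded-For, a header the client sets itself when Caddy is
	# the first hop, so it must not decide who skips authentication.
	@external not remote_ip 192.168.178.0/24

	# basicauth sorts before reverse_proxy in Caddy's directive order and,
	# without a matcher, applies to every request on the site.
	# Scoped to @external, LAN clients are not challenged.
	basicauth @external {
		user pw_hash
	}

	# One upstream for everyone; access control is decided above.
	reverse_proxy http://192.168.178.111:8080
}
```

After reloading, a request from the LAN should return the page directly, while a request from an external address should receive a 401 with a `WWW-Authenticate` header.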