I have this section in my main snippet. The client_auth is how I leverage Authenticated Origin Pulls from Cloudflare. This is great for forcing connections to come through Cloudflare and prevent direct-IP access to my sites, among other things.
Unfortunately, this also means that I can’t access any of my sites via localhost or LAN without first going out through the entire Internet and through Cloudflare. I’m wondering what the best solution or approach is to have client_auth for external requests but not for localhost and LAN.
4. Error messages and/or full log output:
Don’t have anything to provide at the moment, but if you try to bypass client_auth, you get invalid or internal SSL errors.
5. What I already tried:
N/A — I’m mostly looking for ideas/strategies and haven’t really committed to any approach at the moment.
The end goal would be: if I type xnaas.info on my phone or laptop at home, I would load the resource on LAN, but typing the same domain off LAN would load over the internet, through Cloudflare.
Edit: I control a DNS server on LAN, so DNS rewrites are a possible thing.
Edit 2: Additionally, Caddy would need to be able to “reach out to itself” so to speak. If irc.xnaas.info is trying to load a resource from itself or xnaas.info/tmp/, it should be reaching out to localhost (like what would be accomplished by adding 127.0.0.1 irc.xnaas.info to /etc/hosts), not over the Internet.
For fun, I was thinking of some janky ways one could handle this. Multiple Caddy instances would be one way. One Caddy instance could have all sites on :4443 or something (but :443 on the actual router or something to map the port) and then run the LAN/localhost Caddy instance on :443.
Wait, I’m not entirely clear on what is needed. If you want to access properties of an HTTP request before a TLS connection, that’s not possible because TLS handshakes have to happen first. (That’s not a Caddy or Go restriction, that’s just how the Internet works.)
Or do you need to match on remote IP of the connection instead?
I believe what @xnaas wants here is to require the client certificate when the request is coming from any IP that isn’t their LAN/local connection.
That way they can have Cloudflare origin pulls authenticated by their certificate but LAN traffic be permitted since it wont have it.