Block access to certain paths when using Caddy as reverse proxy

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

a. System environment:

Ubuntu 22.04
Systemd
Installed via APT

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

```
gotify.******.com {
	@notblacklisted {
		not {
			path */#/login
		}
	}

	reverse_proxy @notblacklisted 10.0.0.20:8080
}
```


3. The problem I’m having:

Trying to block access to certain paths when using Caddy as a reverse proxy.
Gotify’s admin interface is mygotifydomain.com/#/login and I want to block/not proxy the path “/#/login” from the outside world. All other paths I want allowed to be accessed by the internet/proxied by Caddy.

I’ve tried following the “Blacklist” config here: https://caddy.community/t/v1-block-or-allow-certain-paths-to-a-backend-using-caddy-proxy/7089.

4. Error messages and/or full log output:

No Errors - Access to /#/login is still allowed


5. What I already tried:

https://caddy.community/t/v1-block-or-allow-certain-paths-to-a-backend-using-caddy-proxy/7089

6. Links to relevant resources:

https://caddy.community/t/v1-block-or-allow-certain-paths-to-a-backend-using-caddy-proxy/7089

The part at and including # is called the “fragment” in the URI. That part is never sent to the server. That’s purely in the frontend. It’s not possible for the server to filter based on that.

2 Likes

Hi Francis, thanks for the response.

So is there no way I can restrict access using Caddy?

I guess the alternative is to go with a whitelist model and block all access and whitelist paths without that fragment?

Thanks

It’s impossible for the server to be aware of the fragment, because the browser never sends it to the server.

All Caddy will see is / and that’s it.

I’m not sure I understand what you’re trying to do. But it seems like you have a JS SPA which is a frontend router. With that setup, it’s not possible to block specific paths on the server, because it’s not the server that does the routing decisions.

You can probably block paths for your API though.

1 Like
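
The point made in the replies above, as an added example that is not part of the original thread and is not Caddy's code: a throwaway loopback HTTP server records the request target it receives when a client requests `/#/login`, and a simplified stand-in for the `not path */#/login` matcher is evaluated against that value. The helper names, the loopback server, the sample paths and the suffix-only matching are assumptions made for illustration.

```python
import http.server
import threading
import urllib.request


def path_seen_by_server(ref):
    """Request `ref` (path, optional query and #fragment) from a throwaway
    loopback server and return the request target the server received."""
    seen = []

    class Recorder(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.path)  # exactly what arrived on the request line
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Recorder)
    server.timeout = 5  # never wait forever for the single request
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    try:
        # Empty ProxyHandler: ignore any proxy environment variables.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        url = f"http://127.0.0.1:{server.server_port}{ref}"
        opener.open(url, timeout=5).close()
    finally:
        worker.join(timeout=5)
        server.server_close()
    return seen[0]


def is_proxied(ref, blocked="*/#/login"):
    """Simplified stand-in (assumption) for `not path */#/login`:
    a leading * is treated as a suffix match on the received path."""
    received = path_seen_by_server(ref)
    return not received.endswith(blocked.lstrip("*"))


if __name__ == "__main__":
    # Constructed sample references; the fragment never reaches the server.
    for ref in ("/#/login", "/static/app.js?v=1#/login"):
        print(f"{ref!r}: server sees {path_seen_by_server(ref)!r}, "
              f"proxied={is_proxied(ref)}")
```

Because the matcher only ever sees `/`, the `not` condition is always true and every request is proxied, which matches the "no errors, access still allowed" behaviour reported in the question.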

Fair enough, thank you for your help 🙂