Caddy + Authelia - where to bypass auth for LAN

I have Caddy set up with Authelia. My desire is to have access from the WAN require login for my various services and access from the LAN to not require login.

There are two ways to set this up:

  1. I can set Caddy to call Authelia always and in the Authelia setup tell it to bypass authentication when accessed from the LAN
  2. I can use a matcher in Caddy so it only calls Authelia when access is from the LAN.

Is one of these more secure than the other? Is there a “best practice” for this?

I think you’d be okay doing either.

Consider the risks of splitting up where you implement your auth logic, though, from the human perspective. When all auth logic is in one place (Authelia), the human only needs to consider that one place when adjusting, configuring, or accounting for auth concerns. It reduces the complexity of Caddy’s configuration.

Personally I’d weigh the human risk of split auth logic higher than the probably-nil overhead of passing requests through to Authelia that might not strictly be required since Caddy could’ve figured it out first.

But I think these are academic and not particularly practical concerns.

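To make the two options concrete, here is an added example of the Caddy side of each; it is not from the original post and not taken from either project's documentation. It assumes Authelia is reachable at `authelia:9091`, the portal is `https://auth.example.com`, and the LAN is `192.168.1.0/24`; all of those are placeholders.

```caddyfile
# Option 1: Caddy forwards every request to Authelia. The LAN bypass lives
# in Authelia's access_control rules, not here.
app1.example.com {
    forward_auth authelia:9091 {
        # /api/verify is the classic endpoint; Authelia 4.38+ also offers
        # /api/authz/forward-auth. Check the version you run.
        uri /api/verify?rd=https://auth.example.com/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy app1:8080
}

# Option 2: Caddy decides. Only requests that do NOT come from the LAN are
# sent to Authelia; LAN requests are proxied straight through.
app2.example.com {
    # Assumed LAN range. `remote_ip private_ranges` would match all
    # RFC 1918 / loopback space instead of one subnet.
    @external not remote_ip 192.168.1.0/24
    forward_auth @external authelia:9091 {
        uri /api/verify?rd=https://auth.example.com/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy app2:8080
}
```

For option 1 the matching Authelia side is an `access_control.rules` entry with `policy: bypass` and a `networks:` list containing the LAN CIDR, placed above the `one_factor`/`two_factor` rule for the same domain, since Authelia evaluates rules in order and the first match wins. Either way the decision rests on a client IP address: Caddy's `remote_ip` matcher uses the TCP peer address and ignores `X-Forwarded-For` unless `trusted_proxies` is configured, and Authelia sees the address Caddy puts in `X-Forwarded-For`. If a tunnel or another proxy sits in front of Caddy, make sure only that hop is trusted to set forwarded headers, otherwise a WAN client could present a LAN address and hit the bypass.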

I like the idea of concentrating things in one place (Authelia). It also requires “two steps” for me to open a site without auth: 1) make the site in Caddy, and then 2) go to Authelia and explicitly list it as a bypass rule.

Thanks!