Caddy request matcher based on iframe from a specific app

1. The problem I’m having:

Hi, I am currently using Caddy to reverse proxy and do forward_auth to Authentik to secure my apps (Zigbee2MQTT, Grocy…). I am a beginner.

Now, I want to incorporate those apps as iframes into Home Assistant UI. But in that case, I don’t want Caddy to do forward_auth, as users are already authenticated to access Home Assistant UI. So I thought about Request Matchers. I am already using some so that API calls on /api/* paths, on some apps, can get through without forward_auth. I would like to use the same concept, but this time only if the request comes through an iframe in Home Assistant. To configure an iframe in Home Assistant, I just set a URL. Is there a way to set something like a token in the URL I give to Home Assistant, and create a Request Matcher in Caddy based on this token? Would that be secure? How would I do that?

Thanks in advance for any suggestion. I may or may not have been clear, so I can give more details if needed.

2. Error messages and/or full log output:

I am not trying to fix an error.

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Docker

5. Links to relevant resources:

From a technological perspective, Caddy simply needs some way of telling which requests it should or shouldn’t apply forward authentication to. How could it inspect an HTTP request and filter out the ones that come from an iframe?

Your capabilities in this regard are limited. In a normal HTML iframe, the browser still controls all of the aspects of the request, and for the most part it makes a perfectly normal request.

You could inspect the referer, because all the requests inside an iframe should be referred from the Home Assistant URL. But this is a wildly insecure way to disable authentication that would allow any mildly competent attacker to completely bypass your security almost effortlessly; as simple as curl -H "Referer: <HA URL>" <protected URL>.

If you were coding the website which embeds the iframe, you could instead opt for AJAX loading of the website in the frame, which would give you more control - in JavaScript - over the manner of request you send. You could have all such AJAX requests include some kind of special header with a token that Caddy can recognize, much like you thought to include one in the URL.

The problem with your URL approach is that you could include that in the form of something like a query string, for example. But that only applies to the first load of the index - all the asset hrefs, and any links you click, would not include this token and would thus be subject to redirection for authentication.

And the problem with the AJAX method is that I don’t think you have that level of control over Home Assistant’s web interface.

Another issue is that even if Caddy did have some kind of reliable method to determine if a request came from an iframe - can it really trust that this iframe user really was authenticated? Can it trust that user actually logged in to HA and can be trusted with the contents of the otherwise-protected site Caddy is serving? In terms of good security, this… isn’t, very much.

The good thing with forward auth to Authentik is that it should, at least, set the cookie for the site going forwards so that once they’ve authenticated to it once, they should remain authenticated until that cookie times out.
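The following is an added illustration, not code from this thread or from Caddy or Authentik: a small Python model of Caddy's matcher decision, built to show the two points made above, namely that a token carried in the iframe URL's query string only covers the very first document load (every asset href and clicked link arrives without it), whereas the session cookie that forward_auth establishes covers every request that follows. The matcher functions, the token value, the cookie name and the browser request sequence are all constructed assumptions for the demonstration.

```python
"""Model of Caddy-style request matching for the iframe question.

Added example, not from the forum thread. The matchers, token, cookie
name and request sequence are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical token the user would put in the Home Assistant iframe URL.
IFRAME_TOKEN = "constructed-example-token"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    path: str                      # path plus optional query string
    cookies: Dict[str, str] = field(default_factory=dict)


def api_path_matcher(req: Request) -> bool:
    """The matcher the original poster already uses: /api/* bypasses forward_auth."""
    return urlparse(req.path).path.startswith("/api/")


def query_token_matcher(req: Request) -> bool:
    """Hypothetical matcher: bypass forward_auth when ?token=<IFRAME_TOKEN> is present."""
    values = parse_qs(urlparse(req.path).query).get("token", [])
    return bool(values) and values[0] == IFRAME_TOKEN


def session_cookie_matcher(req: Request) -> bool:
    """Model of the session that forward_auth sets once the user has logged in.

    Cookie name and value are constructed; a real deployment would have the
    auth provider validate its own session cookie.
    """
    return req.cookies.get("session") == "valid"


def needs_forward_auth(req: Request, skip_if: List[Callable[[Request], bool]]) -> bool:
    """Forward-auth is applied unless at least one bypass matcher fires."""
    return not any(matcher(req) for matcher in skip_if)


def simulate_iframe_load(token_in_url: bool,
                         cookies: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the request paths that would be sent to the auth provider.

    Simulates Home Assistant loading the app in an iframe and the user then
    interacting with it. The sequence is constructed but realistic: the
    document, its assets (hrefs inside the HTML carry no query token), an
    API call, and a link the user clicks inside the frame.
    """
    first = "/?token=" + IFRAME_TOKEN if token_in_url else "/"
    sequence = [first, "/static/app.js", "/static/style.css",
                "/api/devices", "/settings"]
    matchers = [api_path_matcher, query_token_matcher, session_cookie_matcher]
    return [p for p in sequence
            if needs_forward_auth(Request(p, cookies or {}), matchers)]


if __name__ == "__main__":
    print("token in URL, no session:", simulate_iframe_load(True))
    print("session cookie only:     ", simulate_iframe_load(False, {"session": "valid"}))
    print("neither:                 ", simulate_iframe_load(False))
```

Running it shows that with the token approach only the index is let through, and the JavaScript, stylesheet and the clicked link are still redirected for authentication, while a session cookie lets the whole sequence pass. The model also makes the second point visible: the token bypass fires on whatever the client chose to send, so it proves nothing about whether that client ever logged in to Home Assistant.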