Can caddy do the following?

I am currently not using Caddy. I am curious to know if Caddy can do the following:

A) Conditionally allow / deny incoming HTTP requests based on the origin / IP

B) If the request is allowed, generate a dynamic Authorization header that contains an OIDC JWT (bearer token authentication)

C) Proxy pass that request to an internal service with this additional Authorization header

Additional Info Regarding Point B

I am trying to forward a particular unauthenticated HTTP request to an authenticated internal server within our infra.

This private server requires that I send over a bearer authentication token within an Authorization header.

The token is short-lived, so I actually need to regenerate this token on a pretty consistent basis (every one hour or so, I believe).

Can this be done purely within Caddy? And if yes, would it have to be a “hack” to achieve B?

Yes, with the remote_ip matcher:

Probably, with this plugin (I don’t use it myself, so I can’t elaborate too much on the featureset):

Maybe @greenpau can comment.


@supermacro, I am not sure I understood the flow. Nevertheless, I will try to help out.

```
{
  @internal {
    # matcher conditions not present in the original post
  }
  handle @internal {
    header +Authorization "Bearer TOKEN"
  }
  respond 403
}
```

The above would inject an authorization header of your choice and that would be sent to the internally proxied service.

If you want to authenticate to Google, then yes, look into using caddy-auth-portal AND caddy-authorize plugins.

Thank you @francislavoie and @greenpau

One thing I should have mentioned is that the entity making the request is:

A) a non-human user

B) will always be unauthenticated / not have any credentials. I am simply granting permissions to a very specific unauthenticated, but trusted, request.

In your example, you have a hard-coded string for the Authorization header value … rather than hard-coding it, would there be a way to dynamically generate it, or have Caddy read it from a file?
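One way to wire A, B and C together in a single Caddyfile, as an added example that is not part of any post in this thread and not from the Caddy project itself. It assumes a trusted caller network of 10.0.0.0/8, an internal service on 127.0.0.1:8080, and a file /run/secrets/token that some external job rewrites whenever the short-lived token is refreshed; all three are placeholders. It also assumes the `{file.*}` placeholder of current Caddy releases, which is expanded per request, so a rewritten file takes effect without reloading the config (check the placeholder docs for the version you run):

```caddyfile
# Added example, not from the thread. Placeholder values:
#   10.0.0.0/8          - the trusted caller's network
#   127.0.0.1:8080      - the internal, token-protected service
#   /run/secrets/token  - current bearer token, rewritten by an external refresher
example.internal {
	# A) only the trusted source matches; everything else falls through to 403
	@trusted remote_ip 10.0.0.0/8

	handle @trusted {
		# B + C) attach the token and forward to the internal service.
		# header_up edits the request sent upstream; the plain `header`
		# directive edits the response returned to the client instead.
		reverse_proxy 127.0.0.1:8080 {
			header_up Authorization "Bearer {file./run/secrets/token}"
		}
	}

	# Deny anything that did not match the allow-list
	respond 403
}
```

Two things to check before relying on this. `remote_ip` matches the peer address of the TCP connection, so if a load balancer or another proxy sits in front of Caddy every request will appear to come from that proxy's address; in that case configure `trusted_proxies` and match on the client IP derived from it rather than trusting `X-Forwarded-For` blindly. And because the token file is read by the Caddy process, restrict its permissions to that user and keep the refresher as the only writer, so the allow-list is the only thing that decides who gets a request signed with it.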

Create a feature request by clicking here, describe exactly what you want to accomplish and who is that “non-human” user. Details matter here. Please reference this topic. I will try helping you out. It is doable.

I think what I’m trying to accomplish is quite “custom” and I’m not sure if it makes the most sense to add to something such as caddy-authorize … Also, given our deadlines, we simply went with writing a simple proxy server in NodeJS for now. But switching to a proper proxy server may be something we do in the future.

Really appreciate the support and inclusiveness!
