Changes in behavior depending on IP

Is it possible to change the behavior of the web server depending on the group of IP addresses making the request? My task is to provide client authentication with a security certificate from the global network (client_auth), while the site should open from the local network without any checks.

TLS connection policies may be configured to match the remote_ip, but only using JSON config (not with the Caddyfile) due to the complexity involved in configuring that in the Caddyfile. See JSON Config Structure - Caddy Documentation

Thank you for your time!

Did I understand correctly that this kind of configuration will provide me with unhindered access from the local network, while in order to log in from the global network I will need a certificate?

example.kz {
        @local remote_ip 192.168.0.0/16
        reverse_proxy @local 127.0.0.1:7070

        tls {
                client_auth {
                        trusted_ca_cert_file /etc/caddy/gpscert/ca.crt
                }
        }
        reverse_proxy 127.0.0.1:7070 {
                header_up X-Real-IP {remote_host}
        }

}

No, this will not work.

Like I said, what you’re asking to do is not possible with a Caddyfile, because we haven’t implemented that functionality. You need to use a JSON config instead.

You’re asking for TLS connection policy matching by remote IP. That’s not the same as request matching by remote IP. The TLS handshake happens before the HTTP request handlers are reached. Request matchers happen too late for deciding what to do in the TLS handshake.

To add to that, the TLS directive is not an HTTP handler, so it’s not like that will only be applied after the remote IP matcher in your case. The tls directive applies to the whole site/server regardless of HTTP requests.
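
An added example, not part of the thread and not taken from the Caddy project: a JSON config sketch of the TLS connection policy matching by remote IP that the replies above describe. The hostname, IP range, CA file path and upstream come from the Caddyfile in the question; the server name `srv0`, the `:443` listener and the policy layout are assumptions, and the field names should be checked against the JSON docs for the installed version with `caddy validate --config <file>`. Connection policies are tried in order and the first match is used, so the local-network policy (no client certificate) comes before the catch-all policy that requires one.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "tls_connection_policies": [
            {
              "match": {
                "remote_ip": { "ranges": ["192.168.0.0/16"] }
              }
            },
            {
              "client_authentication": {
                "trusted_ca_certs_pem_files": ["/etc/caddy/gpscert/ca.crt"],
                "mode": "require_and_verify"
              }
            }
          ],
          "routes": [
            {
              "match": [{ "host": ["example.kz"] }],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [{ "dial": "127.0.0.1:7070" }],
                  "headers": {
                    "request": {
                      "set": { "X-Real-IP": ["{http.request.remote.host}"] }
                    }
                  }
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}
```

The `remote_ip` matcher sees the address of the direct TCP peer, so if external traffic reaches Caddy through a NAT device or proxy with a 192.168.x.x address, those clients would match the first policy and skip certificate verification.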