Disable basic auth for internal IPs?

I’m really interested in using Caddy instead of nginx but I am suspecting that my configuration might not be achievable with Caddy. What I would like to do is have urls protected by basic auth when they aren’t accessed from my internal network, e.g. that 192.168.1.0/24 is exempt from basic auth.

Is this at all possible? If it isn’t directly supported is it possible to achieve it by some workaround? Combining basic auth with the ipfilter module? Having multiple vhosts with different settings and separating them with ipfilter or something like that?


Hi Stefan,

Have a look at this post for an idea on how to achieve this using a “secure” external subdomain and an “insecure” internal subdomain:

And here for an example of the kind of redirection you’d want to use, just change the if statements:


Thank you for the suggestions and link. Not quite as graceful as I would like so if this is the only solution I think I will have to wait a bit more before starting to use Caddy. But since I would really like to try Caddy I’ve been trying to think of other possibilities.

Would it be possible to give the server two IPs and then have two Caddy processes, one for external requests (with basic auth) and one for internal requests (without basic auth)? It’s then up to my internal DNS server to make sure the request goes to the correct IP. I’ve seen that Caddy has a bind command but I don’t really understand if it works the way I want.

TL;DR:
Can I have two Caddy processes bound to different IPs while both are serving multiple vhosts?

While I haven’t used the bind directive myself yet, I believe binding works on a per-vhost basis, and you can specify which host they will listen on (as by default they listen on the wildcard).

So instead of using two subdomains, you should be able to set up two IPs and have one version of the vhost binding to the first IP, and the other to the second, and basic auth one of them. All other vhosts would still respond to requests to any IP (unless you specified bindings for them too).

Took a while before I could test it but now I have. Unfortunately I must report that it doesn’t seem to work (at least not the way I want). If I add two vhosts to Caddy (same hostname) with different bind addresses, Caddy won’t start. It complains about duplicate vhosts.

So it seems like I would have to create two reverse proxy machines, one for internal requests and one for external requests, to be able to disable basic auth for internal requests. I will have to think about whether I want to do that. Wonder if that would affect Let’s Encrypt?

You could set up one Caddy instance available to the local network serving HTTP, and then another Caddy instance publicly accessible on the edge of your network, terminating HTTPS and proxying to the HTTP Caddy with basicauth configured?

Unfortunately the only other way I know to achieve this is by bouncing people between vhosts based on their IP block.

That did indeed work. Was a little bit thrown off by the fact that if no binds are specified then Caddy binds to 0.0.0.0. So after specifying binds for all my vhosts it works.
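The per-vhost bind approach discussed in this thread, written out as an added example (not a configuration from the thread or from the Caddy project). It assumes Caddy v1 Caddyfile syntax, one hostname app.example.com, an internal address 192.168.1.10 and a public address 203.0.113.10 on the same server, with internal DNS resolving the name to the internal address and public DNS to the public one:

```caddyfile
# Added example, not from the thread. Hostnames, addresses, backend ports
# and the user name are assumptions; the password is a placeholder.

# Internal vhost: only reachable via the LAN address, so no basic auth.
app.example.com {
    bind 192.168.1.10
    proxy / localhost:8080
}

# Public vhost: same hostname on the public address, basic auth required.
app.example.com {
    bind 203.0.113.10
    proxy / localhost:8080
    basicauth / alice CHANGEME_PLACEHOLDER_PASSWORD
}

# Every other vhost needs an explicit bind too: without one Caddy listens
# on 0.0.0.0, which overlaps both addresses above and triggers the
# duplicate-vhost error mentioned earlier in the thread.
other.example.com {
    bind 203.0.113.10
    proxy / localhost:9090
}
```

The internal vhost trusts the network boundary entirely, so the whole scheme depends on 192.168.1.10 not being reachable from outside (and on the firewall keeping it that way), which is worth checking before relying on it.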
