How do I restrict /admin* by IP and proxy it to one port while allowing open access to everything else and proxying that to another port?

1. The problem I’m having:

I’m using the reverse proxy function and I want to restrict access to the /admin* path by IP address. The problem is that I need wide open access on everything else. Also worth mentioning that the /admin* path routes to a different port than /*. Any advice on how I can achieve this? Thanks.

2. Error messages and/or full log output:

-- Logs begin at Sun 2023-04-30 00:30:21 UTC, end at Mon 2023-05-01 00:47:53 UTC. --
Apr 30 01:06:22 localhost systemd[1]: Starting Caddy...
Apr 30 01:06:22 localhost caddy[40459]: caddy.HomeDir=/var/lib/caddy
Apr 30 01:06:22 localhost caddy[40459]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Apr 30 01:06:22 localhost caddy[40459]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Apr 30 01:06:22 localhost caddy[40459]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Apr 30 01:06:22 localhost caddy[40459]: caddy.Version=v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
Apr 30 01:06:22 localhost caddy[40459]: runtime.GOOS=linux
Apr 30 01:06:22 localhost caddy[40459]: runtime.GOARCH=amd64
Apr 30 01:06:22 localhost caddy[40459]: runtime.Compiler=gc
Apr 30 01:06:22 localhost caddy[40459]: runtime.NumCPU=2
Apr 30 01:06:22 localhost caddy[40459]: runtime.GOMAXPROCS=2
Apr 30 01:06:22 localhost caddy[40459]: runtime.Version=go1.20
Apr 30 01:06:22 localhost caddy[40459]: os.Getwd=/
Apr 30 01:06:22 localhost caddy[40459]: LANG=en_US.UTF-8
Apr 30 01:06:22 localhost caddy[40459]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Apr 30 01:06:22 localhost caddy[40459]: NOTIFY_SOCKET=/run/systemd/notify
Apr 30 01:06:22 localhost caddy[40459]: HOME=/var/lib/caddy
Apr 30 01:06:22 localhost caddy[40459]: LOGNAME=caddy
Apr 30 01:06:22 localhost caddy[40459]: USER=caddy
Apr 30 01:06:22 localhost caddy[40459]: INVOCATION_ID=6077d175142d4c239a636fdbceaf2c72
Apr 30 01:06:22 localhost caddy[40459]: JOURNAL_STREAM=9:68616
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4003525,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4039261,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"warn","ts":1682816782.404729,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4049404,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004c5960"}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4051547,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.405287,"logger":"tls","msg":"finished cleaning storage units"}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4054787,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4056044,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr 30 01:06:22 localhost systemd[1]: Started Caddy.
Apr 30 01:06:22 localhost caddy[40459]: {"level":"info","ts":1682816782.4068897,"msg":"serving initial configuration"}
Apr 30 21:24:11 localhost caddy[40459]: {"level":"info","ts":1682889851.5214434,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/stop","remote_ip":"127.0.0.1","remote_port":"52482","headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Apr 30 21:24:11 localhost caddy[40459]: {"level":"warn","ts":1682889851.526561,"logger":"admin.api","msg":"exiting; byeee!! 👋"}
Apr 30 21:24:11 localhost caddy[40459]: {"level":"info","ts":1682889851.529081,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0004c5960"}
Apr 30 21:24:11 localhost caddy[40459]: {"level":"info","ts":1682889851.5551808,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Apr 30 21:24:11 localhost caddy[40459]: {"level":"info","ts":1682889851.5556314,"logger":"admin.api","msg":"shutdown complete","exit_code":0}
Apr 30 21:24:11 localhost systemd[1]: caddy.service: Succeeded.

3. Caddy version:

v2.6.4

4. How I installed and ran Caddy:

via instructions here

a. System environment:

Linux localhost 5.4.0-137-generic #154-Ubuntu SMP Thu Jan 5 17:03:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 20.04)

b. Command:

caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

https://demo.example.domain {
    reverse_proxy /admin* http://127.0.0.1:5000
    reverse_proxy * http://127.0.0.1:8081
}

5. Links to relevant resources:

You need named request matchers to match by remote_ip:

That does work, but it blocks not only the /admin* URI but also everything else. I want to block the /admin* URI by IP address, but leave everything else (*) wide open.

What did you try, exactly? Did you read the docs? You can use multiple matchers together with a named matcher.
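One way to combine the path and IP conditions in a single named matcher, as an added example that is not from any of the posters above (the allow-listed addresses 203.0.113.0/24 and 192.0.2.10 are constructed placeholders; the two upstream ports are the ones from the posted config):

```caddyfile
https://demo.example.domain {
    # Named matcher: /admin* requests whose client IP is NOT on the allow-list.
    # Both conditions inside the block must hold for the matcher to match.
    @admin_denied {
        path /admin*
        not remote_ip 203.0.113.0/24 192.0.2.10   # constructed allow-list
    }

    # Reject those requests before any proxying happens (respond is ordered
    # before reverse_proxy in Caddy's default directive order and terminates
    # handling, so the proxy below never sees them).
    respond @admin_denied 403

    # /admin* from an allow-listed IP reaches the admin backend on port 5000.
    reverse_proxy /admin* http://127.0.0.1:5000

    # Everything else stays wide open and goes to port 8081.
    reverse_proxy * http://127.0.0.1:8081
}
```

Note that remote_ip compares the address of the TCP peer, so if Caddy sits behind another proxy or CDN every request will appear to come from that hop; only enable trust of forwarded client-IP headers when that upstream is one you control, otherwise the allow-list can be bypassed by a spoofed header.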
