A named matcher definition constitutes a matcher set. Matchers in a set are AND’ed together; i.e. all must match. For example, if you have both a header and path matcher in the set, both must match.
Is there a way to use an OR?
An example could be Authelia’s forward_auth, which in my case is
I would like, in @forceAuth, to say “when remote_ip is not in my private range (that one is there) OR when there is no match on header X-Authelia-Token having the value of a_big_secret” (in other words: allow an authenticated call from within my LAN or if there is a specific header).
Is this possible?
I thought that a boolean NOT (a AND b) === (NOT a) OR (NOT b) would do it, but apparently not (I still get authenticated when passing the header; interestingly, I am also authenticated from outside the LAN):
Matchers in the Caddyfile are a bit more limited/handicapped from what can be expressed in JSON config.
Unless Francis or Matthew have clever ideas, my suggestion would be to either use the CEL matcher (which lets you combine matchers with advanced boolean logic) or switch to JSON config (which lets you define more matcher sets per handler which do get OR’ed).
It looks all right to me: ¬(header ∧ remote_ip) ⇒ ¬header ∨ ¬remote_ip, which means “force authentication when no header or not LAN”. Which is what I am looking for.
Not sure why it does not work, I will continue to investigate. I will also look at CEL, I do not know this language (yet :))
Close, but you have only one matcher set there: header AND remote_ip (inside not) i.e.: “NOT (header AND remote_ip)”. Different matchers IN a set get “ANDed” together, that’s what lets you combine multiple different parts of a request.
Matcher sets themselves get OR’ed together, though:
Oh that’s cool.
And the event was in Lille, 90 minutes from Paris. Hope you enjoyed your first trip to Europe (even though Lille is just one facet of France, one of many).
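As an added illustration (not code from any poster in this thread and not Caddy's own implementation), the following simplified Python model applies the rules discussed above: matchers inside a set are ANDed, matcher sets are ORed, and `not` negates the OR of its nested sets. The LAN range, the sample IP addresses and all function names are assumptions made for the example; the header name and value are the ones quoted in the question.

```python
import ipaddress

# Constructed values: the LAN range is an assumption; header name/value come from the thread.
LAN = "192.168.0.0/16"
TOKEN = {"X-Authelia-Token": "a_big_secret"}

def match_set(mset, req):
    """All matchers inside one set must match (AND). Simplified: exact header match only."""
    for name, arg in mset.items():
        if name == "remote_ip":
            ip = ipaddress.ip_address(req["remote_ip"])
            ok = any(ip in ipaddress.ip_network(cidr) for cidr in arg)
        elif name == "header":
            ok = all(req["headers"].get(k) == v for k, v in arg.items())
        elif name == "not":
            ok = not match_any(arg, req)  # negate the OR of the nested sets
        else:
            raise ValueError(f"unsupported matcher: {name}")
        if not ok:
            return False
    return True

def match_any(msets, req):
    """A list of matcher sets matches when any one set matches (OR)."""
    return any(match_set(m, req) for m in msets)

# One set inside `not`: NOT (header AND remote_ip)
FORCE_UNLESS_BOTH = [{"not": [{"header": TOKEN, "remote_ip": [LAN]}]}]
# Two sets inside `not`: NOT (header OR remote_ip)
FORCE_UNLESS_EITHER = [{"not": [{"header": TOKEN}, {"remote_ip": [LAN]}]}]

def request(ip, with_token):
    return {"remote_ip": ip, "headers": dict(TOKEN) if with_token else {}}

# Constructed requests: LAN/WAN crossed with token/no token
CASES = {
    "lan+token": request("192.168.1.20", True),
    "lan only": request("192.168.1.20", False),
    "wan+token": request("203.0.113.7", True),
    "wan only": request("203.0.113.7", False),
}

def forced(policy):
    """Names of the sample requests that the policy sends to authentication."""
    return [name for name, req in CASES.items() if match_any(policy, req)]

if __name__ == "__main__":
    print("unless both  :", forced(FORCE_UNLESS_BOTH))
    print("unless either:", forced(FORCE_UNLESS_EITHER))
```

Listing which of the four requests each policy sends to authentication makes the trade-off visible: the single-set form skips authentication only for a LAN client that also presents the token, while the two-set form skips it for any LAN client and for any holder of the token.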