"if" statement in tls block

(Maciej świć) #1

Hi,
I have a couple of reverse proxies for internal services I’m exposing online. When accessed internally I don’t want the client certificate to be required, but when I do the below, Caddy complains that “if” is an invalid directive at that position. Is there another way to solve this?

tls ***@***.name {
    if {remote} not_starts_with 10.0.0.
    clients /mnt/user/appdata/caddy/conf/ca.crt
}
(Matthew Fay) #2

Not really, tls has no if subdirective, and can’t really be made conditional.

You need to run two listeners, one that requires authentication from external clients, one that allows access without authentication for internal clients. There are a few ways I can think of:

  1. Use bind to listen with auth on an external IP, without auth internally;
  2. Run a different hostname for internal access, redirect between the two as necessary depending on {remote}, and rewrite to a status 403 for external clients;
  3. Run two Caddy instances - one for internal clients, one for external clients - the internal instance is the actual reverse proxy, the external instance is an authentication layer on top that proxies to the internal instance - use split DNS internally so private clients get the internal instance.
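A Caddyfile sketch of option 1, added here as an illustration and not taken from the thread: two site blocks, each bound to a different address, with client certificates required only on the public one. It assumes Caddy v1 syntax (the same `tls ... { clients ... }` form as in the question), placeholder addresses 203.0.113.10 (public) and 10.0.0.5 (LAN), the hostnames app.example.com and app.internal, an admin@example.com contact address, and a backend on 127.0.0.1:8080.

```caddyfile
# External listener: only clients presenting a certificate signed by the
# configured CA are accepted. Addresses and hostnames are placeholders.
app.example.com {
    bind 203.0.113.10
    tls admin@example.com {
        clients /mnt/user/appdata/caddy/conf/ca.crt
    }
    proxy / 127.0.0.1:8080
}

# Internal listener: bound to the LAN address only, no client auth.
# A distinct hostname keeps the two site keys from colliding; internal
# resolvers point app.internal at 10.0.0.5. self_signed is used here so
# the example stands alone; an internally issued cert is the nicer choice.
app.internal {
    bind 10.0.0.5
    tls self_signed
    proxy / 127.0.0.1:8080
}
```

The internal block is only as private as the address it binds to, so the firewall (or NAT rules) must ensure 10.0.0.5:443 is unreachable from the Internet; otherwise the unauthenticated listener undoes the client-certificate requirement on the public one.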