"if" statement in tls block

maciekish · May 26, 2019, 10:15am

Hi,
I have a couple reverse proxies for internal services i’m exposing online. When accessed internally i don’t want the client certificate to be required but when i do the below Caddy complains that “if” is an invalid directive at that position. Is there another way to solve this?

tls ***@***.name {
    if {remote} not_starts_with 10.0.0.
    clients /mnt/user/appdata/caddy/conf/ca.crt
}

Whitestrake · May 26, 2019, 11:44pm

Not really, tls has no if subdirective, and can’t really be made conditional.

You need to run two listeners, one that requires authentication from external clients, one that allows access without authentication for internal clients. There’s a few ways I can think of:

Use bind to listen with auth on an external IP, without auth internally;
Run a different hostname for internal access, redirect between the two as necessary depending on {remote}, and rewrite to a status 403 for external clients;
Run two Caddy instances - one for internal clients, one for external clients - the internal instance is the actual reverse proxy, the external instance is an authentication layer on top that proxies to the internal instance - use split DNS internally so private clients get the internal instance.

system · August 24, 2019, 11:44pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.