It will be best to describe my specific case: I serve several services in docker containers and they are all proxied through caddy. It allows me to expose a URL and TLS.
Some of the services are not authenticated natively and I recently tested putting them behind Authelia (an authentication intermediate), which works great.
```
forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.something.eu
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
```
I now need to put some “conditional routes” so to speak, to address the problem of internal networks and monitoring. Specifically I would like:
- all LAN traffic to bypass the authelia step (so no authentication)
- except if there is a specific header which would trigger the authentication nevertheless
- all non-LAN traffic goes through authelia
The reason for this pipe is that I want local clients to connect freely. At the same time, I have a monitoring service (I wrote it myself so I can influence how it works) that is supposed to check the services “internally” → they would respond with a 200 and “external” → they (or actually authelia) would respond with a 401.
TL;DR: how can I put conditions on the configuration pieces under the definition of a site?
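
One way to express the three rules above in a Caddyfile, as an added example that is not part of the original post: two mutually exclusive `handle` blocks, where the unauthenticated one is selected only for LAN clients that did not send the override header. The site address `service.something.eu`, the upstream `app:8080` and the header name `X-Force-Auth` are assumptions.

```caddyfile
# Added example. Site address, upstream and the X-Force-Auth header name
# are hypothetical; the forward_auth block is the one from the post.
service.something.eu {
	# Matchers inside one named matcher are ANDed:
	# client address is in a private range AND the override header is absent.
	@lan_no_override {
		remote_ip private_ranges
		header !X-Force-Auth
	}

	# Rule 1: plain LAN traffic skips Authelia.
	handle @lan_no_override {
		# forward_auth did not run on this path, so remove identity headers
		# a client may have set itself before the backend sees them.
		request_header -Remote-User
		request_header -Remote-Groups
		request_header -Remote-Name
		request_header -Remote-Email
		reverse_proxy app:8080
	}

	# Rules 2 and 3: LAN traffic carrying X-Force-Auth (the monitoring
	# "external" probe) and all non-LAN traffic go through Authelia.
	handle {
		forward_auth authelia:9091 {
			uri /api/verify?rd=https://auth.something.eu
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		}
		reverse_proxy app:8080
	}
}
```

`remote_ip` matches the address of the direct TCP peer, so confirm in Caddy's access log that LAN and internet clients really arrive with different source addresses. If the container only ever sees a Docker gateway or another proxy's address, every request would match `private_ranges` and skip authentication.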