Is it possible to set a processing pipe based on conditions?

It is probably best to describe my specific case: I serve several services in docker containers and they are all proxied through caddy. It allows me to expose a URL and TLS.

Some of the services are not authenticated natively and I recently tested putting them behind Authelia (an authentication intermediate), which works great.

forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.something.eu
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}

I now need to put some “conditional routes” so to speak, to address the problem of internal networks and monitoring. Specifically I would like

  • all LAN traffic to bypass the authelia step (so no authentication)
    • except if there is a specific header which would trigger the authentication nevertheless
  • all non-LAN traffic goes through authelia

The reason for this pipe is that I want local clients to connect freely. At the same time, I have a monitoring service (I wrote it myself so I can influence how it works) that is supposed to check the services “internally” → they would respond with a 200 and “external” → they (or actually authelia) would respond with a 401.

TL;DR: how can I put conditions on the configuration pieces under the definition of a site?

Use a remote_ip matcher and apply it to your forward_auth directive. Use the not matcher to invert the condition so you basically say “not a remote IP from private ranges, and does not have this specific header”. Might look like this:

@skipAuth not {
	remote_ip private_ranges
	header Your-Special-Header *
}
forward_auth @skipAuth ...
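
Added example, not part of the thread: a small Python model of how Caddy evaluates a `not` block (the enclosed matchers are ANDed, then the result is negated), used to tabulate which constructed requests the posted matcher hands to `forward_auth` next to the policy described in the question. The function names and sample addresses are made up for illustration; the CIDR list is what Caddy documents for `private_ranges`.

```python
import ipaddress
from itertools import product

# CIDRs that Caddy's `private_ranges` shortcut stands for (per the Caddy docs).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "127.0.0.0/8", "fd00::/8", "::1/128")]

HEADER = "Your-Special-Header"  # placeholder name taken from the answer


def is_private(ip):
    """Model of `remote_ip private_ranges` for one peer address."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in PRIVATE_RANGES)


def posted_matcher(ip, headers):
    """`not { remote_ip private_ranges / header Your-Special-Header * }`:
    True means the request is sent through forward_auth."""
    return not (is_private(ip) and HEADER in headers)


def stated_policy(ip, headers):
    """Policy from the question: authenticate all non-LAN traffic, plus
    LAN traffic that carries the trigger header."""
    return (not is_private(ip)) or HEADER in headers


def compare(samples):
    """Return (ip, has_header, posted, wanted) for every sample request."""
    return [(ip, HEADER in h, posted_matcher(ip, h), stated_policy(ip, h))
            for ip, h in samples]


# Constructed sample requests: header keys are assumed already normalized.
SAMPLES = list(product(("192.168.1.20", "10.0.0.5", "fd00::1", "203.0.113.7"),
                       ({}, {HEADER: "1"})))

if __name__ == "__main__":
    print(f"{'peer':<14}{'header':<8}{'posted':<8}{'wanted':<8}")
    for ip, has_hdr, posted, wanted in compare(SAMPLES):
        note = "" if posted == wanted else "  <-- differs"
        print(f"{ip:<14}{has_hdr!s:<8}{posted!s:<8}{wanted!s:<8}{note}")
```

`remote_ip` matches the immediate peer address of the connection, so when requests reach Caddy through a Docker gateway or another proxy, external clients can appear inside `private_ranges`; check the addresses Caddy actually logs before relying on a LAN bypass.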