Limit access to subdirectory

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

I am using Caddy as a reverse proxy for a Vaultwarden instance running on a separate host at

a. System environment:

Both Caddy and Vaultwarden are running in their own Ubuntu Server 20.04.4 LXC instances on a Proxmox 7.2 hypervisor behind an OpenBSD internet-facing router, which is forwarding ports from external hosts and internal hosts on other subnets to the Caddy reverse proxy instance.

b. Command:

Caddy is set to autostart as a service. I can also use this command if the service is not already running.

caddy run

c. Service/unit/compose file:


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

{
	log {
		level INFO
		format json
		output file /var/log/caddylogs/vault {
			roll_size 10MB
			roll_keep 10
		}
	}
	encode gzip
	reverse_proxy /notifications/hub/negotiate
	reverse_proxy /notifications/hub
	reverse_proxy {
		header_up X-Real-IP {remote_host}
	}
}

3. The problem I’m having:

What I want to do might not even be possible. I am hoping it is but haven’t found any examples of anyone trying to do it. Vaultwarden has a separate admin page available at and for security reasons I would like regular requests to to continue working as they are but any request to to get a page not found error or otherwise be blocked unless the request comes from a particular IP range such as

4. Error messages and/or full log output:

5. What I already tried:

I have not tried anything yet because I am not sure what to try. I have done some Google searching, and looked at the remote_ip request matcher in the documentation which seems like it should do what I need if it can be used in this way, but have not found anything that references working with a subdirectory rather than a subdomain so I don’t know what syntax to experiment with. Before I risk breaking the password manager I thought I should ask here if what I want to do is even possible first.

6. Links to relevant resources:

It’s possible.

The remote_ip matcher is what you want.

You also want a path matcher to specify the directory. You can combine the two in a single named matcher and then use respond to instruct Caddy to return some error.

A named matcher definition constitutes a matcher set. Matchers in a set are AND’ed together; i.e. all must match. For example, if you have both a header and path matcher in the set, both must match.

Request matchers (Caddyfile) — Caddy Documentation

The simple option would be to specify a matcher for the set of conditions that you want to reject, e.g. IF (path IS /admin) AND (remote NOT, THEN return 404.

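The matcher set described in the answer above, written out as an added example (not from the original posts). The hostname, upstream address and allowed range are placeholders, since the thread's own values are not shown.

```caddyfile
# Constructed example: vault.example.com, 10.0.0.10:8080 and 192.168.1.0/24
# are placeholders, not values from the thread.
vault.example.com {
	# Named matcher = matcher set; every matcher in it must match (AND).
	@admin_outside {
		# /admin itself plus everything beneath it, but not /administrator.
		path /admin /admin/*
		# True only when the connecting peer is outside the allowed range.
		not remote_ip 192.168.1.0/24
	}

	# respond sorts before reverse_proxy in Caddy's default directive
	# order, so a matching request gets the 404 and never reaches the
	# upstream, wherever this line sits in the site block.
	respond @admin_outside 404

	# All other requests, including /admin from the allowed range,
	# are proxied as before.
	reverse_proxy 10.0.0.10:8080
}
```

Running `caddy validate --config /etc/caddy/Caddyfile` before the reload checks the syntax without touching the running instance. As written, `remote_ip` compares against the address of the connecting peer, so the range must be the one Caddy itself sees after the router's port forwarding.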