Limit access to subdirectory

kocherjj · September 11, 2022, 7:16pm

1. Output of `caddy version`:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

I am using Caddy as a reverse proxy for a Vaultwarden instance running on a separate host at vault.thisdomain.net.

a. System environment:

Both Caddy and Vaultwarden are running in their own Ubuntu Server 20.04.4 LXC instances on a Proxmox 7.2 hypervisor behind an OpenBSD internet facing Router which is forwarding ports from external hosts and internal hosts on other subnets to the Caddy reverse proxy instance.

b. Command:

Caddy is set to autostart as a service. I can also use this command if the service is not already running.

caddy run

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

https://vault.thisdomain.net {
	log {
		level INFO
		format json
		output file /var/log/caddylogs/vault {
			roll_size 10MB
			roll_keep 10
		}
	}
	encode gzip
	reverse_proxy /notifications/hub/negotiate 10.20.30.40:8000
	reverse_proxy /notifications/hub 10.20.30.40:3012
	reverse_proxy 10.20.30.40:8000 {
		header_up X-Real-IP {remote_host}
	}
}

3. The problem I’m having:

What I want to do might not even be possible. I am hoping it is but haven’t found any examples of anyone trying to do it. Vaultwarden has a separate admin page available at vault.thisdomain.net/admin and for security reasons I would like regular requests to vault.thisdomain.net to continue working as they are but any request to vault.thisdomain.net/admin to get a page not found error or otherwise be blocked unless the request comes from a particular ip range such as 10.20.40.1/26.

4. Error messages and/or full log output:

5. What I already tried:

I have not tried anything yet because I am not sure what to try. I have done some google searching, and looked at the remote_ip request matcher in the documentation which seems like it should do what I need if it can be used in this way, but have not found anything that references working with a subdirectory rather than a subdomain so I don’t know what syntax to experiment with. Before I risk breaking the password manager I thought I should ask here if what I want to do is even possible first.

6. Links to relevant resources:

Whitestrake · September 14, 2022, 12:20am

It’s possible.

The remote_ip matcher is what you want.

You also want a path matcher to specify the directory. You can combine the two in a single named matcher and then use respond to instruct Caddy to return some error.

A named matcher definition constitutes a matcher set. Matchers in a set are AND’ed together; i.e. all must match. For example, if you have both a header and path matcher in the set, both must match.

—Request matchers (Caddyfile) — Caddy Documentation

The simple option would be to specify a matcher for the set of conditions that you want to reject, e.g. IF (path IS /admin) AND (remote NOT 10.20.40.1/26), THEN return 404.

system · October 11, 2022, 7:16pm

This topic was automatically closed after 30 days. New replies are no longer allowed.