I’m wondering if there is a way to stop bots from brute-forcing the login: a user will log in from /secure-url, which is rewritten by Caddy, and when the form posts to /actual-url, how does Caddy detect the referrer header and /secure-url and accept it?
Hi @Winson! Matchers are very powerful and can pretty easily achieve what you’ve indicated.
It sounds to me like you want to have authorised users send POST requests for a specific URL with their Referer [sic] containing an expected value (the secure url path). More specifically, you want to DENY any POST requests to that location that don’t have the value.
There are a few checks here you need:
- method is POST
- path is /actual-url
- NOT ( Referer has /secure-url )
Once you’ve got a matcher that filters those requests, you can respond however you like! 404 Not Found, or maybe 403 Forbidden?
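The three checks above written as a Caddy v2 named matcher, as an added example that is not part of the original thread. The site address example.com, the matcher name @unreferred_login and the backend address are assumptions.

```caddyfile
# Constructed example: example.com and localhost:8080 are placeholders.
example.com {
	# All lines inside a named matcher are AND-ed together, so this
	# matches only requests that satisfy all three checks.
	@unreferred_login {
		method POST
		path /actual-url
		# "*value*" is a substring match on the header value.
		# A request with no Referer header at all fails the inner
		# match, so the "not" makes it match here and it is denied too.
		not header Referer */secure-url*
	}

	# Answer the filtered requests directly; they never reach the backend.
	respond @unreferred_login 403

	# Everything else goes to the application (placeholder upstream).
	reverse_proxy localhost:8080
}
```

The Referer header is supplied by the client, so this check only stops clients that do not set it to the expected value.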