Login from a designated url

I’m thinking if I could have a way to avoid bot from brute force login that a user will login from /secure-url which is rewrite by Caddy and when post to the /actual-url, how do Caddy detect the referrer header and /secure-url and accept it?

Direct post to actual-url will return an error?

Hi @Winson! Matchers are very powerful and can pretty easily achieve what you’ve indicated.

It sounds like to me you want to have authorised users send POST requests for a specific URL with their Referer [sic] containing an expected value (the secure url path). More specifically, you want to DENY any POST requests to that location that don’t have the value.

There’s a few checks here you need:

  • method is POST
  • path is /actual-url
  • NOT ( Referer has /secure-url )

Once you’ve got a matcher that filters those requests, you can respond however you like! 404 Not Found, or maybe 403 Forbidden?

https://caddyserver.com/docs/caddyfile/matchers#path
https://caddyserver.com/docs/caddyfile/matchers#method
https://caddyserver.com/docs/caddyfile/matchers#header
https://caddyserver.com/docs/caddyfile/matchers#not
https://caddyserver.com/docs/caddyfile/directives/respond

1 Like