There is a 2 year old closed question on this same topic that does not look to be resolved:
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
I am migrating from NGINX and I had a very simple setup to authenticate the static support pages I had via my existing Rails Devise authentication:
location /support {
    auth_request /auth;
    auth_request_set $auth_status $upstream_status;
    error_page 403 https://$host;
}
/auth from my site returns :ok if logged in. The static files are then only served to authenticated users.
Looking to do the same thing with Caddy.
There’s no built-in support for that in Caddy (yet). None of the maintainers have needed the feature and nobody has contributed it yet.
It’s possible that @greenpau’s auth plugins might support this, but I haven’t played around with them to know if it would support this exact use case or not.
🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAM...
Hmmm… it might - here is the example:
{
    security {
        authorization policy mypolicy {
            set auth url https://auth.myfiosgateway.com/
            crypto key verify {env.JWT_SECRET}
            allow roles authp/admin authp/user
        }
    }
}
www.myfiosgateway.com {
    authorize with mypolicy
    root * {env.HOME}/public_html
    file_server
}
Is it as simple as this (for my case):
{
    security {
        authorization policy mypolicy {
            set auth url https://myfiosgateway.com/auth
            allow roles authp/user
        }
    }
}
www.myfiosgateway.com {
    authorize with mypolicy
    root * {env.HOME}/support
    file_server
}
matt (Matt Holt) January 21, 2022, 7:52pm
I wonder if reverse_proxy with handle_response could be used to wrangle a solution…

@matt Unfortunately not because the original request body can’t be reused for the new attempt in handle_response.
greenpau (Paul G.) January 21, 2022, 10:42pm
@dantappin, basically you need exactly that authorize with policy. Here is an example config caddy_security_local.Caddyfile · GitHub
You just need to change respond to the file_server.
If running into problems, open Sign in to GitHub · GitHub
greenpau (Paul G.) January 21, 2022, 11:46pm
@dantappin, I personally prefer more control over routes. So, I use route in this way.
When I browse to fileserver.myfiosgateway.com/app, I get the stuff in /var/lib/gatekeeper directory.
fileserver.myfiosgateway.com {
    route /app/* {
        authorize with app_policy
        uri strip_prefix /app
        file_server {
            root /var/lib/gatekeeper
            browse
        }
    }
}
Thanks @greenpau !
IMO configs are cleaner without route, so I recommend using the order global option instead to set the order of the plugin’s directives.
In this case it also means you can use handle_path instead to avoid the uri strip_prefix line.
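The last suggestion above (the order global option plus handle_path instead of route and uri strip_prefix), written out as an added example that is not from any poster in this thread or from the plugin's own documentation. It reuses the policy body, hostname and root path already shown in the thread and the /support path from the original NGINX config; the directive named after "before" in the order line is an assumption.

```caddyfile
{
	# Assumption: placing authorize before basicauth puts it ahead of
	# file_server in Caddy's directive order, so no route block is needed.
	order authorize before basicauth

	security {
		authorization policy mypolicy {
			# Policy body copied from the example earlier in the thread.
			set auth url https://auth.myfiosgateway.com/
			crypto key verify {env.JWT_SECRET}
			allow roles authp/admin authp/user
		}
	}
}

www.myfiosgateway.com {
	# handle_path matches /support/* and strips the /support prefix before
	# the directives inside it run, replacing the "uri strip_prefix" line.
	handle_path /support/* {
		# Runs before file_server because of the global order option.
		authorize with mypolicy
		root * {env.HOME}/support
		file_server
	}
}
```

After reloading, request a file under /support/ without a valid session and confirm that the file body is not served.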
system (system) Closed February 20, 2022, 7:20pm
This topic was automatically closed after 30 days. New replies are no longer allowed.