Not able to make named matchers work

1. The problem I’m having:

There is an unauthenticated API I would like to protect with Caddy. I would like to be able to allow access if the request is either coming from a whitelisted IP address, or if a secret is provided in the Authorization header.

Here’s the Caddyfile I wrote to achieve this:

mydomain.example.com {

  @notAuthIP not client_ip 192.168.1.2 192.168.1.6

  @authHeader `{header.Authorization} == 'mysecret'`
  @notAuthHeader `{header.Authorization} != 'mysecret'`

  @notWhitelisted {
    @notAuthIP
    @notAuthHeader
  }
  
  handle @notWhitelisted {
    respond 403
  }

  handle @authHeader {
    reverse_proxy http://internal.example.com
  }
  
  handle {
    reverse_proxy http://internal.example.com
  }
}

2. Error messages and/or full log output:

When I try to validate my configuration, I get this error:

caddy validate --adapter caddyfile --config api.caddyfile
Error: adapting config using caddyfile: getting matcher module '@notAuthHeader': module not registered: http.matchers.@notAuthHeader

3. Caddy version:

caddy version 
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

I used the official method to install the caddy-stable repo on an up-to-date Debian 12.6 (x86_64).

This is the issue

Nested matchers aren’t supported. You will have to be explicit with the matcher here.

Oh my god thank you!
I ended up with this so I won’t have to maintain two IP addresses lists:

mydomain.example.com {

  @authHeader `{header.Authorization} == 'mysecret'`

  @notWhitelisted {
    not client_ip 192.168.1.2
    expression {header.Authorization} != 'mysecret'
  }
  
  handle @notWhitelisted {
    respond 403
  }

  handle @authHeader {
    reverse_proxy http://internal.example.com
  }
  
  handle {
    reverse_proxy http://internal.example.com
  }
}

You can do this:

@notWhitelisted `!client_ip('192.168.1.2') && {header.Authorization} != 'mysecret'`
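
Added example, not part of the thread: a shell check that the deny path in the configs above really denies, meant to be run from a host whose IP is not in the `client_ip` list. The helper names `status_for` and `check_policy` are hypothetical; the URL and secret are whatever the Caddyfile uses, and "allow" is taken to mean any status other than 403 (assuming the upstream itself never answers 403).

```shell
#!/bin/sh
# Added example (not from the thread). Run from a client that is NOT allowlisted.
# status_for and check_policy are hypothetical helper names.

# Print the HTTP status of a GET, optionally sending an Authorization header.
status_for() {
  local url="$1" auth="${2-}"
  if [ -n "$auth" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Authorization: $auth" "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' "$url"
  fi
}

# Return 0 only if every case behaves as the Caddyfile intends.
# The matcher compares the whole header value, so "Bearer <secret>" must be denied.
check_policy() {
  local url="$1" secret="$2" failures=0 got label auth want
  # Fields: case label | Authorization value | deny (403) or allow (not 403)
  while IFS='|' read -r label auth want; do
    got=$(status_for "$url" "$auth" </dev/null)
    if { [ "$want" = deny ] && [ "$got" != 403 ]; } ||
       { [ "$want" = allow ] && [ "$got" = 403 ]; }; then
      echo "FAIL: $label -> $got (wanted $want)" >&2
      failures=$((failures + 1))
    fi
  done <<EOF
no header||deny
wrong secret|not-$secret|deny
secret with scheme prefix|Bearer $secret|deny
exact secret|$secret|allow
EOF
  [ "$failures" -eq 0 ]
}

# Usage: check_policy https://mydomain.example.com mysecret && echo "policy OK"
```

From an allowlisted address every case returns the upstream's response, so the three deny cases are expected to fail there.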
