Currently I’m using a VPN to access my internal network from outside locations (e.g. mobile phone, etc.). However, it’s a bit inconvenient to enable/disable the VPN whenever I need to access my home network.
It sounds like a reverse proxy with client certificates is a reasonable alternative. (I’m currently using Traefik as a simple reverse proxy with Docker, but I don’t have much experience with client SSL.)
Is it possible to set up Caddy as a reverse proxy where any connections from inside my local network do not prompt/force client SSL certificates? I’d like only connections from an outside network (e.g. mobile phone, etc.) to prompt for the SSL certificate.
You can bind to different interfaces; the one that binds to an open interface should require certificate authentication; the one that binds to the internal interface does not require it:
```caddyfile
example.com {
    bind 1.2.3.4 # public IP here
    tls {
        # configure client auth here
    }
}

# different port, which is annoying; not sure why we require that
example.com:1234 {
    bind 10.0.0.5 # private IP here
    # no client auth
}
```
Requiring a different port is somewhat unfortunate.
For the record, what you are asking will be possible in Caddy 2 without any hacks and without needing to use different ports. Already got that part done (except the actual client auth; but the architecture supports it).
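To make the two-bind design above concrete at the TLS level, here is an added, self-contained example in Go (Caddy's own language) using only the standard library. It is not code from the thread or from Caddy: `net/http/httptest` stands in for the two Caddy binds, and the CA name `home-ca`, the server name `example.com`, the client name `phone`, and the loopback address are all assumptions made for the demo. It builds a throwaway private CA, issues a server certificate and one client certificate from it, starts one listener that requires and verifies a client certificate (the public bind) and one that does not (the internal bind), and then checks the three cases a practitioner would want to see: the public listener rejects a handshake with no client certificate, accepts the CA-issued one and learns its CN, and the internal listener serves without any client certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate for cn, self-signed when parent is nil (our private CA) and
// otherwise signed by parent. It panics on failure: this is a throwaway demo PKI.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der) // we just produced it, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trust returns a pool holding only ca: the client's RootCAs and the server's ClientCAs.
func trust(ca tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }

// startListener models one Caddy bind. requireClient=true is the public listener: the handshake
// fails unless the client presents a cert chaining to ca. The handler echoes the client CN.
func startListener(server, ca tls.Certificate, requireClient bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		who := "anonymous"
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			who = r.TLS.PeerCertificates[0].Subject.CommonName
		}
		fmt.Fprint(w, who)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: trust(ca)}
	if requireClient {
		srv.TLS.ClientAuth = tls.RequireAndVerifyClientCert // the internal bind keeps the default NoClientCert
	}
	srv.StartTLS()
	return srv
}

// fetch does one GET trusting only ca and offering certs as the client certificate (nil for
// none). A handshake the server rejects comes back as a non-nil error.
func fetch(url string, ca tls.Certificate, certs []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trust(ca), Certificates: certs}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := hc.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the PKI, starts both binds and runs the three checks: public without a client
// cert (expect an error), public with one (expect "phone"), internal without one (expect "anonymous").
func Demo() (publicNoCert error, publicCN, internalCN string, err error) {
	ca := issue("home-ca", true, nil)
	server := issue("example.com", false, &ca)
	phone := issue("phone", false, &ca)
	public := startListener(server, ca, true)
	defer public.Close()
	internal := startListener(server, ca, false)
	defer internal.Close()
	_, publicNoCert = fetch(public.URL, ca, nil)
	if publicCN, err = fetch(public.URL, ca, []tls.Certificate{phone}); err != nil {
		return
	}
	internalCN, err = fetch(internal.URL, ca, nil)
	return
}

func main() { fmt.Println(Demo()) }
```

The point to carry over to the Caddyfile is in `startListener`: the only difference between the two binds is `ClientAuth`, and the trust anchor is your own CA, not a public one, so only certificates you issued (for the phone, the laptop, and so on) get through the public bind. Before relying on it, run the same three checks against the real Caddy with `curl` (with and without `--cert`/`--key`) from outside and from inside; the outside request without a certificate should fail at the TLS handshake, not with an HTTP error page.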