Possible to only prompt for client certificates on public WAN? (i.e. no client SSL on private LAN)

Currently I’m using a VPN to access my internal network from outside locations (i.e. mobile phone, etc). However, it’s a bit inconvenient to enable/disable the VPN whenever I need to access my home network.

It sounds like a reverse proxy with client certificates is a reasonable alternative. (I’m currently using Traefik as a simple reverse proxy with docker, but I don’t have much experience with client SSL).

Is it possible to set up Caddy as a reverse proxy where any connections from inside my local network do not prompt/force client SSL certificates? I’d like only connections from an outside network (i.e. mobile phone, etc) to prompt for the SSL certificate.


You can bind on different interfaces; the one that binds to an open interface should require certificate authentication; the one that binds to the internal interface does not require it:

example.com {
    bind # public IP here
    tls {
        # configure client auth here
    }
}

# different port, is annoying, not sure why we require that
example.com:1234 {
    bind # private IP here
    # no client auth
}

Requiring a different port is somewhat unfortunate.

For the record, what you are asking will be possible in Caddy 2 without any hacks and without needing to use different ports. Already got that part done (except the actual client auth; but the architecture supports it).

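A complete Caddy v1 Caddyfile for the two-listener layout described in the answer above, as an added example that is not from the original post or the Caddy project. It assumes the host has a public address 203.0.113.10 and a LAN address 192.168.1.10 (RFC 5737 documentation and RFC 1918 ranges used as placeholders), that the application being protected listens on localhost:8080, and that the CA you use to sign client certificates is stored at /etc/caddy/client-ca.pem; all three are assumptions, not values from the thread.

```caddyfile
# Public listener: bound to the WAN-facing address, so every connection
# must present a client certificate signed by the private CA.
example.com {
    bind 203.0.113.10                  # assumed public IP of the host
    tls {
        # "require" aborts the TLS handshake unless the client presents a
        # certificate that chains to this CA (CA file path is assumed).
        clients require /etc/caddy/client-ca.pem
    }
    proxy / localhost:8080 {           # assumed backend address
        transparent
    }
}

# LAN listener: bound only to the private interface, so it is never
# reachable from the internet and demands no client certificate.
# Caddy v1 needs a distinct port for this second block, as noted above.
example.com:1234 {
    bind 192.168.1.10                  # assumed LAN IP of the host
    proxy / localhost:8080 {
        transparent
    }
}
```

Two checks worth doing before trusting this: confirm the router does not forward port 1234 to the host, since `bind` limits which local interface Caddy listens on but does nothing about what the router exposes; and from the WAN run `curl https://example.com/` without a certificate (the handshake must fail) and then `curl --cert client.crt --key client.key https://example.com/` (it must succeed). LAN clients need example.com to resolve to 192.168.1.10 (split DNS or a hosts entry) and must use port 1234. Both site blocks carry the same hostname, so Caddy obtains one automatic certificate for it; the ACME challenge still has to reach the public listener on the standard ports.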
