This is just a technical question as part of my research before doing anything.
1. The problem I’m having:
I want to define a user-specified cookie that is forwarded from the client (user) to the reverse proxy (Caddy) in order to gain access to some parts of the webapp.
To be straightforward and avoid the XY problem: I am reinforcing my homelab, so I am about to deploy Keycloak and expose it via a proxy (instance in AWS) so that clients (users) who use my services can log in via Keycloak instead of a per-app authentication method. Setting it up like this has some vulnerabilities, like any user potentially being able to reach the admin panel (they may be refused because they do not provide the right credentials, but still). I would like to restrict it using a secret cookie or header (or some sort of additional key) to prevent them from reaching such places in Keycloak. I found a module for Caddy that would select the backend server based on a cookie. Did someone set it up, and could you maybe share the config with me so I can have better insight into how things are set up?
2. Error messages and/or full log output:
None yet
3. Caddy version:
caddy-cloudflare:2.8.4 (in docker container)
4. How I installed and ran Caddy:
a. System environment:
Running on Docker version 26.1.4, build 5650f9b via Portainer 2.27.0-rc3 LTS
b. Command:
c. Service/unit/compose file:
```yaml
version: '3.3'
services:
  caddy:
    image: iarekylew00t/caddy-cloudflare:2.8.4
    restart: unless-stopped
    container_name: caddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/docker/docker_caddy/caddy:/etc/caddy
      - /home/docker/docker_caddy/site:/srv
      - /home/docker/docker_caddy/caddy_data:/data
      - /home/docker/docker_caddy/caddy_config:/config
    environment:
      CLOUDFLARE_API_TOKEN: "REDACTED"
    networks:
      - caddy
networks:
  caddy:
    name: proxy
```
d. My complete Caddy config:
```
{
	debug
	email my_email@gmail.com
}

immich.dashrave.eu {
	reverse_proxy 10.19.3.29:5436
}

*.internal.dashrave.eu {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	@services host services.internal.dashrave.eu
	handle @services {
		reverse_proxy 10.19.3.29:1324
	}
}
```
5. Links to relevant resources:
This is the module I found that can potentially help me reach what I need to do.
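One way to gate the Keycloak admin console behind a secret cookie with built-in Caddy matchers, as an added example that is not the poster's config and not from the module linked above. It assumes Keycloak listens on 10.19.3.29:8080 (hypothetical port) under the hostname auth.internal.dashrave.eu, that its admin console and admin REST API live under /admin/* (the Keycloak default), and that the cookie name kc_gate and the placeholder secret are ones you choose yourself.

```caddyfile
# Added example, not the original poster's Caddyfile.
# Assumed: Keycloak at 10.19.3.29:8080, admin paths under /admin/*,
# a cookie named kc_gate carrying a long random value (e.g. from
# `openssl rand -hex 32`) that is set only in trusted browsers.
auth.internal.dashrave.eu {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Matches admin requests that do NOT carry the gate cookie.
	# header_regexp checks the raw Cookie header, so the cookie can
	# sit anywhere in the "a=b; c=d" list.
	@admin_without_key {
		path /admin/*
		not header_regexp Cookie (^|; )kc_gate=REPLACE_WITH_SECRET(;|$)
	}

	# Answer as if the admin console did not exist; regular users never
	# need it, and the real login still happens inside Keycloak.
	handle @admin_without_key {
		respond "Not found" 404
	}

	# Everything else (realm logins, OIDC endpoints, and admin requests
	# that do carry the cookie) is proxied to Keycloak. reverse_proxy
	# sets X-Forwarded-For/Proto/Host automatically.
	handle {
		reverse_proxy 10.19.3.29:8080
	}
}
```

The cookie only hides the admin console from casual visitors; it does not replace the admin credentials, so keep Keycloak's own authentication in place and rotate the secret if a browser that holds it is lost.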