Require authentication based on request IP?

Hi all,
I’m in the process of replacing my nginx reverse proxy with caddy. So far, something I haven’t been able to figure out how to do is require authentication based on the requesting host’s IP address. In nginx, the server entry would look something like this:

 server {
     listen 443;
     location / {
             proxy_pass https://servicehost/;
             proxy_redirect off;
             satisfy any;
             deny all;
             auth_basic "Restricted";
             auth_basic_user_file /etc/nginx/.htpasswd;

In caddy though, I can’t figure out how to do this. I know how to use basicauth and ipfilter, but I can’t figure out how to combine them. Is there a way I can cascade these with a sort of if/else setup? Right now I’m using two different subdomains and two sets of directives, but that’s not optimal. I’ve tried duplicating the same directive with different settings, but that fails, which is to be expected.


I’d be very interested in this as well, for what seems to be the same reason (Sites available internally without auth, externally requiring it).

Spitballing here, but what about using:

  • Two subdomains
  • redir 302’s with if statements based on the {remote} placeholder
  • Shuffle, or to the correct vhost
  • Blanket basicauth on the “external” subdomain

Messy, but should work. Use {>X-Remote-IP} instead if you’ve got Caddy behind another proxy.

Replace the private IPs with whatever you want to discriminate by, just make sure you know your if_op setting.

1 Like

That’s an interesting idea. I’ll take a stab at it and let you know how it turns out.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.