Require authentication based on request IP?

Hi all,
I’m in the process of replacing my nginx reverse proxy with caddy. So far, something I haven’t been able to figure out how to do is require authentication based on the requesting host’s IP address. In nginx, the server entry would look something like this:

    server {
        listen 443;
        server_name service.domain.com;
        location / {
            proxy_pass https://servicehost/;
            proxy_redirect off;
            # satisfy any: access is granted if EITHER the IP rules
            # OR basic auth succeeds
            satisfy any;
            allow 10.0.0.0/8;
            deny all;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }

In caddy though, I can’t figure out how to do this. I know how to use basicauth and ipfilter, but I can’t figure out how to combine them. Is there a way I can cascade these with a sort of if/else setup? Right now I’m using two different subdomains and two sets of directives, but that’s not optimal. I’ve tried duplicating the same directive with different settings, but that fails, which is to be expected.

Thanks!

I’d be very interested in this as well, for what seems to be the same reason (Sites available internally without auth, externally requiring it).

Spitballing here, but what about using:

  • Two subdomains
  • redir 302’s with if statements based on the {remote} placeholder
  • Shuffle 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 to the correct vhost
  • Blanket basicauth on the “external” subdomain

Messy, but should work. Use {>X-Remote-IP} instead if you’ve got Caddy behind another proxy.

Replace the private IPs with whatever you want to discriminate by, just make sure you know your if_op setting.

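The decision this thread is trying to express, written out as an added Python example (not part of any post and not Caddy's own code): internal addresses skip authentication, everyone else needs it, and a forwarded header such as X-Remote-IP is honoured only when the connection comes from a known proxy. The `TRUSTED_PROXIES` address and all function names are assumptions; the last function shows how a plain string-prefix comparison on the address differs from real CIDR matching.

```python
import ipaddress

# Ranges named in the thread; adjust to whatever counts as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical front proxy that is allowed to set X-Remote-IP.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def client_ip(peer, x_remote_ip=None):
    """Return the address to judge the request by, or None if unusable.

    The header is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could claim an internal address.
    """
    peer_addr = ipaddress.ip_address(peer)
    if x_remote_ip and _in_any(peer_addr, TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(x_remote_ip.strip())
        except ValueError:
            return None  # malformed header from the proxy: fail closed
    return peer_addr


def requires_auth(peer, x_remote_ip=None):
    """nginx 'satisfy any' semantics: an internal IP skips basic auth."""
    addr = client_ip(peer, x_remote_ip)
    return addr is None or not _in_any(addr, INTERNAL_NETS)


def prefix_requires_auth(remote, prefixes=("10", "172.1", "192.168")):
    """Naive string-prefix check, the way a starts_with condition behaves."""
    return not remote.startswith(prefixes)
```

The prefix version treats 100.64.0.1 and 172.1.2.3 as internal and 172.20.0.1 as external, which is why prefixes need to be written carefully (for example `10.` with the trailing dot) or replaced by CIDR matching.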

That’s an interesting idea. I’ll take a stab at it and let you know how it turns out.
