Require authentication based on request IP?

Spitballing here, but what about using:

  • Two subdomains
  • redir 302’s with if statements based on the {remote} placeholder
  • Shuffle 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 to the correct vhost
  • Blanket basicauth on the “external” subdomain

Messy, but should work. Use {>X-Remote-IP} instead if you’ve got Caddy behind another proxy.

Replace the private IPs with whatever you want to discriminate by, just make sure you know your if_op setting.

1 Like