Spitballing here, but what about using:
- Two subdomains
-
redir 302’s with
ifstatements based on the {remote} placeholder - Shuffle 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 to the correct vhost
- Blanket
basicauthon the “external” subdomain
Messy, but should work. Use {>X-Remote-IP} instead if you’ve got Caddy behind another proxy.
Replace the private IPs with whatever you want to discriminate by, just make sure you know your if_op setting.