V2: basicauth + ip-based whitelisting

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

caddy run --config /srv/caddy/Caddyfile --adapter caddyfile

a. System environment:

macOS

d. My complete Caddyfile or JSON config:


3. The problem I’m having:

I need to reverse proxy a backend service (Jenkins). All users should be required to provide a basic auth login but some IP-ranges should be able to bypass this.

It’s not possible for me to implement another virtual host and to split both “views”.

With nginx there is a “satisfy” command available that solves this problem.

For v1 there was once a PR that was never merged. In this issue a solution for v2 based on routing was held out in prospect.

4. Error messages and/or full log output:

5. What I already tried:

Here is my attempt:

https://jenkins.example.com {

  # default
  reverse_proxy / jenkins.intranet.example.com:8080 {
    basicauth / {
      Bob JDJhJDEwJEVCNmdaNEg2Ti5iejRMYkF3MFZhZ3VtV3E1SzBWZEZ5Q3VWc0tzOEJwZE9TaFlZdEVkZDhX
    }
    header_up -Authorization
  }
  
  # subnets with bypass access
  @jenkinsauthenticated {
     remote_ip 10.0.2.0/24
     remote_ip 10.1.2.0/24
     remote_ip 10.2.2.0/24
  }
    
  reverse_proxy @jenkinsauthenticated jenkins.intranet.example.com:8080 {
    header_up -Authorization
  }
}

which leads to the error:

Error during parsing: unrecognized subdirective basicauth

What am I doing wrong?

Just like the error says: you have basicauth inside reverse_proxy, but basicauth is not a subdirective of reverse_proxy: reverse_proxy (Caddyfile directive) — Caddy Documentation

This page describes the Caddyfile structure: Caddyfile Concepts — Caddy Documentation

So it’s not possible?

It is possible, you just structured your Caddyfile incorrectly.

Ok, thought it was easy with v2 but clearly your brusque answers suggest it isn’t.

It is pretty easy, you just need to take a closer look at the documentation.

Here’s a few hints:

In Caddy v2, path matching is exact, so reverse_proxy / jenkins.intranet.example.com:8080 will only match requests to the root of your site. Instead, you should omit the / which is the same as specifying * as the matcher (i.e. any path). If you need a prefix-match, then you would do /prefix/*.

basicauth is a standard Caddy directive. It needs to be at the same level as reverse_proxy, not within it (subdirectives go within directives).

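As an added example (not posted in this thread and not the Caddy project's own code), here is one Caddyfile that applies those hints using v2.0.0 syntax: basicauth sits beside reverse_proxy rather than inside it, the path matcher is dropped so every path is proxied, and a named matcher negates the bypass subnets so only addresses outside them are challenged. The hostnames, subnets and password hash are the original poster's; the matcher name @needsauth is assumed.

```caddyfile
https://jenkins.example.com {
  # Named matcher (name assumed): true for any client NOT in the bypass subnets.
  # The block form of "not" is the syntax accepted by v2.0.0; later releases
  # also accept the single-line "not remote_ip ..." form.
  @needsauth {
    not {
      remote_ip 10.0.2.0/24 10.1.2.0/24 10.2.2.0/24
    }
  }

  # basicauth is a top-level directive. Caddy's default directive order runs
  # it before reverse_proxy, so unauthenticated outside clients get a 401
  # and never reach the backend.
  basicauth @needsauth {
    Bob JDJhJDEwJEVCNmdaNEg2Ti5iejRMYkF3MFZhZ3VtV3E1SzBWZEZ5Q3VWc0tzOEJwZE9TaFlZdEVkZDhX
  }

  # No path matcher: "/" would match only the site root, omitting it means "*".
  # The bypass subnets and authenticated users share this one route.
  reverse_proxy jenkins.intranet.example.com:8080 {
    # Do not forward the browser's credentials to Jenkins.
    header_up -Authorization
  }
}
```

The remote_ip bypass is only as trustworthy as the address Caddy sees: if a load balancer sits in front, or if your Caddy release consults X-Forwarded-For for this matcher (some early v2 releases did), a client can present a header that places it inside a bypass subnet, so confirm that behaviour for your version before relying on it.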

I’m intentionally not giving the copy+paste solution here because I’m trying to help our users learn how the software works. It’s a very simple fix, and it definitely is possible, with a slight change to your config. All it takes is a little understanding from the docs. :+1:

If you still can’t figure it out after trying for a few hours (hint: it should only take a few minutes of docs reading + a few seconds to make the change), then definitely come back and ask about what is still unclear, and we’ll help.

