
Bypass Auth for Internal Addresses

Open jjmoffitt opened this issue 2 years ago • 8 comments

I've got the authentication all set up and I am very happy with the protection it gives me. My only question is if it's possible for me to allow either an internal network to bypass the authentication or if I can somehow use certificates on my devices to auto auth? I looked through the documentation, and I saw some stuff that might be what I wanted, but I wasn't sure.

Thanks!

jjmoffitt avatar Nov 02 '22 16:11 jjmoffitt

is if it's possible for me to allow either an internal network to bypass the authentication or if I can somehow use certificates on my devices to auto auth?

@jjmoffitt, not at the moment. Currently, you can set up a bypass of auth for a specific URL, i.e. not based on the source of the HTTP request. See bypass uri at https://authp.github.io/docs/authorize/bypass

I long wanted to implement a network filter as part of this plugin. Perhaps it is time 😄

greenpau avatar Nov 07 '22 02:11 greenpau

I was able to bypass auth on the local network by using handles:

test.example.com {
        @internal_network {
                remote_ip 192.168.0.0/24
        }
        handle @internal_network {
                reverse_proxy destination:80
        }
        handle {
                authorize with adminpolicy
                reverse_proxy destination:80
        }
}

The internal network IPs will match the first handle, which doesn't have the authorize policy; all the others will match the second, which does.

CruzMarcio avatar Apr 20 '23 15:04 CruzMarcio

@CruzMarcio I also wanted to bypass auth on local network, by using handles, but I get this error: parsing caddyfile tokens for 'handle': directive 'authorize' is not an ordered HTTP handler, so it cannot be used here

ebigaignon avatar Jul 20 '23 12:07 ebigaignon

@CruzMarcio I also wanted to bypass auth on local network, by using handles, but I get this error: parsing caddyfile tokens for 'handle': directive 'authorize' is not an ordered HTTP handler, so it cannot be used here

Can you paste your Caddyfile here? Remove the private info like addresses or keys.

CruzMarcio avatar Jul 22 '23 01:07 CruzMarcio

{
        debug

        security {
                local identity store localdb {
                        realm local
                        path {env.HOME}/.local/caddy/users.json
                }
                authentication portal myportal {
                        crypto default token lifetime 14400
                        crypto key sign-verify {env.AUTHP_SHARED_KEY}
                        enable identity store localdb
                        cookie domain ...*.com
                        ui {
                                links {
                                        "Jellyfin" https://...*.com/jellyfin/ icon "las la-star"
                                        "Admins" https://...*.com/admins icon "las la-star"
                                        "Users" https://...*.com/users icon "las la-star"
                                        "My App" https://...*.com/myapp/
                                        "My Identity" "/whoami" icon "las la-user"
                                }
                        }
                        transform user {
                                match origin local
                                # require mfa
                                action add role authp/user
                                ui link "Portal Settings" /settings icon "las la-cog"
                        }
                }
                authorization policy users_policy {
                        set auth url https://....*.com/auth/
                        allow roles authp/admin authp/user
                        crypto key verify {env.AUTHP_SHARED_KEY}
                }
                authorization policy admins_policy {
                        set auth url https://...*.com/admins/
                        allow roles authp/admin
                        crypto key verify {env.AUTHP_SHARED_KEY}
                }
        }
}

(tls_config) {
        tls {
                dns gandi {env.GANDI_API_TOKEN}
        }
}

...*.com {
        import tls_config

        @internal {
                remote_ip 192.168.1.254 192.168.0.128/25
        }

        handle @internal {
                reverse_proxy 127.0.0.1:8096
        }

        handle {
                authenticate with myportal
                reverse_proxy 127.0.0.1:8096
        }

        log {
                output file /var/log/caddy/portal.log {
                        roll_size 10MiB
                        roll_keep 10
                        roll_keep_for 2160h
                }
        }
}

caddy[188083]: Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': directive 'authenticate' is not an ordered HTTP handler, so it cannot be used here

ebigaignon avatar Jul 22 '23 08:07 ebigaignon

handle {
        authenticate with myportal
        reverse_proxy 127.0.0.1:8096
}

Should be "authorize" not "authenticate"

handle {
        authorize with myportal
        reverse_proxy 127.0.0.1:8096
}

CruzMarcio avatar Jul 25 '23 01:07 CruzMarcio

It makes no difference at all. authorize or authenticate: "not an ordered HTTP handler, so it cannot be used here". I can use handle with a basic auth setup, no problem, but I wanted something more configurable, with session management.

ebigaignon avatar Jul 28 '23 06:07 ebigaignon

I just found out how to make it work. Great!

    @internal {
            remote_ip 192.168....
    }
    handle @internal {
            reverse_proxy 127.0.0.1:8096
    }
    route /auth/* {
            authenticate with myportal
    }
    route /jellyfin/* {
            authorize with users_policy
            reverse_proxy 127.0.0.1:8096
    }

ebigaignon avatar Jul 29 '23 07:07 ebigaignon
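Putting the thread's findings into one Caddyfile, as an added example that is not from the original thread or from the caddy-security project: it keeps the remote_ip bypass pattern and adds the global `order` lines that make `authorize` usable inside `handle` blocks, which is what the "not an ordered HTTP handler" error is about (`route` blocks, as in the last post, do not need them). The hostname and network range are placeholders, and `users_policy` is assumed to be defined in a `security { }` block like the one posted above.

```caddyfile
{
        # Plugin directives are not in Caddy's built-in directive order, so
        # they cannot appear inside handle {} until an order is declared.
        # With these two lines, handle {} works; route {} never needed them.
        order authenticate before respond
        order authorize before reverse_proxy
}

# Placeholder hostname; the security {} block defining users_policy is
# assumed to exist in the global options as in the Caddyfile above.
app.example.com {
        # remote_ip matches the TCP peer address. If another proxy sits in
        # front of Caddy, that peer is the proxy, not the real client, so the
        # bypass would apply to every request (or to none). Only use this
        # when clients connect to Caddy directly.
        @internal_network {
                remote_ip 192.168.0.0/24
        }

        # The first matching handle wins: internal clients skip the portal.
        handle @internal_network {
                reverse_proxy 127.0.0.1:8096
        }

        # Everyone else needs a valid token issued by the portal; unauthenticated
        # requests are redirected to the auth URL set in users_policy.
        handle {
                authorize with users_policy
                reverse_proxy 127.0.0.1:8096
        }
}
```

Run `caddy validate --config Caddyfile` after editing: it is the same adapt step that produced the error quoted above, so a missing `order` line shows up before reload.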