caddy-security icon indicating copy to clipboard operation
caddy-security copied to clipboard
verified publisher icon greenpau

question: Lock authentication to specific IP addresses

Open Gunni opened this issue 1 year ago • 4 comments

I am using SAML auth with Entra ID/Azure AD, but I want to prevent anyone not on a specific IP (or multiple IPs/CIDRs) from trying to authenticate or access the webserver.

How can I do that?

Defense in depth.

I used to have something like

@blocked not remote_ip <ip1> <ip2> <ip3>
respond @blocked "Nope" 403

But then I added caddy-security and it stopped working. I can get exact config on Monday.

Gunni avatar Oct 05 '24 20:10 Gunni

@Gunni , not sure whether I understand the use case and how it is related to this plugin.

greenpau avatar Oct 05 '24 20:10 greenpau

Basically:

  1. check if user in in access list
  2. check saml/redirect user
  3. forward request to reverse proxy

In that order. Again if i need to post config, i can do it on Monday.

Gunni avatar Oct 05 '24 20:10 Gunni

In that order. Again if i need to post config, i can do it on Monday.

@Gunni , let's see your config.

greenpau avatar Oct 06 '24 17:10 greenpau

Here it is: https://gist.github.com/Gunni/c00b0eab5115eed846e04b66dfa85662

Gunni avatar Oct 08 '24 14:10 Gunni