
breakfix: Auth and rate limiting

Open · drake9696 opened this issue 5 months ago • 2 comments

**Describe the issue**

I am trying to get caddy to limit auth attempts to mitigate brute force and bots.

**Configuration**

Paste full Caddyfile below:

```
{
	http_port 8080
	https_port 8443

	order authenticate before respond
	order authorize before basicauth
}

security {
	local identity store sd_users {
		realm "Stable Diffusion"
		path /path/to/your/users.json
	}

	authentication portal sd_portal {
		cookie domain sd.riftz.duckdns.org
		crypto key sign-verify your-very-long-jwt-secret-here
		enable identity store sd_users

		ui {
			links {
				"Launch SD" /
			}
		}

		security {
			login_rate_limit {
				zone login_throttle
				key username
				events 3
				duration 1m
				ban_duration 2m
			}
		}

		transform user {
			match origin local
			action add role authenticated
		}
	}

	authorization policy sd_policy {
		set auth url https://sd.riftz.duckdns.org
		allow roles authenticated
		crypto key verify your-very-long-jwt-secret-here
		acl rule {
			match role authenticated
			allow stop
		}
		acl rule {
			match any
			deny
		}
	}
}

sd.riftz.duckdns.org {
	tls /path/to/server.crt /path/to/server.key

	route {
		authenticate with sd_portal
		authorize with sd_policy

		reverse_proxy http://192.168.1.6:7860 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
```

Running the exe from a folder in Windows.

**Version Information**

v2.10.0

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

```
caddy list-modules --versions | findstr /R "auth security"
http.authentication.hashes.bcrypt v2.10.0
http.authentication.providers.http_basic v2.10.0
http.handlers.authentication v2.10.0
tls.client_auth.verifier.leaf v2.10.0
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
```


**Expected behavior**

Just a simple login window that will block the user's IP after too many attempts.

**Additional context**

I had this working with the basic rate limiter, but I had to set the limits really high since it was looking at all incoming connections and not specifically at login attempts. Sorry, I'm really new to Caddy and reverse proxies but have been trying with the "help" of ChatGPT for over a week ;(

drake9696 · Jul 18 '25 21:07
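The semantics the posted `login_rate_limit` block was reaching for (count only failed logins, allow `events 3` inside `duration 1m`, then lock the key out for `ban_duration 2m`) can be shown stand-alone. The Python below is an added example written for this page; it is not caddy-security code and not a Caddy directive. The `LoginThrottle` class, the `simulate` helper, the usernames and the client addresses are all constructed here, to show the difference between keying the limit by username and by client IP, and why a limiter that counts every proxied request forces the thresholds up.

```python
"""Sliding-window login throttle with a temporary ban.

Added example for the issue above, not caddy-security code. It tracks only
failed login attempts, so ordinary proxied requests never count against the
limit, which is the difference the reporter saw with a general rate limiter.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class LoginThrottle:
    events: int = 3             # failed attempts tolerated inside `duration`
    duration: float = 60.0      # sliding window, seconds (the posted "1m")
    ban_duration: float = 120.0  # lockout after the window fills (the posted "2m")
    _failures: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    _banned_until: Dict[str, float] = field(default_factory=dict)

    def is_banned(self, key: str, now: float) -> bool:
        """True while `key` is inside its ban; expired bans are dropped."""
        until = self._banned_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[key]
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Record one failed login for `key`; return True if it is now banned."""
        if self.is_banned(key, now):
            return True
        window = self._failures[key]
        window.append(now)
        # Drop failures that have aged out of the sliding window.
        while window and now - window[0] >= self.duration:
            window.popleft()
        if len(window) >= self.events:
            self._banned_until[key] = now + self.ban_duration
            window.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login resets the failure history for `key`."""
        self._failures.pop(key, None)


# Constructed sample attempt log: (seconds, username, client_ip, password_ok).
# Two usernames share one address, which is where the choice of key matters.
ATTEMPTS: List[Tuple[float, str, str, bool]] = [
    (0.0, "alice", "203.0.113.5", False),
    (5.0, "alice", "203.0.113.5", False),
    (9.0, "alice", "203.0.113.5", False),   # third failure -> ban
    (10.0, "bob", "203.0.113.5", False),    # same IP, different user
    (12.0, "alice", "203.0.113.5", True),   # right password, still banned
    (131.0, "alice", "203.0.113.5", True),  # ban (9 + 120 s) has expired
]


def simulate(attempts, key_by: str = "username") -> List[str]:
    """Run the attempts through one throttle, keyed by username or by IP."""
    throttle = LoginThrottle()
    outcomes = []
    for t, user, ip, ok in attempts:
        key = user if key_by == "username" else ip
        if throttle.is_banned(key, t):
            outcomes.append("banned")
        elif ok:
            throttle.record_success(key)
            outcomes.append("ok")
        elif throttle.record_failure(key, t):
            outcomes.append("banned")
        else:
            outcomes.append("fail")
    return outcomes


if __name__ == "__main__":
    print("by username:", simulate(ATTEMPTS, "username"))
    print("by ip:      ", simulate(ATTEMPTS, "ip"))
```

Keyed by username, bob's attempt at t=10 is just a first failure for bob; keyed by IP it is rejected outright because the shared address is already banned. That is the trade-off behind the `key` choice: a per-username key lets one address cycle through many accounts, while a per-IP key lets one noisy client (or one attacker behind a shared NAT) lock out everyone on that address, so production limiters usually combine both.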

The “login_rate_limit” is not something that exists. Is this a new feature you are asking for?

greenpau · Jul 19 '25 15:07

Sorry, it looks like I may have posted in the wrong place then. I am pretty new to all this. I have got Caddy set up as the reverse proxy using basic auth, but I want to prevent brute force attempts, and that is the part I can't get working. Do you know if there is already a module available if yours doesn't do that? Or is it possible to get it added to yours?

drake9696 · Jul 20 '25 17:07