
IP whitelist in basicauth plugin #1891

Closed
mdcollins05 opened this issue Sep 23, 2017 · 9 comments

4 participants
@mdcollins05

commented Sep 23, 2017

What I'm hoping for is a way to add an IP range so that internal users (requests from the LAN network) bypass basic auth while external requests are required to authenticate.

I've done this on nginx and it was quite nice to have. The plugin should pay attention to the X-Forwarded-For IP address, if it exists; otherwise there may be a way to bypass auth depending on how the request comes in.

I'm really loving Caddy and have even converted a couple of people to use it, due to the ease it provides. Thanks!

@mholt

Member

commented Sep 23, 2017

Thanks, glad you like using Caddy.

Do you think there's a way to do this with a plugin currently? I know some plugins are related to IP addresses and auth.

@mdcollins05

Author

commented Sep 26, 2017

I've taken a look at the plugins within the Caddy documentation and it doesn't seem that any could do so without writing or running some sort of backend authentication service to do the work. For my own home use, that would be over the top.

Not being familiar enough with the Caddy code, I'm not sure how simple of a request this is.

@mholt

Member

commented Sep 26, 2017

Maybe better is to set up a site like this:

example.com {
    # Public hostname: every request here must authenticate.
    proxy / backend:1234
    basicauth / user pass
}

192.168.1.3:80 {
    # LAN-only site bound to the internal interface address; no auth.
    bind 192.168.1.3
    proxy / backend:1234
}

Or something. The point is, have two sites that listen on different interfaces: the LAN interface and the global one.

@mdcollins05

Author

commented Oct 10, 2017

Honestly, that makes things more complicated than I'd like. It'd require me to enter in the correct name/IP based on location and wouldn't scale for more than a single name on a host.

@mholt

Member

commented Oct 10, 2017

I think you'll have to be more specific with what you want, then. To me, this is an elegant solution, and scalability was never mentioned before.

@gucki

commented Oct 12, 2017

I was looking for this too. Basically it should be possible to combine different authentication schemes.

For example, allow users from certain countries automatically using the ipfilter plugin and require basic auth for others. Of course it is not 100% secure then (e.g. a faked IP address), but it's good basic protection in some scenarios.

@mholt

Member

commented Oct 12, 2017

I think the best way to solve this would be to have more powerful request matching in the Caddyfile, including the ability to conditionally apply a middleware based on an IP range in a header. It's on our TODO list. I'll add this use case specifically...

@agrrh

commented Jan 2, 2018

Looking for this feature too!

It's not always fine to set up 2 sites. Sometimes you would like to close a resource from the outer world but let someone take a look: some legacy software w/o auth support, grandpa, etc.

I also suggest a couple of questions to think about:

  • Should the basicauth plugin have an option like allow_cidr, or should it be combined somehow with ipfilter plugin rules?
  • Which policy should be the default: allow if either auth or IP passed, or only if both are satisfied? I've seen both of those cases in real life.

Thanks for great web server though!
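
Two points in this thread deserve a concrete check: the X-Forwarded-For caveat in the opening post (an IP bypass is only safe if the header is trusted solely from a known proxy) and the "either/both" policy question in the comment above. The following Go program is an added example written for this page, not Caddy's code and not anything a participant posted; `Guard`, `NewLANGuard`, `Status`, the 192.168.1.0/24 LAN range, the 10.0.0.1 proxy and the `user`/`pass` credentials are all constructed for the demo. It shows the one rule that makes an IP allowlist meaningful behind a proxy: ignore X-Forwarded-For unless the direct peer is the trusted proxy, and then take the right-most address that is not a proxy, because everything to its left is client-supplied.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Policy says how the IP allowlist combines with basic auth.
type Policy int

const (
	AnyOf Policy = iota // pass if on the allowed network OR credentials are valid
	AllOf               // pass only if on the allowed network AND credentials are valid
)

// Guard is a hypothetical basic-auth guard (not Caddy's); one range each keeps it short.
type Guard struct {
	Allowed      *net.IPNet        // clients here may skip basic auth
	TrustedProxy *net.IPNet        // the only peer whose X-Forwarded-For we believe
	Users        map[string]string // username -> password (plaintext only for the demo)
	Policy       Policy
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// clientIP returns the address to test against Allowed. X-Forwarded-For is used
// only when the direct peer is the trusted proxy, and then only its right-most
// entry that is not the proxy itself; missing or malformed data yields nil (fail closed).
func (g *Guard) clientIP(r *http.Request) net.IP {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // servers always set host:port here
	peer := net.ParseIP(host)
	if peer == nil || !g.TrustedProxy.Contains(peer) {
		return peer // untrusted peer: the header is ignored entirely
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return nil
		}
		if !g.TrustedProxy.Contains(ip) {
			return ip
		}
	}
	return nil
}

func (g *Guard) credsValid(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	want, found := g.Users[user]
	// Constant-time compare; a real deployment would store bcrypt hashes instead.
	return ok && found && subtle.ConstantTimeCompare([]byte(pass), []byte(want)) == 1
}

// Allow applies the configured policy to one request.
func (g *Guard) Allow(r *http.Request) bool {
	ip := g.clientIP(r)
	onLAN := ip != nil && g.Allowed.Contains(ip)
	if g.Policy == AllOf {
		return onLAN && g.credsValid(r)
	}
	return onLAN || g.credsValid(r)
}

// NewLANGuard builds a guard from constructed sample values (assumptions, not real hosts).
func NewLANGuard(p Policy) *Guard {
	return &Guard{
		Allowed:      cidr("192.168.1.0/24"),
		TrustedProxy: cidr("10.0.0.1/32"),
		Users:        map[string]string{"user": "pass"},
		Policy:       p,
	}
}

// Status returns the HTTP status (200 or 401) a synthetic request would get.
func Status(g *Guard, remoteAddr, xff, user, pass string) int {
	req := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	if g.Allow(req) {
		return http.StatusOK
	}
	return http.StatusUnauthorized
}

func main() {
	g := NewLANGuard(AnyOf)
	fmt.Println(Status(g, "192.168.1.50:4321", "", "", ""))            // 200: LAN peer
	fmt.Println(Status(g, "203.0.113.9:4321", "192.168.1.50", "", "")) // 401: forged header from an untrusted peer
	fmt.Println(Status(g, "10.0.0.1:4321", "192.168.1.50", "", ""))    // 200: header added by the trusted proxy
}
```

The AllOf policy is the "both" variant from the question above: a LAN client still has to log in, and a valid login from outside is still refused. Note that a trusted proxy that forwards no X-Forwarded-For at all also gets no bypass; failing closed there is deliberate.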

@mholt

Member

commented May 9, 2019

This will be possible with Caddy 2's improved routing design.

@mholt mholt closed this May 9, 2019

@mholt mholt added this to the 2.0 milestone May 9, 2019
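
The closing comment points at Caddy 2's routing; for readers landing here from a search, the following Caddyfile is an added example of what that looks like in Caddy 2, not configuration from this thread or from the Caddy project. The hostnames, the 192.168.1.0/24 range and `backend:1234` are placeholders, and `<bcrypt-hash>` stands for the output of `caddy hash-password`.

```caddyfile
# Policy "either": LAN clients skip basic auth, everyone else must log in.
# remote_ip matches the direct peer address, so a forged X-Forwarded-For
# header from the internet does not satisfy it.
example.com {
	@external not remote_ip 192.168.1.0/24
	basicauth @external {
		user <bcrypt-hash>
	}
	reverse_proxy backend:1234
}

# Policy "both": the client must be on the LAN AND present valid credentials.
internal.example.com {
	@external not remote_ip 192.168.1.0/24
	respond @external "Forbidden" 403
	basicauth {
		user <bcrypt-hash>
	}
	reverse_proxy backend:1234
}
```

Caddy orders directives itself (basicauth runs before respond), so in the second site an outside client without credentials sees 401 rather than 403, but both checks still have to pass before the proxy is reached. If the server sits behind a reverse proxy of its own, the LAN decision must be made on the proxy-verified client address rather than the peer address; that is exactly the header-trust problem raised at the top of the thread.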
