question: Work with maxmind-geolocation #111

Closed
noobydp opened this issue May 25, 2022 · 4 comments
noobydp commented May 25, 2022

Hi,
I want to implement geolocation filtering provided by https://github.com/porech/caddy-maxmind-geolocation, but I don't understand how to get the filtering to work before the auth / login page is loaded?

I use caddy to reverse proxy a number of internal hosts, and I was able to get the geo filtering on each reverse proxy endpoint (not shown below), but the auth page is always available.

Here's part of my caddy file

```
{
	order authenticate before respond
	order authorize before basicauth
	order geo_ip first

	debug

	security {
		local identity store localdb {
			realm local
			path {$HOME}/.config/caddy/users.json
		}

		authentication portal myportal {
			crypto default token lifetime 86400
			cookie lifetime 2592000
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity store localdb

			ui {
				links {
				}
				# password_recovery_enabled no
			}
		}

		authorization policy users_policy {
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}
my.domain.com {
	@mygeofilter {
		maxmind_geolocation {
			db_path "/Users/me/.config/caddy/GeoLite2_Country/GeoLite2-Country.mmdb"
			allow_countries JP
		}
		not remote_ip 192.168.1.1
	}
	authenticate with myportal
	redir /myhost /myhost/
	route /myhost/* {
		authorize with users_policy
		reverse_proxy localhost:7878
	}
}
```
noobydp added the "need triage" and "question" (Further information is requested) labels May 25, 2022
@greenpau
Owner

@noobydp, try this. Editing in iPhone browser.

```
my.domain.com {
	route /auth* {
		maxmind_geolocation {
			db_path "/Users/me/.config/caddy/GeoLite2_Country/GeoLite2-Country.mmdb"
			allow_countries JP
		}
		not remote_ip 192.168.1.1
		authenticate with myportal
	}

	route /myhost/* {
		authorize with users_policy
		reverse_proxy localhost:7878
	}
	route {
		redir /myhost/ 302
	}
}
```

@greenpau
Owner

@noobydp, in short, I think you need to better understand the difference between routes, matchers, conditionals in caddy.

Above, I converted your config to be “route-based”.

@noobydp
Author

noobydp commented May 26, 2022

Thank you. I struggled to understand how routes, matchers and conditionals worked in this scenario but your example was helpful.

Adding maxmind_geolocation {..} threw errors; I ended up adding this to my config:

```
route /* {
	respond @mygeofilter 404
	authenticate with myportal
}
```

noobydp closed this as completed May 26, 2022
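One way to lay out the site block so the geolocation check is evaluated before the login portal is reached. This is an added example, not configuration posted in the thread or taken from either project. Assumptions: the portal is served under `/auth*` as in the owner's reply, only clients geolocated to JP should reach anything on this host, the matcher name `@geo_allowed` is hypothetical, and the global options block from the original post is unchanged.

```caddyfile
my.domain.com {
	# Named matcher (hypothetical name): true only for clients the
	# MaxMind database places in an allowed country.
	@geo_allowed {
		maxmind_geolocation {
			db_path "/Users/me/.config/caddy/GeoLite2_Country/GeoLite2-Country.mmdb"
			allow_countries JP
		}
	}

	# handle blocks are mutually exclusive: a request that matches
	# @geo_allowed is served here and never falls through.
	handle @geo_allowed {
		redir /myhost /myhost/

		# Login portal, reachable only after the geo check passed.
		route /auth* {
			authenticate with myportal
		}

		# Protected backend: token check first, then proxy.
		route /myhost/* {
			authorize with users_policy
			reverse_proxy localhost:7878
		}
	}

	# Fallback for everything that did not match @geo_allowed.
	# The portal and the backend are both unreachable from here,
	# so the login page is never rendered for filtered clients.
	handle {
		respond 404
	}
}
```

Because the matcher gates the whole `handle` block, any route added inside it later inherits the geo check. `caddy validate` confirms the file parses with the plugins compiled into the build.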
@greenpau
Owner

@noobydp, @dbranco, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?
