
Bypass Auth for Internal Addresses #181

Open
jjmoffitt opened this issue Nov 2, 2022 · 8 comments

Comments

@jjmoffitt

I've got the authentication all set up and I am very happy with the protection it gives me. My only question is whether it's possible for me to allow either an internal network to bypass the authentication, or if I can somehow use certificates on my devices to auto-auth. I looked through the documentation, and I saw some stuff that might be what I wanted, but I wasn't sure.

Thanks!

@jjmoffitt jjmoffitt added need triage question Further information is requested labels Nov 2, 2022
@greenpau greenpau added feature and removed question Further information is requested need triage labels Nov 7, 2022
@greenpau
Owner

greenpau commented Nov 7, 2022

> is if it's possible for me to allow either an internal network to bypass the authentication or if I can somehow use certificates on my devices to auto auth?

@jjmoffitt , not at the moment. Currently, you can set up a bypass of auth for a specific URL, i.e. not based on the source of the HTTP request. See bypass uri at https://authp.github.io/docs/authorize/bypass

I long wanted to implement a network filter as part of this plugin. Perhaps it is time 😄

@CruzMarcio

I was able to bypass auth on the local network by using handles:

```
test.example.com {
	@internal_network {
		remote_ip 192.168.0.0/24
	}
	handle @internal_network {
		reverse_proxy destination:80
	}
	handle {
		authorize with adminpolicy
		reverse_proxy destination:80
	}
}
```

The internal network IPs will match the first handle, which doesn't have the authorize policy; all the others will match the second, which has it.

@ebigaignon

@CruzMarcio I also wanted to bypass auth on the local network by using handles, but I get this error:

```
parsing caddyfile tokens for 'handle': directive 'authorize' is not an ordered HTTP handler, so it cannot be used here
```

@CruzMarcio

> @CruzMarcio I also wanted to bypass auth on local network, by using handles, but I get this error: parsing caddyfile tokens for 'handle': directive 'authorize' is not an ordered HTTP handler, so it cannot be used here

Can you paste your Caddyfile here? Remove the private info like addresses or keys.

@ebigaignon

ebigaignon commented Jul 22, 2023

```
{
	debug

	security {
		local identity store localdb {
			realm local
			path {env.HOME}/.local/caddy/users.json
		}
		authentication portal myportal {
			crypto default token lifetime 14400
			crypto key sign-verify {env.AUTHP_SHARED_KEY}
			enable identity store localdb
			cookie domain ...*.com
			ui {
				links {
					"Jellyfin" https://...*.com/jellyfin/ icon "las la-star"
					"Admins" https://...*.com/admins icon "las la-star"
					"Users" https://...*.com/users icon "las la-star"
					"My App" https://...*.com/myapp/
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin local
				# require mfa
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}
		authorization policy users_policy {
			set auth url https://....*.com/auth/
			allow roles authp/admin authp/user
			crypto key verify {env.AUTHP_SHARED_KEY}
		}
		authorization policy admins_policy {
			set auth url https://...*.com/admins/
			allow roles authp/admin
			crypto key verify {env.AUTHP_SHARED_KEY}
		}
	}
}

(tls_config) {
	tls {
		dns gandi {env.GANDI_API_TOKEN}
	}
}

...*.com {
	import tls_config
	@internal {
		remote_ip 192.168.1.254 192.168.0.128/25
	}

	handle @internal {
		reverse_proxy 127.0.0.1:8096
	}

	handle {
		authenticate with myportal
		reverse_proxy 127.0.0.1:8096
	}

	log {
		output file /var/log/caddy/portal.log {
			roll_size 10MiB
			roll_keep 10
			roll_keep_for 2160h
		}
	}
}
```

```
caddy[188083]: Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': directive 'authenticate' is not an ordered HTTP handler, so it cannot be used here
```

@CruzMarcio

CruzMarcio commented Jul 25, 2023

```
handle {
	authenticate with myportal
	reverse_proxy 127.0.0.1:8096
}
```

Should be "authorize", not "authenticate":

```
handle {
	authorize with myportal
	reverse_proxy 127.0.0.1:8096
}
```

@ebigaignon

It makes no difference at all. `authorize` or `authenticate`: not an ordered HTTP handler, so it cannot be used here.

I can use handle with the basic auth setup, no problem, but I wanted something more configurable, with session management.

@ebigaignon

I just found out how to make it work. Great!

```
@internal {
	remote_ip 192.168....
}

handle @internal {
	reverse_proxy 127.0.0.1:8096
}
route /auth/* {
	authenticate with myportal
}
route /jellyfin/* {
	authorize with users_policy
	reverse_proxy 127.0.0.1:8096
}
```
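The `route` block works because Caddy applies the directives inside `route` in the literal order written, so the plugin's directives need no position in the standard handler chain there. The other way to make the `handle`-based layout from earlier in the thread adapt is to give `authenticate` and `authorize` a position in that chain with Caddy's global `order` option, which is exactly what the "not an ordered HTTP handler" error is asking for. The following is an added example, not configuration from this thread or from the caddy-security project; the hostnames, the `users.json` path, the token lifetime and the `192.168.0.0/24` range are assumptions. One caveat for anyone relying on this bypass: `remote_ip` matches the TCP peer address Caddy sees, so if Caddy runs behind another proxy or load balancer, every request arrives from that proxy's address and the `@internal` matcher will match either nothing or everything, with the latter silently disabling authorization for the whole site.

```caddyfile
{
	# Place the plugin's directives in Caddy's standard handler chain.
	# Without these two lines, using them inside `handle` fails with
	# "directive 'authorize' is not an ordered HTTP handler".
	order authenticate before respond
	order authorize before reverse_proxy

	security {
		local identity store localdb {
			realm local
			path /etc/caddy/users.json    # assumed path
		}
		authentication portal myportal {
			crypto default token lifetime 3600    # assumed value
			crypto key sign-verify {env.AUTHP_SHARED_KEY}
			enable identity store localdb
			cookie domain example.com    # assumed domain
		}
		authorization policy users_policy {
			set auth url https://auth.example.com/    # assumed portal URL
			allow roles authp/admin authp/user
			crypto key verify {env.AUTHP_SHARED_KEY}
		}
	}
}

# The portal gets its own hostname so it never sits behind the bypass.
auth.example.com {
	authenticate with myportal
}

app.example.com {
	# Single-line matcher form: true only when the TCP peer address is
	# inside the listed range (assumed internal range).
	@internal remote_ip 192.168.0.0/24

	# Internal clients reach the backend without a token check.
	handle @internal {
		reverse_proxy 127.0.0.1:8096
	}

	# Everyone else must present a valid token issued by myportal;
	# with the `order` lines above, `authorize` is accepted here.
	handle {
		authorize with users_policy
		reverse_proxy 127.0.0.1:8096
	}
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` after editing: with the two `order` lines removed it reports the same "not an ordered HTTP handler" error seen above, and with them present it adapts cleanly. Because the bypass depends entirely on the source address, keep the `log` block from the earlier configuration on the site so that requests served through `handle @internal` are recorded with their `remote_ip` and can be audited.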
