Revert all changes regarding forward_auth in caddy.rst

Since implementing this feature properly would take a redesign of how the current handle/reverse_proxy structure works, it is unfeasible for now.

I am unsure the use case is really there either. With basic_auth implemented, it's far easier to restrict access in a less convoluted way.

Combining basic_auth with HTTP logs and CrowdSec also makes brute-forcing impossible; IP addresses are banned quite swiftly.
pull/548/head
Monviech 1 month ago committed by GitHub
parent 910d365eac
commit faa3772bc5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -26,7 +26,6 @@ Main features of this plugin:
* Syslog-ng integration and HTTP Access Log
* NTLM Transport
* Header manipulation
* Forward Auth support for Authelia
--------------
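Review bot: Dropping the "Forward Auth support for Authelia" bullet from the feature list is the right first step, but the feature list is only the summary; the revert also has to remove every remaining mention of ``forward_auth`` and ``copy_headers`` from the option tables and the tutorial below, otherwise the list promises less than the body still documents. Please double-check that the later hunks in this commit cover all of them.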
@ -208,13 +207,12 @@ Option Description
**Subdomain** Select a subdomain. This will put the handler on the subdomain instead of the domain. Use only with wildcard domains and subdomains.
**Handle Type** `handle` or `handle path` can be chosen. If in doubt, always use `handle`, the most common option. `handle path` is used to strip the path from the URI.
**Handle Path** Leave this empty to create a catch all location or enter a location like `/foo/*` or `/foo/bar*`.
**Handle Directive** In most cases, leaving this as "reverse_proxy" will be the best choice. "forward_auth" is an advanced scenario, read the documentation here: https://caddyserver.com/docs/caddyfile/directives/forward_auth
**>Header** Header options
**Header Manipulation** Select one or multiple header manipulations. These will be set to this handler. When using "forward_auth", a combination of "header_up" and "copy_headers" is also supported.
**Header Manipulation** Select one or multiple header manipulations. These will be set to this handler.
**>Upstream** Upstream options
**Upstream Domain** Should be an internal domain name or an IP Address of the upstream destination that should receive the reverse proxied traffic.
**Upstream Port** Should be the port the upstream destination listens on. This can be left empty to use Caddy default port 80.
**Upstream Path** When using "reverse_proxy" (default), in case the backend application resides in a sub-path of the web root and its path shouldn't be visible in the frontend URL, this setting can be used to prepend an initial path starting with '/' to every backend request. Java applications running in a servlet container like Tomcat are known to behave this way, so set it to e.g. '/guacamole' to access Apache Guacamole at the frontend root URL without needing a redirect. When using "forward_auth" and "copy_headers" to send pre-check requests to an authentication provider, e.g. Authelia, enter an uri like: ``/api/verify?rd=https://auth.example.com``.
**Upstream Path** When using "reverse_proxy" (default), in case the backend application resides in a sub-path of the web root and its path shouldn't be visible in the frontend URL, this setting can be used to prepend an initial path starting with '/' to every backend request. Java applications running in a servlet container like Tomcat are known to behave this way, so set it to e.g. '/guacamole' to access Apache Guacamole at the frontend root URL without needing a redirect.
**>Trust** Certificate options
**TLS** If the upstream destination only accepts HTTPS, enable this option. If the upstream destination has a globally trusted certificate, this TLS option is the only needed one.
**NTLM** If the upstream destination needs NTLM authentication, enable this option together with TLS. For example: Exchange Server.
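Review bot: The **Handle Directive** row is deleted outright rather than replaced, so the table no longer documents that option at all. If the directive field remains in the form after the revert (with ``reverse_proxy`` as its only value), a one-line row such as "**Handle Directive** Currently only ``reverse_proxy`` is supported." would keep the table in sync with the GUI; if the field was removed from the form as well, this is fine as is. The **Header Manipulation** and **Upstream Path** rows correctly lose only the ``forward_auth``/``copy_headers`` sentences and keep the Guacamole sub-path explanation, which is still accurate for ``reverse_proxy``.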
@ -264,10 +262,10 @@ Reverse Proxy - Headers
=========================== ================================
Option Description
=========================== ================================
**Header** ``header_up`` sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. ``header_down`` sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. ``copy_headers`` is a list of HTTP header fields to copy from the response to the original request, when the request has a success status code. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers.
**Header Type** Enter a header, for example ``Host``. Use the ``+`` or ``-`` prefix to add or remove this header, for example ``-Host`` or ``+Host``. A suffix match like ``-Host-*`` is also supported. To replace a header, use ``Some-Header`` without ``+`` or ``-``. When using ``copy_headers``, input one header to copy here. For additional entries, create a new header entry.
**Header Value** Enter a value for the above header. One of the most common options is ``{upstream_hostport}``. It's also possible to use a regular expression to search for a specific value in a header. For example: ``^prefix-([A-Za-z0-9]*)$`` which uses the regular expression language RE2 included in Go. When using ``copy_headers``, leave this field empty.
**Header Replace** If a regular expression is used to search for a `Header Value`, here the replacement string can be set. For example: ``replaced-$1-suffix`` which expands the replacement string, allowing the use of captured values, ``$1`` being the first capture group. When using ``copy_headers``, optionally input the replacement for the copied header here.
**Header** ``header_up`` sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. ``header_down`` sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers.
**Header Type** Enter a header, for example ``Host``. Use the ``+`` or ``-`` prefix to add or remove this header, for example ``-Host`` or ``+Host``. A suffix match like ``-Host-*`` is also supported. To replace a header, use ``Some-Header`` without ``+`` or ``-``.
**Header Value** Enter a value for the above header. One of the most common options is ``{upstream_hostport}``. It's also possible to use a regular expression to search for a specific value in a header. For example: ``^prefix-([A-Za-z0-9]*)$`` which uses the regular expression language RE2 included in Go.
**Header Replace** If a regular expression is used to search for a `Header Value`, here the replacement string can be set. For example: ``replaced-$1-suffix`` which expands the replacement string, allowing the use of captured values, ``$1`` being the first capture group.
=========================== ================================
.. Attention:: Setting headers to handlers should be considered an advanced option for experts. Please don't set them without any reason. Caddy uses safe defaults. https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults
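Review bot: Removing the ``copy_headers`` sentences from **Header**, **Header Type**, **Header Value** and **Header Replace** is consistent with the rest of the revert, but the surviving **Header** row still repeats the identical clause "sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement)" verbatim for ``header_up`` and ``header_down``. Consider stating the behaviour once and then saying ``header_up`` applies it to the request going upstream and ``header_down`` to the response coming downstream; shorter rows also keep the fixed-width table in this file readable.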
@ -505,127 +503,6 @@ Options Values
.. Tip:: Since (most) headers retain their original value when being proxied, it is often necessary to override the Host header with the configured upstream address when proxying to HTTPS, such that the Host header matches the TLS ServerName value. https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#https
---------------------------------
Authelia as forward_auth provider
---------------------------------
.. Attention:: Delegating authentication to Authelia, before serving an app via a reverse proxy, is an advanced usecase. Since the GUI configuration is a little more complicated, an example configuration based on https://caddyserver.com/docs/caddyfile/directives/forward_auth#authelia is provided in this tutorial section.
Go to `Services - Caddy Web Server - Reverse Proxy - Domains` to create two new domains.
Press **+** to create the first new domain
=================================== ============================
Options Values
=================================== ============================
**Domain:** ``app1.example.com``
=================================== ============================
* Press **Save**
Press **+** to create the second new domain
=================================== ============================
Options Values
=================================== ============================
**Domain:** ``auth.example.com``
=================================== ============================
* Press **Save**
Go to `Services - Caddy Web Server - Reverse Proxy - Headers`
Press **+** to create new entry for each of these headers: ``Remote-User`` ``Remote-Groups`` ``Remote-Name`` ``Remote-Email``
=================================== ============================
Options Values
=================================== ============================
**Header:** ``copy_headers``
**Header Type:** ``Remote-User``
**Description:** ``Copy Remote-User``
=================================== ============================
* Press **Save**
* Repeat until each of these ``copy_header`` entries have been created.
Go to `Services - Caddy Web Server - Reverse Proxy - Handler`, three new handlers have to be created in the following succession:
Press **+** to create **the first** new Handler for the authentication gateway
=================================== ============================
Options Values
=================================== ============================
**Domain:** ``auth.example.com``
**Handle Directive:** ``reverse_proxy``
**Upstream Domain:** ``authelia``
**Upstream Port:** ``9091``
**Description:** ``Authelia Gateway``
=================================== ============================
* Press **Save**
Press **+** to create **the second** new Handler with ``forward_auth``
* enable `advanced mode`
=================================== ============================================================================================================================================
Options Values
=================================== ============================================================================================================================================
**Domain:** ``app1.example.com``
**Handle Directive:** ``forward_auth``
**Header Manipulation:** ``copy_headers Remote-User``, ``copy_headers Remote-Groups``, ``copy_headers Remote-Name``, ``copy_headers Remote-Email``
**Upstream Port:** ``9091``
**Upstream Path:** ``/api/verify?rd=https://auth.example.com``
**Description:** ``forward_auth app1.example.com to auth.example.com``
=================================== ============================================================================================================================================
* Press **Save**
Press **+** to create **the third** new Handler for the ``reverse_proxy`` to ``app01`` if the forward_auth has been successful
=================================== ========================================================
Options Values
=================================== ========================================================
**Domain:** ``app1.example.com``
**Handle Directive:** ``reverse_proxy``
**Upstream Domain:** ``app1``
**Upstream Port:** ``8080``
**Description:** ``reverse_proxy app1 after successful forward_auth``
=================================== ========================================================
* Press **Save** and **Apply**
This will result in the following Caddyfile:
.. code-block::
# Reverse Proxy Domain: "388cc0a7-efc5-44b4-81d6-5757aa85a5ad"
app1.example.com {
handle {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.example.com
copy_headers {
Remote-Email
Remote-Groups
Remote-Name
Remote-User
}
}
}
handle {
reverse_proxy app1:8080 {
}
}
}
# Reverse Proxy Domain: "3adc1fb4-67bf-45ce-bd9a-dba74aff4fda"
auth.example.com {
handle {
reverse_proxy authelia:9091 {
}
}
}
-------------------------------
Integrating Caddy with CrowdSec
-------------------------------
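Review bot: The generated Caddyfile shown in the removed tutorial supports the reason given in the commit message: ``forward_auth authelia:9091`` sits in its own ``handle { }`` block with nothing after it, and a second ``handle { reverse_proxy app1:8080 }`` follows. Caddy's ``handle`` blocks are mutually exclusive and the first unconditional one wins, so once forward_auth succeeds there is no proxy left in that block to pass the request on to, and the second block is never reached; for the tutorial to work, ``forward_auth`` and ``reverse_proxy`` would have to live in the same handler, which the current one-directive-per-handler model cannot express. Given that, removing the whole section (including the Authelia ``Attention`` note and the ``/api/verify?rd=`` example) instead of leaving a non-working walkthrough is the correct choice. Two small checks before merging: the removed text used ``copy_header`` in one place and ``copy_headers`` elsewhere, so make sure no stray reference to either survives in other sections, and confirm that the "Integrating Caddy with CrowdSec" heading now directly follows the ``Tip`` about overriding the Host header with a blank line between them so the reST section underline still renders.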
