question: Lock authentication to specific IP addresses #360

Gunni · 2024-10-05T20:38:15Z

I am using SAML auth with Entra ID/Azure AD, but I want to prevent anyone not on a specific IP (or multiple IPs/CIDRs) from trying to authenticate or access the webserver.

How can I do that?

Defense in depth.

I used to have something like

@blocked not remote_ip <ip1> <ip2> <ip3>
respond @blocked "Nope" 403

But then I added caddy-security and it stopped working. I can get exact config on Monday.

greenpau · 2024-10-05T20:41:05Z

@Gunni , not sure whether I understand the use case and how it is related to this plugin.

Gunni · 2024-10-05T20:44:30Z

Basically:

check if user in in access list
check saml/redirect user
forward request to reverse proxy

In that order. Again if i need to post config, i can do it on Monday.

greenpau · 2024-10-06T17:34:22Z

In that order. Again if i need to post config, i can do it on Monday.

@Gunni , let's see your config.

Gunni · 2024-10-08T14:50:35Z

Here it is: https://gist.github.com/Gunni/c00b0eab5115eed846e04b66dfa85662

Gunni added need triage question Further information is requested labels Oct 5, 2024

Gunni assigned greenpau Oct 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

question: Lock authentication to specific IP addresses #360

question: Lock authentication to specific IP addresses #360

Gunni commented Oct 5, 2024 •

edited

Loading

greenpau commented Oct 5, 2024

Gunni commented Oct 5, 2024

greenpau commented Oct 6, 2024

Gunni commented Oct 8, 2024

question: Lock authentication to specific IP addresses #360

question: Lock authentication to specific IP addresses #360

Comments

Gunni commented Oct 5, 2024 • edited Loading

greenpau commented Oct 5, 2024

Gunni commented Oct 5, 2024

greenpau commented Oct 6, 2024

Gunni commented Oct 8, 2024

Gunni commented Oct 5, 2024 •

edited

Loading