question: Lock authentication to specific IP addresses

Question

question: Lock authentication to specific IP addresses

Opened this issue a year ago · 4 comments

I am using SAML auth with Entra ID/Azure AD, but I want to prevent anyone not on a specific IP (or multiple IPs/CIDRs) from trying to authenticate or access the webserver.

How can I do that?

Defense in depth.

I used to have something like

@blocked not remote_ip <ip1> <ip2> <ip3>
respond @blocked "Nope" 403

But then I added caddy-security and it stopped working. I can get exact config on Monday.

Answer 1 · 2024-10-05T20:41:05.000Z

@Gunni , not sure whether I understand the use case and how it is related to this plugin.

Answer 2 · 2024-10-05T20:44:30.000Z

Basically:

check if user in in access list
check saml/redirect user
forward request to reverse proxy

In that order. Again if i need to post config, i can do it on Monday.

Answer 3 · 2024-10-06T17:34:22.000Z

In that order. Again if i need to post config, i can do it on Monday.

@Gunni , let's see your config.

Answer 4 · 2024-10-08T14:50:35.000Z

Here it is: https://gist.github.com/Gunni/c00b0eab5115eed846e04b66dfa85662