greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: How to reverse proxy to different server based on multiple policy #341

Closed write3371 closed 4 months ago

write3371 commented 4 months ago

How to reverse proxy to different servers based on multiple policies? Say I have configured:

    authorize with mypolicy1
    route * {
        reverse_proxy  apiserver1:8080 
    }

Can I add mypolicy2 at the same URL but routing to a different apiserver2? Or can I set different envs when mypolicy1 or mypolicy2 is matched?

greenpau commented 4 months ago

> Can I add mypolicy2 at the same URL but routing to a different apiserver2? Or can I set different envs when mypolicy1 or mypolicy2 is matched?

@write3371, it is done with route handlers, which have matchers. Then, you execute only the plugin you want.

    handle x with condition a {
      authorize with mypolicy1
      reverse_proxy apiserver1:8080
    }

    handle x with condition b {
      authorize with mypolicy2
      reverse_proxy apiserver2:8080
    }

It is a Caddy thing, not something specific to this plugin.

write3371 commented 4 months ago

Thanks for answering! Can I use username or roles as the condition?

greenpau commented 4 months ago

@write3371, I think you could do it by authorizing first, passing roles/username via X headers, and then matching on the X headers.

The username is also being populated inside the Caddy context. In theory, you could match there too.
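
The "authorize first, then match on the X headers" approach from the last reply, written out as a Caddyfile. This is an added example, not part of the thread or the project's own configuration. Assumptions: a single policy named `mypolicy` that is configured to inject claim headers, the header name `X-Token-User-Roles`, a space-separated roles value, the role `authp/admin`, and the site address `example.com`.

```caddyfile
# Added example. The policy name, header name, role name and roles
# format are assumptions; check them against your own policy.
example.com {
	# Match the role as a whole token so that a longer role name
	# containing "authp/admin" as a substring does not match.
	@admins header_regexp X-Token-User-Roles "(^| )authp/admin( |$)"

	# "route" keeps the handlers below in the order written.
	route /api/* {
		# Delete any client-supplied copy of the header first, so the
		# routing decision depends only on what the plugin injects.
		request_header -X-Token-User-Roles

		# Authenticate and authorize every request with one policy.
		# The policy is assumed to contain "inject headers with claims".
		authorize with mypolicy

		# Matchers are evaluated when the request reaches them, so
		# they see the headers added by the authorize step above.
		handle @admins {
			reverse_proxy apiserver1:8080
		}

		# Every other authorized user goes to the second backend.
		handle {
			reverse_proxy apiserver2:8080
		}
	}
}
```

Both upstreams also receive the injected header, so each backend should accept traffic only from the proxy if it trusts that header for its own decisions.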