Merge pull request #17 from docuteam/add-option-to-not-apply-allowlis…

…t-to-a-route Add option to ignore `allow_list` for a certain route
simplificator · Jan 12, 2024 · 3b9f928 · 3b9f928
2 parents 21d02f3 + bfe069d
commit 3b9f928
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ If you only want to install Caddy, you don't need to set any variables. If you w
 Afterwards, you can define a list of `routes` composing of the following values:
 
 * `path`: Path that should be matched. Let it empty for everything or e.g. `/api/*` for something specific.
+* `ignore_allowlist`: If `true` the site's `allowlist` will not be applied to this route, thus making this route publicly available. Defaults to `false`.
 * `reverse_proxy_destination`: Where the requested should be proxied.
 * `strip_prefix`: If set, the matched `path` will be removed from the request to the destination system. This means, if somebody requests the route `/api/v1/hello` at the reverse proxy and you set `/api/*` as path, the request will be sent as `/v1/hello` to the destination system.
 

diff --git a/molecule/reverse-proxy/converge.yml b/molecule/reverse-proxy/converge.yml
@@ -28,3 +28,13 @@
         routes:
           - path: ''
             reverse_proxy_destination: 192.168.50.1
+      - domain: mixed.example.com
+        routes:
+          - path: '/public/*'
+            ignore_allowlist: true
+            reverse_proxy_destination: 192.168.50.3
+          - path: '/protected/*'
+            strip_prefix: true
+            reverse_proxy_destination: 192.168.50.4
+        allowlist:
+          - 8.8.8.8/32
diff --git a/molecule/reverse-proxy/files/Caddyfile.expected b/molecule/reverse-proxy/files/Caddyfile.expected
@@ -12,12 +12,13 @@ example.com {
     not remote_ip  8.8.8.8/32
   }
 
-  handle /basic/auth* {        
+  handle /basic/auth* {
   basicauth {
     Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
-  }        
-  
+  }
+
   uri replace /basic/auth /api/auth
+
   reverse_proxy @allowlist the-api.com:3000
   respond @not_allowlist 404
 }
@@ -29,7 +30,8 @@ example.com {
     respond @not_allowlist 404
   }
 
-  }
+
+}
 
 
 http://example.com:8080, http://example.com:1337 {
@@ -43,7 +45,33 @@ test.com {
     reverse_proxy 192.168.50.1
   }
 
+
+}
+
+
+
+
+mixed.example.com {
+  @allowlist {
+    remote_ip  8.8.8.8/32
+  }
+
+  @not_allowlist {
+    not remote_ip  8.8.8.8/32
+  }
+
+
+  handle /public/* {
+    reverse_proxy 192.168.50.3
+  }
+
+  handle_path /protected/* {
+    reverse_proxy @allowlist 192.168.50.4
+    respond @not_allowlist 404
   }
+
+
+}
 
 
 
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
@@ -28,10 +28,10 @@
   {%- for route in site.routes %}
   {% if route.strip_prefix is defined and route.strip_prefix %}
   handle_path {{ route.path }} {
-  {% else %}
+  {%- else %}
   handle {{ route.path }} {
   {%- endif %}
-    {%- if site.allowlist is defined %}
+    {%- if site.allowlist is defined and not (route.ignore_allowlist| default(false)) %}
     reverse_proxy @allowlist {{ route.reverse_proxy_destination }}
     respond @not_allowlist 404
     {%- else %}
@@ -42,7 +42,7 @@
 
   {% if site.certificate_file is defined %}
   tls {{ site.certificate_file }} {{ site.certificate_key }}
-  {% endif -%}
+  {%- endif %}
 }
 
 {% if (site.additional_forwarding_ports is defined) and (site.additional_forwarding_ports | length > 0) %}