The use case behind this revolves around my homelab. I have several services running behind Caddy2 which require authentication via Google OAuth. This is an easy way to protect your services and is highly recommended (even on your personal, private home network). However, what do you do when you have a client that needs to bypass authentication?
For me, this situation came up when I tried to use the app LunaSea. LunaSea is a fantastic app that provides a nice, mobile-friendly user interface to manage several services such as Radarr, Sonarr, etc. By default, the app can do basic authentication and provide custom headers with all of its outgoing requests.
In this article, we're going to allow LunaSea to bypass Caddy's authentication as long as it injects/provides a custom header. Is this the most secure way of doing things? Absolutely not. Will it be fine for a home network? Most definitely. Furthermore, if your service requires an API token, bypassing the traditional Caddy auth is understandable as your service is still secured behind the token.
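radarr.example.com {
    # Named matcher: true when the request carries the header
    # "BypassAuth: 1234567890". The value acts as a shared secret.
    @hasSPECIALHeader {
        header BypassAuth 1234567890
    }
    # Requests with the header go straight to Radarr, skipping authorization.
    handle @hasSPECIALHeader {
        reverse_proxy radarr:7878
    }
    # All other requests go through the "admin" authorization policy.
    handle {
        reverse_proxy radarr:7878
        authorize with admin
    }
}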
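
A tighter variant of the configuration above, added here as an example and not part of the original article: the bypass applies only when the request also comes from the local network, the header value is read from the environment instead of being written into the Caddyfile, and the header is removed before the request reaches Radarr. The `192.168.0.0/16` range and the `BYPASS_AUTH_TOKEN` variable name are assumptions; the hostname, upstream and `authorize with admin` policy are the ones used above.

```caddyfile
radarr.example.com {
    # Matchers inside one named set are ANDed: the request must come
    # from the LAN *and* carry the expected header value.
    @bypass {
        # Assumed home LAN range; change to match your network.
        remote_ip 192.168.0.0/16
        # Shared secret substituted from the environment when the config
        # is loaded. BYPASS_AUTH_TOKEN is a hypothetical variable name;
        # set it to a long random string.
        header BypassAuth {$BYPASS_AUTH_TOKEN}
    }

    handle @bypass {
        reverse_proxy radarr:7878 {
            # Strip the shared secret so the backend never sees or logs it.
            header_up -BypassAuth
        }
    }

    # Everything else still goes through the "admin" authorization policy.
    handle {
        authorize with admin
        reverse_proxy radarr:7878
    }
}
```

If Caddy itself sits behind another proxy, `remote_ip` sees that proxy's address rather than the client's, so the range check needs to account for that.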