From 23cc5ea843dcde5ebeba4e005d7b421486668c6e Mon Sep 17 00:00:00 2001
From: Thomas Bernhart
Date: Thu, 11 Jan 2024 15:25:54 +0100
Subject: [PATCH 1/4] Add optional variable `public` to routes to ignore `site.allowlist`

There are cases where most of the routes should only be allowed for the IP addresses defined in `allowlist`, but certain routes should be available publicly.
---
 README.md | 1 +
 templates/Caddyfile.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c643239..71936d2 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ If you only want to install Caddy, you don't need to set any variables. If you w
 Afterwards, you can define a list of `routes` composing of the following values:
 * `path`: Path that should be matched. Let it empty for everything or e.g. `/api/*` for something specific.
+* `public`: If `true` the site's `allowlist` will not be applied to this route, thus making this route publicly available. Defaults to `false`.
 * `reverse_proxy_destination`: Where the requested should be proxied.
 * `strip_prefix`: If set, the matched `path` will be removed from the request to the destination system. This means, if somebody requests the route `/api/v1/hello` at the reverse proxy and you set `/api/*` as path, the request will be sent as `/v1/hello` to the destination system.
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
index e6b3d15..d66d712 100644
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -31,7 +31,7 @@
 {% else %}
 handle {{ route.path }} {
 {%- endif %}
- {%- if site.allowlist is defined %}
+ {%- if site.allowlist is defined and not (route.public | default(false)) %}
 reverse_proxy @allowlist {{ route.reverse_proxy_destination }}
 respond @not_allowlist 404
 {%- else %}
From 3798334b4769b7c5d5fee7b716fa22ef346a9f45 Mon Sep 17 00:00:00 2001
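Review bot: The new condition on the `{%- if site.allowlist is defined and not (route.public | default(false)) %}` line treats any truthy value of `route.public` as a bypass, so a route written with a string such as `public: "false"` (or any other non-empty string) evaluates to "not restricted", reaches the `{%- else %}` branch and is served without the `@allowlist` matcher; only a YAML boolean behaves as the README describes. Coercing the value keeps the string spellings of false closed: `{%- if site.allowlist is defined and not (route.public | default(false) | bool) %}`. The same expression survives the rename in patch 4/4 as `route.ignore_allowlist| default(false)` (also missing the space before the pipe), where the corrected line is `{%- if site.allowlist is defined and not (route.ignore_allowlist | default(false) | bool) %}`. The enclosing `{% for route in site.routes %}` loop and the `handle` block open before this hunk.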
From: Thomas Bernhart
Date: Thu, 11 Jan 2024 16:17:40 +0100
Subject: [PATCH 2/4] Fix minor indentation issues

---
 templates/Caddyfile.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
index d66d712..65681e1 100644
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -28,7 +28,7 @@
 {%- for route in site.routes %}
 {% if route.strip_prefix is defined and route.strip_prefix %}
 handle_path {{ route.path }} {
- {% else %}
+ {%- else %}
 handle {{ route.path }} {
 {%- endif %}
 {%- if site.allowlist is defined and not (route.public | default(false)) %}
@@ -42,7 +42,7 @@
 {% if site.certificate_file is defined %}
 tls {{ site.certificate_file }} {{ site.certificate_key }}
- {% endif -%}
+ {%- endif %}
 }
 {% if (site.additional_forwarding_ports is defined) and (site.additional_forwarding_ports | length > 0) %}
From 3e1d72289d495191e2bbaab8bf7a91a989425f0b Mon Sep 17 00:00:00 2001
From: Thomas Bernhart
Date: Fri, 12 Jan 2024 18:32:39 +0100
Subject: [PATCH 3/4] Test new variable in molecule test scenario reverse-proxy

---
 molecule/reverse-proxy/converge.yml | 10 ++++++
 .../reverse-proxy/files/Caddyfile.expected | 36 ++++++++++++++++++++++++++++++++----
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/molecule/reverse-proxy/converge.yml b/molecule/reverse-proxy/converge.yml
index 48df7c5..30ff6a8 100644
--- a/molecule/reverse-proxy/converge.yml
+++ b/molecule/reverse-proxy/converge.yml
@@ -28,3 +28,13 @@
 routes:
 - path: ''
 reverse_proxy_destination: 192.168.50.1
+ - domain: mixed.example.com
+ routes:
+ - path: '/public/*'
+ ignore_allowlist: true
+ reverse_proxy_destination: 192.168.50.3
+ - path: '/protected/*'
+ strip_prefix: true
+ reverse_proxy_destination: 192.168.50.4
+ allowlist:
+ - 8.8.8.8/32
diff --git a/molecule/reverse-proxy/files/Caddyfile.expected b/molecule/reverse-proxy/files/Caddyfile.expected
index 6e8c569..a22865b 100644
--- a/molecule/reverse-proxy/files/Caddyfile.expected
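Review bot: The new `mixed.example.com` entry sets `ignore_allowlist: true`, but at this point in the series the template still reads `route.public` (the rename only lands in patch 4/4), so `default(false)` applies and `/public/*` renders with the `@allowlist` matcher; if the verify step compares against `Caddyfile.expected`, this commit's scenario cannot pass on its own. Squashing patch 3 into patch 4, or ordering the rename first, keeps every commit in the series testable. The scenario also only exercises the boolean `true` case; adding `ignore_allowlist: false` to the `/protected/*` route would pin the restricted path explicitly instead of relying on the key being absent. The site list this entry belongs to starts before the hunk.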
+++ b/molecule/reverse-proxy/files/Caddyfile.expected
@@ -12,12 +12,13 @@ example.com {
 not remote_ip 8.8.8.8/32
 }
- handle /basic/auth* {
+ handle /basic/auth* {
 basicauth {
 Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
- }
-
+ } + uri replace /basic/auth /api/auth + reverse_proxy @allowlist the-api.com:3000
 respond @not_allowlist 404
 }
@@ -29,7 +30,8 @@ example.com {
 respond @not_allowlist 404
 }
- }
+
+}
 http://example.com:8080, http://example.com:1337 {
@@ -43,7 +45,33 @@ test.com {
 reverse_proxy 192.168.50.1
 }
+
+}
+
+
+
+
+mixed.example.com {
+ @allowlist {
+ remote_ip 8.8.8.8/32
+ }
+
+ @not_allowlist {
+ not remote_ip 8.8.8.8/32
+ }
+
+
+ handle /public/* {
+ reverse_proxy 192.168.50.3
+ }
+
+ handle_path /protected/* {
+ reverse_proxy @allowlist 192.168.50.4
+ respond @not_allowlist 404
 }
+
+
+}
From bfe069de89e6ee648e116d7e5035ba6ac7487075 Mon Sep 17 00:00:00 2001
From: Thomas Bernhart
Date: Fri, 12 Jan 2024 18:33:46 +0100
Subject: [PATCH 4/4] Rename variable `public` to `ignore_allowlist`

---
 README.md | 2 +-
 templates/Caddyfile.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 71936d2..b66a57c 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ If you only want to install Caddy, you don't need to set any variables. If you w
 Afterwards, you can define a list of `routes` composing of the following values:
 * `path`: Path that should be matched. Let it empty for everything or e.g. `/api/*` for something specific.
-* `public`: If `true` the site's `allowlist` will not be applied to this route, thus making this route publicly available. Defaults to `false`.
+* `ignore_allowlist`: If `true` the site's `allowlist` will not be applied to this route, thus making this route publicly available. Defaults to `false`.
 * `reverse_proxy_destination`: Where the requested should be proxied.
 * `strip_prefix`: If set, the matched `path` will be removed from the request to the destination system. This means, if somebody requests the route `/api/v1/hello` at the reverse proxy and you set `/api/*` as path, the request will be sent as `/v1/hello` to the destination system.
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
index 65681e1..c065baf 100644
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -31,7 +31,7 @@
 {%- else %}
 handle {{ route.path }} {
 {%- endif %}
- {%- if site.allowlist is defined and not (route.public | default(false)) %}
+ {%- if site.allowlist is defined and not (route.ignore_allowlist| default(false)) %}
 reverse_proxy @allowlist {{ route.reverse_proxy_destination }}
 respond @not_allowlist 404
 {%- else %}