We recently ran into an issue where — boiled down — we had two servers:
- A Node.js server that authenticates API users via the `Authorization` header. It exposes an `/auth/verify` endpoint, which returns `2xx` if this header is valid.
- A websocket server we had no control over with no authentication mechanism.
How could we expose this websocket server without it being unprotected?
After researching a bit, we found Caddy has a directive called forward_auth. We could leverage this to forward all requests to our upstream node server's token verification endpoint before they're passed along (if successful) to our upstream websockets server.
Caddyfile:

```
:9000

forward_auth {$UPSTREAM_NODE_SERVER} {
    uri /auth/verify
}

reverse_proxy {$UPSTREAM_WEBSOCKETS_SERVER} {
    header_up -Authorization
}
```
Now, by only exposing our Caddy server, we've essentially added auth to our websocket server.