[hasel]

Is this supposed to be used to put entire domains behind basic auth or should you use it for specific end points?

[g_p]

You can do this for specific endpoints in Caddy, or whole domains/sites.

If you create a matcher like

@wp-admin {

  path /wp-admin\*

  path /wp-login\*

}

Then you can just service up that handler's endpoints:

handle @wp-admin {

    basicauth {

       username pwhash_goes_here

       username2 pwhash2

    }

    # reverse proxy config etc, e.g.

    reverse_proxy http://127.0.0.1:8080

}

And now only the wp-admin and wp-login endpoints are protected, but the rest of the site is unaffected.

[mholt]

You can do either. To Caddy, "entire domain" or "specific endpoints" are all the same thanks to request matchers. You can precisely customize which requests have basic auth applied to them: https://caddyserver.com/docs/caddyfile/matchers

[makeworld]

It can be used for either. Depends what you'd like to do. Maybe the domain is admin.mysite.com and so you want to wall the whole thing off. I've used it for specific endpoints as well though, like to protect certain folders of a file server.