Advice needed on configuration & security

Hey guys, I'm new to Caddy and I need a second opinion on the security of my setup and config file, if anyone could give me some advice :slight_smile:

Is there anything I can do better?
I couldn't get roll_size and roll_keep to work under log for some reason.

(crowdsec) {
	crowdsec
}

(auth) {
	forward_auth http://192.168.1.51:9091 {
		uri /api/verify?rd=https://auth.domain.com
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

{
	# order webdav before file_server
	order crowdsec before forward_auth
	order crowdsec before reverse_proxy

	servers {
		trusted_proxies cloudflare {
			interval 12h
			timeout 15s
		}
	}

	# Logging
	log stdout_logger {
		output stdout
		format console
		exclude http.log.access
	}
	log file_logger {
		# roll_* are subdirectives of `output file`, not of `log`
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
		include http.log.access
	}

	crowdsec {
		api_key redacted
		api_url http://192.168.1.19:8080/
		ticker_interval 15s
	}
}

*.domain.com {
	tls {
		dns cloudflare redacted
		resolvers 1.1.1.1
	}

	# Authelia
	@authelia host auth.domain.com
	handle @authelia {
		import crowdsec
		#import auth
		reverse_proxy @authelia http://192.168.1.51:9091
	}

	# homepage
	@homepage host homepage.domain.com
	handle @homepage {
		import crowdsec
		import auth
		reverse_proxy @homepage http://192.168.1.23:3000
	}

	# Home Assistant
	@homeassistant host ha.domain.com
	handle @homeassistant {
		import crowdsec
		#import auth
		reverse_proxy @homeassistant http://192.168.1.20:8123
	}

	# Mealie
	@mealie host food.domain.com
	handle @mealie {
		import crowdsec
		#import auth
		reverse_proxy @mealie http://192.168.1.23:9925
	}

	# Meshcentral
	@meshcentral host remote.domain.com
	handle @meshcentral {
		import crowdsec
		#import auth
		reverse_proxy @meshcentral http://192.168.1.17:8443
	}

	# Fallback for otherwise unhandled domains
	handle {
		abort
	}
}

I’m curious, are you using any services in a container?

Proxmox LXC containers and 1-2 Docker containers.

Are these containers using the host network?

Hmm, yes!

Since you made it sound like you want recommendations for better security, host networking kinda ruins the security aspect of containerization.

Bridge networking (default) is better since it relies on ports to communicate on the local network. Even better is using a socket-activated socket for networking, but I don’t think Docker can do that. Maybe I’m wrong.

Anyway, moving away from host networking, and even having an internal network for local services, is much more secure.

If you’d like even more security, Podman is daemonless and can run in rootless mode. And sockets are possible with Caddy in Podman which reduces resource usage and allows multiple applications to use that port if needed.

This is just a summary of a whole bunch you can do, so if you’d like more info, let me know.
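As an added illustration of the bridge-plus-internal-network layout described in the reply above (not part of the original reply), a Docker Compose file in which only Caddy publishes ports and the backends sit on an internal network; the service names, image tags and Caddyfile path are assumptions:

```yaml
# Added example: Caddy on a bridge network that publishes 80/443,
# backends on an internal network that publishes nothing.
# Service names, images and the Caddyfile path are assumptions.
services:
  caddy:
    image: caddy:2
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"   # HTTP/3
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
    networks:
      - edge      # reachable via the published ports only
      - backend   # lets Caddy reach the apps by service name

  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    networks:
      - backend   # no "ports:" entry: unreachable from the LAN

  authelia:
    image: authelia/authelia:latest
    networks:
      - backend
      # add "edge" too if the app needs outbound access (e.g. SMTP),
      # because an internal network has no route to the outside

networks:
  edge:
    driver: bridge
  backend:
    driver: bridge
    internal: true   # no default gateway; only members can talk to it

volumes:
  caddy_data:
```

With this layout the reverse_proxy upstreams in the Caddyfile become service names, for example reverse_proxy homepage:3000, and the LAN IPs no longer need to be exposed at all.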

I appreciate the answer but I was asking regarding my caddy configuration and if I should consider changing anything in my config file.

9/10 of the stuff I run is unprivileged in Proxmox, so I'm fine.