1. Caddy version (caddy version):
2.4.6 (Latest)
2. How I run Caddy:
I am running it inside a Docker container. I just supply the Caddyfile and the ssl folder to the Docker mount path, and then I start my container using the command below.
a. System environment:
Docker on Ubuntu v20 on Azure VM.
b. Command:
docker-compose up
c. Service/unit/compose file:
version: "3.7"
services:
  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy/caddy-data/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/ssl:/etc/caddy/ssl
      # - /data/caddy/data:/data # Optional
      # - /data/caddy/config:/config # Optional
    networks:
      - primary-net
networks:
  primary-net:
d. My complete Caddyfile or JSON config:
portainer.winoff.ml {
	tls /etc/caddy/ssl/winoffrg.ml/cert.pem /etc/caddy/ssl/winoffrg.ml/cert.key {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/ssl/origin-pull-ca.pem
		}
	}
	reverse_proxy portainer:9000
}
3. The problem I'm having:
- I want to block access to the site by direct IP address. For example, if someone enters by IP address, I just shouldn't resolve the request and should simply block it with error code 444, and allow access only by hostname. I also don't want someone to open Postman, manually set the Host header and get the response.
- Currently, whenever I curl the IP address of the server, the response in the terminal is
* Trying 20.198.67.202:443...
* TCP_NODELAY set
* connect to 20.198.67.202 port 443 failed: Connection timed out
* Failed to connect to 20.198.67.202 port 443: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to 20.198.67.202 port 443: Connection timed out
and in the browser the response is ERR_SSL_PROTOCOL_ERROR.
4. Error messages and/or full log output:
{"level":"error","ts":1644679326.8757384,"logger":"http.log.error","msg":"dial tcp: lookup portainer on 127.0.0.11:53: server misbehaving","request":{"remote_addr":"172.70.189.146:28474","proto":"HTTP/2.0","method":"GET","host":"portainer.winoff.ml","uri":"/favicon.ico","headers":{"X-Forwarded-For":["2405:201:4022:30c1:7d32:c499:1dba:e7af"],"Sec-Ch-Ua":["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"98\", \"Google Chrome\";v=\"98\""],"Sec-Fetch-Mode":["no-cors"],"Accept-Language":["en,en-US;q=0.9"],"Cookie":["cf_use_ob=0"],"Sec-Fetch-Dest":["image"],"Cdn-Loop":["cloudflare"],"Cf-Connecting-Ip":["2405:201:4022:30c1:7d32:c499:1dba:e7af"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip"],"Cf-Ray":["6dc6cf8009856bf7-SIN"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Cf-Ipcountry":["IN"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Dnt":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"],"Referer":["https://portainer.winoff.ml/"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"portainer.winoff.ml","client_common_name":"origin-pull.cloudflare.net","client_serial":"590972600064187615923117765527414994083281880359"}},"duration":0.009194602,"status":502,"err_id":"v0iqkc87m","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"}
5. What I already tried:
6. Links to relevant resources:
- Filtering direct IP accesses - #4 by francislavoie
- https://github.com/caddyserver/caddy/issues/3815
7. Other Information:
- My DNS is managed by Cloudflare, where I have just added an A record for portainer.winoff.ml pointing to 20.198.67.202.
- On portainer.winoff.ml I am getting the correct response. If Issue A is solved I believe B will also be solved automatically. I just don't want anyone to access the site from the IP address.
- On Azure, only port 443 is open.
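Added example, not part of the poster's configuration: one way to express the two requirements above in a Caddyfile for Caddy 2.4.x. It keeps the poster's mTLS site block unchanged and adds two things: the `strict_sni_host` server option, so a request is only routed to the `portainer.winoff.ml` block when the TLS SNI sent in the ClientHello also says `portainer.winoff.ml` (a client that connects to the bare IP and forges the Host header is rejected), and a catch-all `https://` block that completes the handshake with an internally issued certificate and then drops the connection with `abort`, which is Caddy's counterpart to nginx's non-standard 444. The certificate paths are the ones from the poster's Caddyfile; the availability of `strict_sni_host` and of a host-less `https://` site block in 2.4.6 is assumed and should be checked against the release notes.

```caddyfile
{
	servers {
		# Require the HTTP Host header to match the TLS SNI; without this a client
		# could connect to the IP (no SNI, no client cert asked for) and still reach
		# the mTLS site by setting "Host: portainer.winoff.ml" (assumed option name).
		strict_sni_host
	}
}

portainer.winoff.ml {
	# Poster's original site block, unchanged: Cloudflare origin-pull client cert required.
	tls /etc/caddy/ssl/winoffrg.ml/cert.pem /etc/caddy/ssl/winoffrg.ml/cert.key {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/ssl/origin-pull-ca.pem
		}
	}
	reverse_proxy portainer:9000
}

# Catch-all for everything else on :443 (direct IP access, unknown hostnames).
# "tls internal" lets the handshake complete with a self-signed cert instead of
# failing with ERR_SSL_PROTOCOL_ERROR; "abort" then closes the connection with
# no HTTP response, the behaviour nginx users know as status 444.
https:// {
	tls internal
	abort
}
```

Two things worth noting when testing this. First, `curl https://20.198.67.202/` will now get a TLS handshake (with a certificate warning) followed by an empty reply, rather than the connection timeout shown above; the timeout in the poster's curl output is a network-level symptom (nothing answered on 443 for that path), not something a Caddyfile can produce. Second, the logged 502 is a separate problem: the error line shows Caddy failing to resolve the upstream name `portainer` through Docker's embedded DNS at 127.0.0.11, which means the `portainer` container is not reachable on the `primary-net` network from the Caddy container; blocking direct-IP access does not change that.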