Caddy does not answer to host in different subnet

1. The problem I’m having:

I'm using Caddy to reverse proxy a Gitea instance to the internet. This is working as intended and without any issues.
When I try to access this site from another subnet, Caddy does not seem to answer any requests. I have a DNS override in OPNsense that redirects my Gitea domain to the internal IP. I can see in the firewall that requests (curl, telnet) are not being blocked between the two nets.

2. Error messages and/or full log output:

No error messages are visible in the Caddy log, even with debug logging enabled. I can however see the connection when using tcpdump.

3. Caddy version:

v2.7.6 with plugins for wildcard DNS validation

4. How I installed and ran Caddy:

a. System environment:

CentOS Stream 9, natively as a systemd service.

b. Command:

systemctl start caddy.service

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

pw.domain1.de {
	@admin {
		path /admin*
	}
	redir @admin /
	reverse_proxy 192.168.169.5:10008 {
		header_up X-Real-IP {remote_host}
	}
	reverse_proxy /notifications/hub 192.168.169.5:10009
	reverse_proxy /notifications/hub/negotiate 192.168.169.5:10008
}

pwadmin.domain1.de {
	import /etc/caddy/caddy_certauth
	reverse_proxy 192.168.169.5:10008/admin
}

todo.domain1.de {
	import /etc/caddy/caddy_securityheaders
	reverse_proxy 192.168.169.5:3456
}

wiki.domain1.de {
	import /etc/caddy/caddy_securityheaders
	reverse_proxy 192.168.169.5:10001
}

gitea.domain2.de {
	import /etc/caddy/caddy_securityheaders
	reverse_proxy 192.168.169.5:3000
}

sync.domain1.de {
	import /etc/caddy/caddy_securityheaders
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	
	reverse_proxy 192.168.169.5:10002
	
}

domain3.de {
	import /etc/caddy/caddy_securityheaders
	@blocked {
		path /xmlrpc.php
	}
	respond @blocked 404
	reverse_proxy 192.168.169.5:10003
}

*.domain2.de {
	tls {
		issuer acme {
			dns netcup {
				customer_number secret
				api_key secret
				api_password secret
			}
			# resolvers used to verify the TXT record before the challenge is attempted
			resolvers 8.8.8.8 1.1.1.1
			# maximum time to wait for the record to propagate
			propagation_timeout 30m
			# time to wait before the first propagation check
			propagation_delay 25m
		}
	}

	@invidious host invidious.domain2.de
	handle @invidious {
		import /etc/caddy/caddy_securityheaders
		reverse_proxy 192.168.169.20:3000
	}

	@beatbump host beatbump.domain2.de
	handle @beatbump {
		import /etc/caddy/caddy_securityheaders
		reverse_proxy 192.168.169.20:3001
	}

	@wedding host wedding.domain2.de
	handle @wedding {
		import /etc/caddy/caddy_securityheaders
		reverse_proxy 192.168.169.5:10006
	}
}

The caddy_securityheaders snippet:

header {
	### caddy security via https://caddyserver.com/docs/caddyfile/directives/header
	# disable FLoC tracking
	Permissions-Policy interest-cohort=()

	# enable HSTS
	Strict-Transport-Security max-age=31536000;

	# disable clients from sniffing the media type
	X-Content-Type-Options nosniff

	# clickjacking protection
	X-Frame-Options DENY

	# keep referrer data off of HTTP connections
	Referrer-Policy no-referrer-when-downgrade

	### additional security via https://cyberhost.uk/caddy-advanced-setup/
	X-XSS-Protection "1; mode=block;"
	X-Robots-Tag none
}

5. Links to relevant resources:

I have found the issue in the meantime.
It turns out the Caddy VM got an additional route via NetBird that was throwing it off. I have modified this and it's working as expected.

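The symptom in this thread (the connection visible in tcpdump, nothing in the Caddy log even at debug level) is the usual signature of an asymmetric route: the SYN arrives on the LAN interface, but the kernel routes the SYN-ACK out through a different interface, here a NetBird tunnel route that happened to cover the client's subnet, so the TCP handshake never completes and no HTTP request ever reaches Caddy. As an added example (not code from the original post, nor from the Caddy or NetBird projects), this POSIX shell snippet checks, for a given client address, whether the reply would leave via the interface the request came in on. The interface names (eth0 for the LAN, wt0 for the NetBird tunnel), the addresses, and the sample `ip route get` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect an asymmetric return route on a Linux host running Caddy.
# When a request arrives on IN_DEV but `ip route get CLIENT_IP` picks another
# device (e.g. a VPN tunnel route), the reply never reaches the client and the
# TCP handshake never completes, so Caddy logs nothing.

# Extract the egress device from one line of `ip route get` output.
# Constructed example input:
#   "10.10.0.5 via 192.168.169.1 dev eth0 src 192.168.169.10 uid 0"  -> eth0
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# check_symmetric IN_DEV ROUTE_LINE
# Returns 0 when the reply would leave via IN_DEV (symmetric routing),
# 1 otherwise. ROUTE_LINE is passed in, not queried, so the logic can be
# exercised offline with constructed lines.
check_symmetric() {
    in_dev="$1"
    route_line="$2"
    out_dev=$(route_dev "$route_line")
    [ -n "$out_dev" ] && [ "$out_dev" = "$in_dev" ]
}

# live_check IN_DEV CLIENT_IP
# Asks the kernel where the reply to CLIENT_IP would go and compares it with
# the interface the request arrived on (take that from tcpdump -i).
# Returns 0 if symmetric, 1 if asymmetric, 2 if the route lookup failed.
live_check() {
    in_dev="$1"
    client_ip="$2"
    route_line=$(ip route get "$client_ip" 2>/dev/null | head -n 1)
    [ -n "$route_line" ] || return 2
    if check_symmetric "$in_dev" "$route_line"; then
        echo "ok: replies to $client_ip leave via $in_dev"
    else
        echo "ASYMMETRIC: request arrives on $in_dev, reply to $client_ip would leave via $(route_dev "$route_line")"
        echo "  route: $route_line"
        return 1
    fi
}

# Stand-alone usage (assumed names): request seen on eth0 from 10.10.0.5.
# live_check eth0 10.10.0.5
```

Run `live_check <lan-interface> <client-ip>` on the Caddy host while the client retries; an ASYMMETRIC result names the interface that is stealing the return traffic, and `ip route show` (or `ip route show table all` for policy-routed tunnels) then shows the offending prefix to remove or narrow.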