1. The problem I’m having:
I'm using Caddy to reverse proxy a Gitea instance to the internet. This is working as intended and without any issues.
When I'm trying to access this site via another subnet, Caddy does not seem to answer any requests. I have a DNS override in OPNsense that redirects my Gitea domain to the internal IP. I can see in the firewall that requests (curl, telnet) are not being blocked between the two nets.
2. Error messages and/or full log output:
No error messages are visible in the Caddy log, even with debug logging enabled. I can, however, see the connection when using tcpdump.
3. Caddy version:
v2.7.6 with plugins for wildcard DNS validation
4. How I installed and ran Caddy:
a. System environment:
CentOS 9 Stream, native as a systemd service.
b. Command:
systemctl start caddy.service
c. Service/unit/compose file:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
pw.domain1.de {
    @admin {
        path /admin*
    }
    redir @admin /
    reverse_proxy 192.168.169.5:10008 {
        header_up X-Real-IP {remote_host}
    }
    reverse_proxy /notifications/hub 192.168.169.5:10009
    reverse_proxy /notifications/hub/negotiate 192.168.169.5:10008
}

pwadmin.domain1.de {
    import /etc/caddy/caddy_certauth
    reverse_proxy 192.168.169.5:10008/admin
}

todo.domain1.de {
    import /etc/caddy/caddy_securityheaders
    reverse_proxy 192.168.169.5:3456
}

wiki.domain1.de {
    import /etc/caddy/caddy_securityheaders
    reverse_proxy 192.168.169.5:10001
}

gitea.domain2.de {
    import /etc/caddy/caddy_securityheaders
    reverse_proxy 192.168.169.5:3000
}

sync.domain1.de {
    import /etc/caddy/caddy_securityheaders
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    reverse_proxy 192.168.169.5:10002
}

domain3.de {
    import /etc/caddy/caddy_securityheaders
    @blocked {
        path /xmlrpc.php
    }
    respond @blocked 404
    reverse_proxy 192.168.169.5:10003
}

*.domain2.de {
    tls {
        issuer acme {
            dns netcup {
                customer_number secret
                api_key secret
                api_password secret
            }
            resolvers 8.8.8.8 1.1.1.1
            propagation_timeout 30m
            propagation_delay 25m
        }
    }

    @invidious host invidious.domain2.de
    handle @invidious {
        import /etc/caddy/caddy_securityheaders
        reverse_proxy 192.168.169.20:3000
    }

    @beatbump host beatbump.domain2.de
    handle @beatbump {
        import /etc/caddy/caddy_securityheaders
        reverse_proxy 192.168.169.20:3001
    }

    @wedding host wedding.domain2.de
    handle @wedding {
        import /etc/caddy/caddy_securityheaders
        reverse_proxy 192.168.169.5:10006
    }
}
The caddy_securityheaders snippet:
header {
    ### caddy security via https://caddyserver.com/docs/caddyfile/directives/header
    # disable FLoC tracking
    Permissions-Policy interest-cohort=()
    # enable HSTS
    Strict-Transport-Security max-age=31536000;
    # disable clients from sniffing the media type
    X-Content-Type-Options nosniff
    # clickjacking protection
    X-Frame-Options DENY
    # keep referrer data off of HTTP connections
    Referrer-Policy no-referrer-when-downgrade
    ### additional security via https://cyberhost.uk/caddy-advanced-setup/
    X-XSS-Protection "1; mode=block;"
    X-Robots-Tag none
}