Caddy won't block external traffic while allowing internal

1. The problem I’m having:

Hey Caddy community! I’m not able to block all external traffic while only allowing internal traffic to reach my paperless-ngx. I’m using WireGuard (or rather wg-easy) to establish a VPN to my (VP)Server to access paperless-ngx, but it still sees me as external. Please guide me in the right direction as I am lost (and pretty new to this all).
I should be VPNing into the system with an IP address in the 10.8.0.x/24 network.

2. Error messages and/or full log output:

Oct 11 05:01:04 ubuntu systemd[1]: Starting caddy.service - Caddy...
Oct 11 05:01:04 ubuntu caddy[41609]: caddy.HomeDir=/var/lib/caddy
Oct 11 05:01:04 ubuntu caddy[41609]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Oct 11 05:01:04 ubuntu caddy[41609]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Oct 11 05:01:04 ubuntu caddy[41609]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Oct 11 05:01:04 ubuntu caddy[41609]: caddy.Version=2.6.2
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.GOOS=linux
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.GOARCH=amd64
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.Compiler=gc
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.NumCPU=4
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.GOMAXPROCS=4
Oct 11 05:01:04 ubuntu caddy[41609]: runtime.Version=go1.22.2
Oct 11 05:01:04 ubuntu caddy[41609]: os.Getwd=/
Oct 11 05:01:04 ubuntu caddy[41609]: LANG=C.UTF-8
Oct 11 05:01:04 ubuntu caddy[41609]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin
Oct 11 05:01:04 ubuntu caddy[41609]: NOTIFY_SOCKET=/run/systemd/notify
Oct 11 05:01:04 ubuntu caddy[41609]: USER=caddy
Oct 11 05:01:04 ubuntu caddy[41609]: LOGNAME=caddy
Oct 11 05:01:04 ubuntu caddy[41609]: HOME=/var/lib/caddy
Oct 11 05:01:04 ubuntu caddy[41609]: INVOCATION_ID=66d7a55bab5b4bb88f6a3bf22fc054cf
Oct 11 05:01:04 ubuntu caddy[41609]: JOURNAL_STREAM=8:169544
Oct 11 05:01:04 ubuntu caddy[41609]: SYSTEMD_EXEC_PID=41609
Oct 11 05:01:04 ubuntu caddy[41609]: MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/caddy.service/memory.pressure
Oct 11 05:01:04 ubuntu caddy[41609]: MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.251538,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.2527974,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"warn","ts":1728622864.2529042,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.2530026,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00023bd50"}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.2530506,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.2530708,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00023bd50"}
Oct 11 05:01:04 ubuntu caddy[41609]: {"level":"info","ts":1728622864.253084,"logger":"tls","msg":"finished cleaning storage units"}
Oct 11 05:01:04 ubuntu caddy[41609]: Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: address already in use
Oct 11 05:01:04 ubuntu systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Oct 11 05:01:04 ubuntu systemd[1]: caddy.service: Failed with result 'exit-code'.
Oct 11 05:01:04 ubuntu systemd[1]: Failed to start caddy.service - Caddy.
-- Boot 2595a465e3c44269990175a869d1b10d --
Oct 11 13:51:01 ubuntu systemd[1]: Starting caddy.service - Caddy...
Oct 11 13:51:02 ubuntu caddy[678]: caddy.HomeDir=/var/lib/caddy
Oct 11 13:51:02 ubuntu caddy[678]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Oct 11 13:51:02 ubuntu caddy[678]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Oct 11 13:51:02 ubuntu caddy[678]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Oct 11 13:51:02 ubuntu caddy[678]: caddy.Version=2.6.2
Oct 11 13:51:02 ubuntu caddy[678]: runtime.GOOS=linux
Oct 11 13:51:02 ubuntu caddy[678]: runtime.GOARCH=amd64
Oct 11 13:51:02 ubuntu caddy[678]: runtime.Compiler=gc
Oct 11 13:51:02 ubuntu caddy[678]: runtime.NumCPU=4
Oct 11 13:51:02 ubuntu caddy[678]: runtime.GOMAXPROCS=4
Oct 11 13:51:02 ubuntu caddy[678]: runtime.Version=go1.22.2
Oct 11 13:51:02 ubuntu caddy[678]: os.Getwd=/
Oct 11 13:51:02 ubuntu caddy[678]: LANG=C.UTF-8
Oct 11 13:51:02 ubuntu caddy[678]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin
Oct 11 13:51:02 ubuntu caddy[678]: NOTIFY_SOCKET=/run/systemd/notify
Oct 11 13:51:02 ubuntu caddy[678]: USER=caddy
Oct 11 13:51:02 ubuntu caddy[678]: LOGNAME=caddy
Oct 11 13:51:02 ubuntu caddy[678]: HOME=/var/lib/caddy
Oct 11 13:51:02 ubuntu caddy[678]: INVOCATION_ID=4af3fbc4be9247ff893c8a5d43f26e3d
Oct 11 13:51:02 ubuntu caddy[678]: JOURNAL_STREAM=8:11836
Oct 11 13:51:02 ubuntu caddy[678]: SYSTEMD_EXEC_PID=678
Oct 11 13:51:02 ubuntu caddy[678]: MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/caddy.service/memory.pressure
Oct 11 13:51:02 ubuntu caddy[678]: MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4313338,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4431522,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"warn","ts":1728654662.4433417,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4434328,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002ddb20"}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4441922,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.444988,"logger":"tls","msg":"finished cleaning storage units"}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4455442,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4458385,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Oct 11 13:51:02 ubuntu caddy[678]: {"level":"info","ts":1728654662.4459343,"msg":"serving initial configuration"}
Oct 11 13:51:02 ubuntu systemd[1]: Started caddy.service - Caddy.
Oct 11 14:03:38 ubuntu caddy[678]: {"level":"info","ts":1728655418.9608684,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/stop","remote_ip":"127.0.0.1","remote_port":"42316","headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
Oct 11 14:03:38 ubuntu caddy[678]: {"level":"warn","ts":1728655418.9609518,"logger":"admin.api","msg":"exiting; byeee!! 👋"}
Oct 11 14:03:38 ubuntu caddy[678]: {"level":"info","ts":1728655418.961549,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0002ddb20"}
Oct 11 14:03:38 ubuntu caddy[678]: {"level":"info","ts":1728655418.9617188,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Oct 11 14:03:38 ubuntu caddy[678]: {"level":"info","ts":1728655418.9617305,"logger":"admin.api","msg":"shutdown complete","exit_code":0}
Oct 11 14:03:38 ubuntu systemd[1]: caddy.service: Deactivated successfully.

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 24.04.1 LTS using docker compose version v2.29.7

b. Command:

docker compose up -d

c. Service/unit/compose file:

networks:
    proxy:
        external: true
        name: proxy

services:
    caddy:
        image: caddy:2
        container_name: caddy
        restart: unless-stopped
        cap_add:
            - NET_ADMIN
        ports:
            - 80:80
            - 443:443
        volumes:
            - ./data:/data
            - ./config:/config
            - ./Caddyfile:/etc/caddy/Caddyfile:ro
        networks:
            - proxy

d. My complete Caddy config:

While using the command:

root@ubuntu:~/caddy# docker compose exec caddy caddy fmt
Error: reading input file: open Caddyfile: no such file or directory

Caddyfile:
{
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    email   redacted@m-almeida.de
    debug
}

paperless.m-almeida.de {
    @blocked not remote_ip private_ranges
    respond @blocked 403
    reverse_proxy paperless:8000
}

wireguard.m-almeida.de {
    @blocked not remote_ip private_ranges
    respond @blocked 403
    reverse_proxy wg-easy:51821
}

5. Links to relevant resources:
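
As an added check (example code, not Caddy's and not the poster's), this Python mirrors the `@blocked not remote_ip private_ranges` rule from the Caddyfile above and applies it to the client address Caddy records in its JSON access log, so you can see which address the matcher actually evaluated; it also flags the case where that address is a Docker bridge address rather than the WireGuard peer. The `private_ranges` expansion is Caddy's documented one; the 172.16.0.0/12 Docker heuristic and the sample log lines are assumptions I constructed.

```python
"""Evaluate `@blocked not remote_ip private_ranges` against the address Caddy
observes, read from JSON access-log lines. Added example, not Caddy's code."""
import ipaddress
import json

# Expansion of Caddy's `private_ranges` shorthand (remote_ip matcher docs).
PRIVATE_RANGES = [
    ipaddress.ip_network(c, strict=False)
    for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
              "127.0.0.1/8", "fd00::/8", "::1")
]
# Heuristic (assumption): Docker's default address pools sit in 172.16.0.0/12.
DOCKER_POOL = ipaddress.ip_network("172.16.0.0/12")

def blocked_by_matcher(remote_ip: str) -> bool:
    """True when `not remote_ip private_ranges` matches, i.e. the 403 fires."""
    addr = ipaddress.ip_address(remote_ip)
    return not any(addr in net for net in PRIVATE_RANGES)

def observed_remote_ip(log_line: str) -> str:
    """Client address from a Caddy JSON access-log line. Caddy 2.7+ logs
    request.remote_ip; older builds log request.remote_addr as "ip:port"."""
    req = json.loads(log_line)["request"]
    if "remote_ip" in req:
        return req["remote_ip"]
    host, _, _ = req["remote_addr"].rpartition(":")
    return host.strip("[]")  # "[::1]:1234" -> "::1"

def audit(log_lines):
    """(ip, decision) per line. An 'allowed' verdict for a Docker bridge
    address means Caddy evaluated a NATed source, not the 10.8.0.x peer."""
    results = []
    for line in log_lines:
        ip = observed_remote_ip(line)
        decision = "403" if blocked_by_matcher(ip) else "allowed"
        if ipaddress.ip_address(ip) in DOCKER_POOL:
            decision += " (docker bridge address, client IP lost to NAT)"
        results.append((ip, decision))
    return results

# Constructed sample lines (not from the thread's log); host taken from the Caddyfile.
SAMPLE_LOG = [
    '{"logger":"http.log.access","request":{"remote_ip":"10.8.0.2","remote_port":"51234","host":"paperless.m-almeida.de","uri":"/"},"status":200}',
    '{"logger":"http.log.access","request":{"remote_ip":"203.0.113.7","remote_port":"40001","host":"paperless.m-almeida.de","uri":"/"},"status":403}',
    '{"logger":"http.log.access","request":{"remote_addr":"172.18.0.1:60000","host":"paperless.m-almeida.de","uri":"/"},"status":200}',
]

if __name__ == "__main__":
    for ip, decision in audit(SAMPLE_LOG):
        print(f"{ip:>16}  {decision}")
```

If every line in your real access log shows the same private bridge address instead of a 10.8.0.x peer, the matcher is deciding on the wrong address and no remote_ip rule will distinguish VPN clients from anyone else.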

Howdy @kaalme, welcome to the Caddy community!

Having a look over things, your Caddy config looks pretty good. (Are you specifically wanting to disable ZeroSSL with acme_ca?)

You’ve got debug enabled but your log output doesn’t seem to have any requests whatsoever between starting and being stopped. Are you sure your requests are reaching Caddy and not some other service issuing 403s for some reason?

Edit: Actually, your output should include something like enabling automatic TLS certificate management listing your sites… And I don’t see anything. Also,

The default directory in the Caddy container is /srv so the command you’d need is: docker compose exec caddy caddy fmt /etc/caddy/Caddyfile

1 Like

Not quite, would need -c before the path to the config file for the fmt command, but I recommend this way instead:

docker compose exec -w /etc/caddy caddy caddy fmt

-w sets the current working directory so you don’t need to specify the config since it gets found in the current directory.

Covered here in the docs: Keep Caddy Running — Caddy Documentation

2 Likes

Not per https://caddyserver.com/docs/command-line#caddy-fmt which lists syntax as

caddy fmt [<path>]
	[-w, --overwrite]
	[-d, --diff]

Does the doc need an update? Or are you confusing this with caddy adapt and others which have [-c, --config <path>]?

docker compose exec -w is the winner though for sure.

1 Like

Oh, yeah you’re right, I get them confused between adapt and run needing -c

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.