Caddyfile mostly working, a handful of questions

1. The problem I’m having:

Allowing internal network to access and setting up logging, as well as tweaking my Caddyfile with any recommendations.

2. Error messages and/or full log output:

No error messages.

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

a. System environment:

Windows 10, downloaded the Caddy exe

b. Command:

caddy run

c. Service/unit/compose file:

d. My complete Caddy config:

```caddyfile
myserv.sytes.net {
    @blocked not remote_ip 104.20.55.2 192.168.1.140
    respond @blocked "Server is down" 403

    redir /jellyfin /jellyfin/

    reverse_proxy /jellyfin/* 192.168.1.222:8096
    reverse_proxy 192.168.1.222:5055
}
```

5. My questions

  1. When running, this is intended to allow the public IP and private IP listed. It works for the external address, but not internal.

  2. Does Caddy automatically redirect http attempts? It seems like it does but I did not specify in my Caddyfile.

  3. Regarding cert generation, if the server doesn’t go down for a long time, should I expect the cert will eventually expire? Otherwise, does it make a new cert each launch?

  4. Are there any other considerations for my Caddyfile? Anything for vulnerabilities or to stop malicious attempts at connecting other than my block? I saw some post online about X-Content-Type-Options “nosniff” and X-Frame-Options “DENY”. Are there recommended additions such as these?

  5. I saw a command for tls internal in one example that I tried, but that asked me to accept a cert when I ran Caddy. Is this if I wanted to run a self signed cert?

  6. Using Windows, any ‘cleaner’ way to run Caddy on boot other than dropping a .bat file in my startup programs?

  7. What do I need to do to set up a simple log? Ideally each allow or deny.

Thank you for your assistance!

Am I unable to edit my post?

I’ve figured out #1 and #7, but would love some input on 2-6.

Thank you.

WRT #6 I suggest you use nssm.

Hi, welcome!

Great! I could post the solutions here, but would you mind doing that so others can know for sure a solution when they search with the same questions?

Yes.

Caddy keeps certs renewed regardless of when it is stopped. It won’t renew while it’s stopped, of course, but it will renew immediately upon restarting it if the cert is expiring soon or expired. And while it’s running it keeps certs renewed.

That’s a big question, and only you or a security consultant can really answer that. Most of the security issues will be related to your backend apps and what they require or are vulnerable to. I’d recommend researching any security configuration before adding it to your Caddyfile to ensure it won’t break anything. Some configs can brick your site for a prolonged period of time.

Yes. Caddy installs its own CA into your system’s trust store(s) so you won’t get browser warnings. Caddy will use its own certs automatically for certain hostnames (like localhost or *.localhost, etc) that are obviously internal, even without needing tls internal.

Sure! The private address (#1) was actually not coming through as a private address (which I found out once I enabled logging! - #7). I was using the external URL, so traffic was going out and back in, reporting my public IP. I just added that to the allowed list and it worked.

For #7, this was what I used to enable logging to a file and the console:

```caddyfile
log {
	output stderr
	output file caddylog.txt
	level info
}
```

Understood. Since I am only allowing trusted hosts, I was more wondering if there was anything the blocked hosts could do to bypass Caddy, or anything along those lines that I would want to track / alert on.

Thank you!!
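The following Caddyfile is an added example that ties together question 4 (the header suggestions), question 7 (logging every allow or deny) and the follow-up about what blocked hosts could do; it is not the poster's configuration or anything from the Caddy project. The hostname, the public address 203.0.113.10 (a documentation address standing in for the poster's real one), the 192.168.1.0/24 range and the `access.log` path are all assumptions; listing individual hosts, as the poster did, is tighter than a whole subnet.

```caddyfile
# Added example for this thread, not the poster's config. Addresses and
# hostname are placeholders.
example.sytes.net {
	# Allowlist by TCP peer address. remote_ip compares the address of the
	# socket that connected, so a blocked client cannot talk its way past
	# the check with X-Forwarded-For or similar headers.
	@blocked not remote_ip 203.0.113.10 192.168.1.0/24

	# handle blocks are mutually exclusive: the matched one runs first and
	# the bare one is the fallback, so nothing below (not even the redir)
	# runs for a denied client. A bare 403 body reveals nothing about the
	# apps behind the proxy.
	handle @blocked {
		respond 403
	}

	handle {
		# Headers from question 4, applied only to allowed traffic. Try each
		# one against the backend apps first; DENY can break embedded players.
		header {
			X-Content-Type-Options nosniff
			X-Frame-Options DENY
			Referrer-Policy strict-origin-when-cross-origin
			# Drop the Server header so the proxy does not advertise itself.
			-Server
		}

		redir /jellyfin /jellyfin/
		reverse_proxy /jellyfin/* 192.168.1.222:8096
		reverse_proxy 192.168.1.222:5055
	}

	# One access log for the site. Every request, allowed or denied, lands
	# here with its remote_ip and status; denials are the entries with
	# status 403, which is what to filter or alert on.
	log {
		output file access.log {
			roll_size 10MiB
			roll_keep 5
		}
		format json
		level INFO
	}
}
```

One caveat on the allowlist: `remote_ip` is the right matcher only while Caddy is the first hop. If a CDN or another reverse proxy ever sits in front of it, every request arrives from that proxy's address, and the check has to move to the `client_ip` matcher together with a `trusted_proxies` setting so that only the proxy's forwarded address is believed.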
