Check server's public IP

Sirrush · May 20, 2026, 4:25am

1. The problem I’m having:

My google-fu is failing me (thanks AI), I am trying to find out if there is a way within Caddy to automatically update my public IP address (it’s incredibly stable, but I’m not paying for a static IP) for an IP whitelist on some of my services that I don’t want exposed to the internet, but do want valid certs for (purely to get rid of the cert nag).

2. Error messages and/or full log output:

No relevant logs

3. Caddy version:

v2.11.3 h1:/vFbdjcs2DtzcWTIxHybf5R5TspYFFThlZffChyBFHg=

4. How I installed and ran Caddy:

a. System environment:

N/A

b. Command:

systemctl enable caddy
systemctl start caddy

c. Service/unit/compose file:

d. My complete Caddy config:

nas.example.com {
  @allowed client_ip 192.168.0.0/21 my.public.ip.address # <--Can this be a variable that is updated automatically?
  handle @allowed {
    reverse_proxy 192.168.x.x:80
  }
}

5. Links to relevant resources:

steadytao · May 21, 2026, 4:55pm

Caddy will not automatically fetch your public IP for a client_ip matcher.

You could use an env var but it is only read when the config is adapted/reloaded:

@allowed client_ip 192.168.0.0/21 {$HOME_PUBLIC_IP}

So you would need an external script/timer to update the value and reload Caddy.

For this use case, DNS-01 is probably the cleaner answer; get a valid public cert without exposing the service. Then keep access LAN/VPN-only instead of relying on a public-IP allowlist.

Sirrush · May 22, 2026, 3:10am

Honestly, that’s about what I expected, just wanted to be sure - the only reason I was even wondering was because my phone seems to have issues when the external IP isn’t whitelisted.

Definitely something I will have to think about, but not a serious issue overall anyways.

Thank you for the detailed answer!