1. The problem I’m having:
I want to restrict incoming traffic to my network to a GeoIP whitelist in my firewall. As I have no requirement to allow incoming connections from the USA, I want to block that country as well. (Current log analysis shows that most traffic brute-forcing known vulnerabilities comes from CN, US and RU.)
My problem, however, is that Caddy requests new certificates from ACME servers, and I get validation requests from US ACME servers, which fail if I block incoming USA traffic.
2. Error messages and/or full log output:
The error message is clear: ACME says it cannot reach my server and thus could not issue the cert.
3. Caddy version:
v2.9.1
4. How I installed and ran Caddy:
a. System environment:
Debian, Proxmox, LXC container
b. Command:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfi
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
mysrv1 {
	reverse_proxy 192.168.x.x:pppp
}

mysrv2 {
	reverse_proxy 192.168.x.x:pppp
}

mysrv3 {
	handle {
		reverse_proxy 192.168.x.x:pppp {
			header_down Strict-Transport-Security "max-age=15552000; includeSubDomains"
		}
	}
}
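The conflict described in the post comes from the challenge type: with the HTTP-01 and TLS-ALPN-01 challenges the ACME CA's validators must open an inbound connection to port 80 or 443, so any firewall rule that drops their source addresses also breaks issuance. The DNS-01 challenge is validated by the CA looking up a TXT record instead, so no inbound connection is needed and the GeoIP whitelist can stay as strict as wanted. The following Caddyfile is an added example, not the poster's configuration; it assumes the zone is hosted at Cloudflare, that the Caddy binary was built with the caddy-dns/cloudflare module, and that the token is supplied through an environment variable named CLOUDFLARE_API_TOKEN (all placeholders for the reader's own setup).

```caddyfile
# Added example, not the original poster's config.
# Assumes Caddy was built with the Cloudflare DNS module, e.g.:
#   xcaddy build --with github.com/caddy-dns/cloudflare
# and that CLOUDFLARE_API_TOKEN (placeholder name) is present in the
# service environment, e.g. via EnvironmentFile= in the systemd unit.

# Global options: use the DNS challenge for every site in this file, so
# certificate issuance never depends on an inbound connection reaching
# the server through the GeoIP-filtered firewall.
{
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}

mysrv1 {
	reverse_proxy 192.168.x.x:pppp
}

# Alternatively, the challenge can be selected per site instead of globally:
mysrv2 {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
	reverse_proxy 192.168.x.x:pppp
}
```

The API token should be scoped to DNS edit rights on that single zone only, since anyone who obtains it can create records and therefore obtain certificates for the domain; keeping it in an EnvironmentFile readable only by the caddy user, rather than in the Caddyfile itself, limits that exposure.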