Have caddy check with DDNS

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

a. System environment:

Windows 11 Pro

b. Command:

cd C:\caddy
caddy run

c. My complete Caddy config (Removed domain. unnecessary for issue):

example.com {
	@teammember {
        remote_ip forwarded (IP here)
	encode gzip
		log {
			output file C:\caddy\logs\jellyfin_access.log {
				roll true				# Rotate logs, enabled by default
				roll_size_mb 5			# Set max size 5 MB
				roll_gzip true			# Whether to compress rolled files
				roll_local_time 	    # Use localhost time
				roll_keep 2				# Keep at most 2 log files
				roll_keep_days 7		# Keep log files for 7 days 
	handle @teammember {
		reverse_proxy localhost:8096 
    respond "You are attempting to access protected resources!" 403

3. The problem I’m having:

I can forward the public IPs of my machines but I want to set it up so that that it somehow can check with a DDNS provider like NOIP. Say I have X domain for my PC and Y for my Phone, is there a way of making Caddy check and allow that? I want this so that I can access my Media Server from the outside while making it so that only I can access it. Is this even possible?

4. What I already tried:

Using the domain made on NOIP and putting it after remote_ip forwarded, didn’t work

The best way to protect access is with authentication. And it seems like you’re using Jellyfin, which does have its own authentication, so what you’re trying to do seems pointless. Just make sure accounts in your Jellyfin instance use strong passwords.

1 Like

Totally understand that, but I’m trying to build on redundancy here. Call it paranoia if you will but the more layers of security I can add the better, hence why I’m trying to setup something like that. Thanks for the comment

I think what you’re asking here is:

Can you have your server, every time a request comes in, check DNS for ddns-computer.example.com and ddns-phone.example.com, and then use the resultant IPs as a allowlist for access?

I can’t think of any tools that would serve this functionality out of the box. I do think that writing a custom Caddy module for this purpose would be extremely straightforward, though. In concept it’s just forward auth, except instead of checking in with an authenticating server, it’s checking with DNS to build a dynamic allowlist.

That said, if the existing authentication does not suffice… my strong recommendation is to just use WireGuard. (Or Tailscale, or ZeroTier.) Allowlisting your own secured network then becomes beyond trivial, and you’re encrypted and secure to boot. They all come with mobile apps, and it’s not like you don’t already need to install software on your clients anyway (DDNS clients); why not an actual secure VPN too?


Thank you for the comment, thanks for the recommendations. I’m not that good with Caddy, I just copy some code here and there and try to make it work so writing a module wouldn’t work for me.

I’ll take a look into WireGuard and also Authelia while I’m at it, I’d rather have two Authenticators over one.

Not sure if I fully got the problem at hand, but the caddy-remote-host plugin might potentially be what you’re looking for?


That is exactly what I needed, I really did not do a good job at explaining what I wanted but you nailed it. Thanks a bunch!

Dang, the stuff you find out there sometimes! This one’s been around for a year, too. Nice!

1 Like

Disclaimer: I’m the author of it :smile: Glad to help!


This topic was automatically closed after 30 days. New replies are no longer allowed.