Have caddy check with DDNS

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

a. System environment:

Windows 11 Pro

b. Command:

cd C:\caddy
caddy run

c. My complete Caddy config (removed domain; unnecessary for issue):

example.com {
	@teammember {
		remote_ip forwarded (IP here)
	}
	encode gzip
	log {
		output file C:\caddy\logs\jellyfin_access.log {
			roll true            # Rotate logs, enabled by default
			roll_size_mb 5       # Set max size 5 MB
			roll_gzip true       # Whether to compress rolled files
			roll_local_time      # Use localhost time
			roll_keep 2          # Keep at most 2 log files
			roll_keep_days 7     # Keep log files for 7 days
		}
	}
	handle @teammember {
		reverse_proxy localhost:8096
	}
	respond "You are attempting to access protected resources!" 403
}

3. The problem I’m having:

I can forward the public IPs of my machines but I want to set it up so that it somehow can check with a DDNS provider like NOIP. Say I have X domain for my PC and Y for my Phone, is there a way of making Caddy check and allow that? I want this so that I can access my Media Server from the outside while making it so that only I can access it. Is this even possible?

4. What I already tried:

Using the domain made on NOIP and putting it after remote_ip forwarded didn’t work.

The best way to protect access is with authentication. And it seems like you’re using Jellyfin, which does have its own authentication, so what you’re trying to do seems pointless. Just make sure accounts in your Jellyfin instance use strong passwords.

1 Like

Totally understand that, but I’m trying to build on redundancy here. Call it paranoia if you will but the more layers of security I can add the better, hence why I’m trying to set up something like that. Thanks for the comment.

I think what you’re asking here is:

Can you have your server, every time a request comes in, check DNS for ddns-computer.example.com and ddns-phone.example.com, and then use the resultant IPs as an allowlist for access?

I can’t think of any tools that would serve this functionality out of the box. I do think that writing a custom Caddy module for this purpose would be extremely straightforward, though. In concept it’s just forward auth, except instead of checking in with an authenticating server, it’s checking with DNS to build a dynamic allowlist.

That said, if the existing authentication does not suffice… my strong recommendation is to just use WireGuard. (Or Tailscale, or ZeroTier.) Allowlisting your own secured network then becomes beyond trivial, and you’re encrypted and secure to boot. They all come with mobile apps, and it’s not like you don’t already need to install software on your clients anyway (DDNS clients); why not an actual secure VPN too?

2 Likes
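
The DNS-backed allowlist idea from the reply above, as an added Go example (not code from this thread, from Caddy, or from any plugin). `DNSAllowlist` and its fields are hypothetical names, the resolver is injected so the block runs offline, and the record is constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// DNSAllowlist (hypothetical name) admits a client only if its IP is one the
// configured DDNS hostnames currently resolve to.
type DNSAllowlist struct {
	Hosts   []string
	TTL     time.Duration // how long a resolved set is reused before re-resolving
	Lookup  func(ctx context.Context, host string) ([]netip.Addr, error)
	mu      sync.Mutex
	allowed map[netip.Addr]bool
	expires time.Time
}

// Allowed checks the connection's peer IP (not a client-supplied header) against the cached set.
func (a *DNSAllowlist) Allowed(ctx context.Context, ip netip.Addr, now time.Time) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if now.After(a.expires) { // cache expired: rebuild once instead of resolving per request
		fresh := make(map[netip.Addr]bool)
		for _, h := range a.Hosts {
			addrs, err := a.Lookup(ctx, h)
			if err != nil {
				continue // fail closed: an unresolvable host contributes no IPs
			}
			for _, addr := range addrs {
				fresh[addr.Unmap()] = true // treat ::ffff:a.b.c.d as a.b.c.d
			}
		}
		a.allowed, a.expires = fresh, now.Add(a.TTL)
	}
	return a.allowed[ip.Unmap()]
}

func main() { // constructed record; the hostname is the placeholder used in the thread
	al := &DNSAllowlist{Hosts: []string{"ddns-phone.example.com"}, TTL: time.Minute,
		Lookup: func(context.Context, string) ([]netip.Addr, error) {
			return []netip.Addr{netip.MustParseAddr("203.0.113.7")}, nil
		}}
	fmt.Println(al.Allowed(context.Background(), netip.MustParseAddr("203.0.113.7"), time.Now()))
	fmt.Println(al.Allowed(context.Background(), netip.MustParseAddr("198.51.100.9"), time.Now()))
}
```

For real lookups, `Lookup` can wrap `net.DefaultResolver.LookupNetIP(ctx, "ip", host)`. After a DDNS update the old address stays allowed until the TTL runs out, so the TTL bounds both the lockout and the stale-entry window.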

Thank you for the comment, thanks for the recommendations. I’m not that good with Caddy, I just copy some code here and there and try to make it work so writing a module wouldn’t work for me.

I’ll take a look into WireGuard and also Authelia while I’m at it, I’d rather have two Authenticators over one.

Not sure if I fully got the problem at hand, but the caddy-remote-host plugin might potentially be what you’re looking for?

4 Likes

That is exactly what I needed, I really did not do a good job at explaining what I wanted but you nailed it. Thanks a bunch!

Dang, the stuff you find out there sometimes! This one’s been around for a year, too. Nice!

1 Like

Disclaimer: I’m the author of it :smile: Glad to help!

4 Likes