Help/Guidance needed on file_server

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

caddy.service file (not API)

or

caddy start/stop/reload

a. System environment:

Raspberry Pi (Raspbian Buster Lite)
Open Media Vault 5
Portainer
(Home NAS)

b. Command:

N/A

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

mydomain.duckdns.org {
  log {
    output file /var/log/caddy.log
    format console
  }
  @internal {
    remote_ip 192.168.0.0/16
  }
  handle @internal {
    reverse_proxy 127.0.0.1:9000
  }
  respond 403
}
jellyfin.mydomain.duckdns.org {
  log {
    output file /var/log/caddy.log
    format console
  }
  reverse_proxy 127.0.0.1:8096
}
omv.mydomain.duckdns.org {
  reverse_proxy 127.0.0.1:81
}
nas.mydomain.duckdns.org {
  root * /srv/dev-disk-by-label-HomeDrive/
  file_server browse
}

3. The problem I’m having:

Hello all, I am trying to figure out the best method for me to access the files on my home drive from anywhere. Well, that was actually the easy part, but unfortunately I made it accessible to anyone that finds my domain address.

What I’m hoping to get help with is setting up some kind of security (usrname, passwd) or access for only certain IP addresses. I’m not sure if using a DNS is the proper way to securely access my files or if I should be using SFTP or some other form of file transfer.

Does Caddy have an option to only allow access by IP or a password enable function? I would like to use an app I have on my phone called FileExplorer which has many file transfer options available, but they require a ‘host’ which, if I used my local address, would only give me access while internal to my network. Is there some other way I should be enabling a usr/passwd option so when someone stumbles across my DNS they can’t access my files?

Thank you in advance.

4. Error messages and/or full log output:

N/A

5. What I already tried:

Adding file_server to my caddyfile with hide. Looking up options for this but not finding any methods using the installed programs I have.

6. Links to relevant resources:

Yeah, you can easily block by IP – you’re actually doing that in your Caddyfile already!

@block {
	not remote_ip <your IP>
}
respond @block 403

You can password protect with the basicauth directive:

Doh! So it is as simple as throwing a ‘not’ on remote_ip.

Thank you so much. I appreciate the help.

@francislavoie I have another question about the remote_ip.

Here’s my updated caddyfile:

nas.mydomain.duckdns.org {
  root * /srv/dev-disk-by-label-HomeDrive/
  file_server browse
  encode gzip
  basicauth {
    <username> <hashbrown64>
  }
  @iPhone {
    not remote_ip my.home.public.address/32
  }
  respond @iPhone 403
}

So because my iPhone seems to get a new IP address every week I don’t want to use its address. I have Wireguard set up on my server and iPhone for a direct tunnel to the house. I tried using the Peer address (10.13.13.1) which didn’t work, but since it’s routing through my home network I am able to use my house’s public IP address in the caddyfile to access nas.mydomain.duckdns.org from my iPhone.

The problem is that it does not prompt me for a login username and password; it takes me directly to the files.

Is this a normal function of using the remote_ip matcher? If someone were to spoof my IP address they would then be allowed unrestricted access to my hard drives, correct?

Without the remote_ip matcher I do get prompted for a username and password but then the problem is any device can find the website.

Any advice?

Thank you

Fixed it. I had to clear my browser history/cache. Once I did that it prompted me for login.

Great! Glad you figured it out. I was stumped when I read your reply earlier.
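
A quick check for the situation this thread started with, a file_server site that has neither basicauth nor a remote_ip restriction. This is an added example, not part of the original posts or of Caddy; the function names are hypothetical, and the line-based parser assumes one directive per line with braces placed as in the Caddyfiles above.

```python
# Added example, not part of Caddy: heuristic audit of a Caddyfile.
# Assumes one directive per line, "{" ending a line, "}" on its own line,
# and no global options block or snippets.
CONTROLS = ("basicauth", "remote_ip")  # the two controls discussed in the thread

def site_tokens(caddyfile):
    """Map each site address to the set of words used inside its block."""
    sites, current, depth = {}, None, 0
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{"):
            current = line[:-1].strip()          # site address opens a block
            sites[current] = set()
        elif depth > 0 and line != "}":
            sites[current].update(line.rstrip("{").split())
        depth += line.endswith("{") - (line == "}")
    return sites

def missing_controls(caddyfile):
    """Return {site: [absent controls]} for sites that use file_server.

    Presence check only: it does not prove the matcher actually gates
    the file server, so treat a clean result as a hint, not a guarantee.
    """
    report = {}
    for site, words in site_tokens(caddyfile).items():
        if "file_server" in words:
            absent = [c for c in CONTROLS if c not in words]
            if absent:
                report[site] = absent
    return report

# Sample inputs built from the Caddyfiles in this thread (placeholders kept).
ORIGINAL = """
jellyfin.mydomain.duckdns.org {
  reverse_proxy 127.0.0.1:8096
}
nas.mydomain.duckdns.org {
  root * /srv/dev-disk-by-label-HomeDrive/
  file_server browse
}
"""
UPDATED = ORIGINAL.replace("file_server browse", """file_server browse
  basicauth {
    <username> <hashbrown64>
  }
  @iPhone {
    not remote_ip my.home.public.address/32
  }
  respond @iPhone 403""")

if __name__ == "__main__":
    print(missing_controls(ORIGINAL), missing_controls(UPDATED))
```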
