1. The problem I’m having:
When setting up maxmind_geolocation I can’t block non-IT IPs.
I can either block everyone (if I write error @geo 403 before the reverse_proxy instruction) or no one (if I don't write error @geo 403, but I write reverse_proxy @geo jellyfin:8096).
I tried with my Italian IP and with a VPN service (both US and European IPs).
docker logs caddy gives no errors at all
3. Caddy version:
v2.11.1
4. How I installed and ran Caddy:
docker compose
5. My complete Caddy config:
{
    admin off
    servers {
        client_ip_headers X-Forwarded-For
        trusted_proxies static private_ranges
        trusted_proxies_strict
    }
    order crowdsec before respond
    crowdsec {
        api_url http://crowdsec:8080
        api_key "MYKEY"
        ticker_interval 15s
        appsec_url http://crowdsec:7422
        #disable_streaming
        #enable_hard_fails
    }
    log {
        output file /var/log/caddy/access.log {
            roll_size 30MiB
            roll_keep 5
        }
    }
}

(default-headers) {
    header {
        -frameDeny
        -sslRedirect
        -browserXssFilter
        -contentTypeNosniff
        -forceSTSHeader
        -stsIncludeSubdomains
        -stsPreload
        -stsSeconds 15552000
        -customFrameOptionsValue SAMEORIGIN
        -customRequestHeaders X-Forwarded-Proto https
    }
}

*.test.mydomain.com {
    tls {
        dns cloudflare MYKEY
        propagation_delay 2m
        resolvers 1.1.1.1
    }
    log
    @geo maxmind_geolocation {
        db_path "/etc/caddy/GeoLite2-Country.mmdb"
        allow_countries IT
    }
    @test host *
    @jellyfin host jellyfin.test.mydomain.com
    route @test {
        crowdsec
        appsec
        respond "test"
    }
    route @jellyfin {
        # I can reach jellyfin:8096 with my Italian IP, but I can do that even with a non-IT VPN
        error @geo 403
        crowdsec
        appsec
        reverse_proxy jellyfin:8096
        # I already tried reverse_proxy @geo jellyfin:8096
    }
}
I tried this too (this gives error 403 to everyone, IT and outside):
@geo {
    not maxmind_geolocation {
        db_path "/etc/caddy/GeoLite2-Country.mmdb"
        allow_countries IT
    }
    not remote_ip 172.24.0.0/22 # My container's IPs
}
route @jellyfin {
    error @geo 403
    crowdsec
    appsec
    reverse_proxy jellyfin:8096
}