Paste your config here, replacing this text.
Use `caddy fmt` to make it readable.
DO NOT REDACT anything except credentials.
LEAVE DOMAIN NAMES INTACT.
Make sure the backticks stay on their own lines.
3. The problem I’m having:
I run a bunch of sites on Caddy. For some of them, I’d like to keep the https and certificate un-exposed - unless requested from certain IPs.
How to do this?
I’m getting the sneaking notion it’s not supposed to be done.
4. Error messages and/or full log output:
Paste logs/commands/output here.
USE THE PREVIEW PANE TO MAKE SURE IT LOOKS NICELY FORMATTED.
5. What I already tried:
Mostly just staring at the documentation to no avail.
I’m not sure what to look for.
It seems that once a request to a configured sitename hits the Caddy the certificate is exchanged… which is perfectly fine for most of the sites on Caddy - but not all.
For specific sites I just want only clients from the local network 192.168.1.0/24 to even see the certificate.
I have other sites on the same Caddy where certificates are for all to see and even the existence of a given hostname in Caddy’s config is OK.
Again, everything works for now… except for the small thing about “https only for select clients”.
So how to avoid interacting with a https request with the correct hostname but from the “wrong” client IP?
It is not because I want to serve the site via http instead.
Rather, I want to keep that site hidden in all ways except for the intended.
If the site is defined in the configuration, I get a proper certificate for that site the way my config looks like now (which leaks its existence).
Basically, I want to block or dismantle the request before certificate exchange takes place so the existence of the site isn’t leaked.
Sticking remote_ip in there at the top does not parse.
Your idea, however, gave me a new view.
From the documentation on remote_ip:
@denied not remote_ip private_ranges
abort @denied
This gives an “error” but not the same error as a truly unconfigured hostname.
I think that perhaps it would be better to run another Caddy container to handle “internal sites” so that configured sites will not leak (and no; this is not security by obscurity - it’s more a question of keeping things tight). This is done through forwarding rules to :80 and :443 in the firewall based on source IP.
My desire is still to get a request for an “internal site” answered the exact same way as a non-configured name (not in Caddyfile), i.e. the same error.
Okay, you might have your reason you don’t want the world to know your have a website call top.secret.com by getting SSL certificate from public trusted certificate authority. But that doesn’t mean you have to settle for less security by using HTTP. There’re few ways you can get around it.
Option 1: TLS INTERNAL
If you setup secret.local or top.secret.local , it will use locally-trusted CA to produce certificates for the site. secret.local or top.secret.local will not known to external world. But your browser will prompt insecure https connection.
Option 2: wildcard certificate
You can create an empty shell frontpage with error 404 for outside world, but still keep your LAN HTTPS happy for other services, without publish your subdomain ( only the main domain ). Caddy will only obtain 1 time SSL certificate
Option 3 : Disable WAN 443 port
Disable all port 443 forwarding from WAN side. I believe you are still able to get SSL certificate with just port 80 open. In this case, only internal LAN will be able to access site through HTTPS
Or if you really paranoid, you can combine all 3 option into one
You can use the abort directive to close the connection as soon as possible when a certain request matcher matches, but people will still know something exists there because the TLS handshake succeeded before Caddy could cancel the connection.
What you can do instead is use firewall software to block connections before they even reach Caddy.
