I have a public DNS entry (for auto-ssl) that points to a Caddy server proxying a bunch of internal services.
I do NOT want any of these services accessible from outside of the local network. Currently I use http.ipfilter plugin and allow only LAN address ranges.
My question is: how safe is this? Is this opening too large an attack surface for my internal network? Is this plugin easily circumvented with IP spoofing etc?