I have a public DNS entry (for auto-ssl) that points to a Caddy server proxying a bunch of internal services.
I do NOT want any of these services accessible from outside of the local network. Currently I use the http.ipfilter plugin and allow only LAN address ranges.
My question is: how safe is this? Is this opening too large an attack surface for my internal network? Is this plugin easily circumvented with IP spoofing, etc.?
I would set that at server level with firewall rules.
It would be way safer than with a plugin.
I second @magikstm. You could also instead bind Caddy to only LAN/internal interfaces, rather than a public socket, if it’s that important. (Of course, it’ll still need to use public interfaces for ACME challenges, unless you use the DNS challenge.)
Well, I am using Caddy to serve some public web sites too…
I guess I’ll figure something else out. Thanks!
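The split suggested in the replies above (internal services on a LAN-only listener with certificates from the DNS challenge, public sites kept on the public address), as an added example that is not from any poster in this thread. It assumes Caddy v1 syntax (matching the http.ipfilter plugin named in the question), a host that holds its own public address, an installed DNS-provider plugin, and placeholder hostnames, addresses and upstreams throughout.

```caddyfile
# Constructed example: every hostname, address and the DNS provider below
# is a placeholder. Assumes the host has a public address (203.0.113.10)
# and a LAN address (192.168.1.10) of its own.

# Public site: bound explicitly to the public address so its listener
# does not overlap with the LAN-only one below.
www.example.com {
    bind 203.0.113.10
    root /var/www/public
}

# Internal service: the listening socket exists only on the LAN address,
# so there is nothing to connect to on the public address for this site.
internal.example.com {
    bind 192.168.1.10

    # DNS challenge: the certificate is issued without any inbound
    # connection from the ACME server. Requires the matching tls.dns
    # provider plugin and its credentials in the environment.
    tls {
        dns cloudflare
    }

    # Kept as a second layer behind the bind, not as the only control.
    ipfilter / {
        rule allow
        ip 192.168.1.0/24
    }

    proxy / 192.168.1.20:8080
}
```

If the host sits behind a router that forwards port 443 to its LAN address, forwarded connections arrive on that same address, so the separation then has to come from the firewall rules suggested in the first reply.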