I have a public DNS entry (for auto-ssl) that points to a Caddy server proxying a bunch of internal services.
I do NOT want any of these services accessible from outside of the local network. Currently I use the http.ipfilter plugin and allow only LAN address ranges.
My question is: how safe is this? Is this opening too large an attack surface for my internal network? Is this plugin easily circumvented with IP spoofing, etc.?
I second @magikstm. You could also instead bind Caddy to only LAN/internal interfaces, rather than a public socket, if it’s that important. (Of course, it’ll still need to use public interfaces for ACME challenges, unless you use the DNS challenge.)
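The bind-to-LAN setup suggested in the reply above, written out as an added Caddyfile example; it is not from the original thread or from the Caddy project. It assumes Caddy v2 Caddyfile syntax (the thread's http.ipfilter is a Caddy v1 plugin), a hypothetical hostname `home.example.com`, a LAN address of `192.168.1.10` for the Caddy host, the Cloudflare DNS module compiled into the binary, an API token exported as `CF_API_TOKEN`, and an internal app on `127.0.0.1:8080`; change these to match your network.

```caddyfile
# Added example, not from the thread. Assumptions: Caddy v2, LAN address
# 192.168.1.10, cloudflare DNS module built in, CF_API_TOKEN exported,
# hypothetical hostname and backend.
home.example.com {
    # Listen only on the LAN interface address, not on 0.0.0.0 / [::].
    # The public DNS name can still point at your WAN IP; nothing answers there.
    bind 192.168.1.10

    # DNS-01 challenge: issuance proves control via a TXT record, so no inbound
    # connection from the CA is needed and ports 80/443 stay closed on the WAN.
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Defense in depth: keep a source-address allowlist so that a stray
    # port-forward or a later change to `bind` does not silently expose the apps.
    @lan remote_ip private_ranges
    handle @lan {
        reverse_proxy 127.0.0.1:8080
    }
    handle {
        respond 403
    }
}
```

After reloading, confirm the listener with `ss -ltnp | grep caddy` (or `netstat -an`): you want `192.168.1.10:443`, not `*:443` or `[::]:443`. The `remote_ip` matcher tests the address of the TCP peer, and a completed TLS handshake over the internet cannot be obtained with a forged source address, so the allowlist is not bypassed by plain IP spoofing; it only becomes weak if a filter is configured to trust client-supplied headers such as X-Forwarded-For, which this example does not do.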