How secure is ipfilter?

(Dmitriy Panteleyev) #1

I have a public DNS entry (for auto-ssl) that points to a Caddy server proxying a bunch of internal services.

I do NOT want any of these services accessible from outside of the local network. Currently I use the http.ipfilter plugin and allow only LAN address ranges.

My question is: how safe is this? Is this opening too large an attack surface for my internal network? Is this plugin easily circumvented with IP spoofing, etc.?


(Magikstm) #2

I would set that at server level with firewall rules.

It would be way safer than with a plugin.

(Matt Holt) #3

I second @magikstm. You could also instead bind Caddy to only LAN/internal interfaces, rather than a public socket, if it’s that important. (Of course, it’ll still need to use public interfaces for ACME challenges, unless you use the DNS challenge.)
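The binding approach suggested in the post above, shown next to the plugin-only setup from the question. This is an added example, not configuration posted by anyone in the thread. It assumes Caddy v1 Caddyfile syntax (the version that names the plugin `http.ipfilter`); the hostname, LAN addresses, upstream and DNS provider are placeholders.

```caddyfile
# Two alternative versions of the same site block; load only one of them.
# All names and addresses below are placeholders.

# Version A: plugin-only filtering (the setup described in the question).
# Caddy listens on every interface, so requests from the internet still reach
# the server process and are accepted or rejected by the ipfilter rule.
internal.example.com {
    ipfilter / {
        rule allow
        ip 192.168.0.0/16 10.0.0.0/8
    }
    proxy / 192.168.1.20:8080
}

# Version B: bind the site to the LAN address only.
# No listening socket exists on the public address for this site, so the
# restriction no longer depends on a request-level check.
internal.example.com {
    bind 192.168.1.10            # LAN address of the Caddy host (placeholder)
    tls {
        # DNS challenge, so ACME validation needs no public listener.
        # Requires the matching tls.dns.* plugin and its credentials.
        dns cloudflare           # example provider
    }
    proxy / 192.168.1.20:8080
}
```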

(Dmitriy Panteleyev) #4

Well, I am using Caddy to serve some public web sites too…

I guess I’ll figure something else out. Thanks!