How secure is ipfilter?

I have a public DNS entry (for auto-ssl) that points to a Caddy server proxying a bunch of internal services.

I do NOT want any of these services accessible from outside of the local network. Currently I use the http.ipfilter plugin and allow only LAN address ranges.

My question is: how safe is this? Is this opening too large an attack surface for my internal network? Is this plugin easily circumvented with IP spoofing etc?

Thanks.

I would set that at server level with firewall rules.

It would be way safer than with a plugin.

I second @magikstm. You could also instead bind Caddy to only LAN/internal interfaces, rather than a public socket, if it’s that important. (Of course, it’ll still need to use public interfaces for ACME challenges, unless you use the DNS challenge.)
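One way to verify the bind suggestion above is to audit which addresses the internal-only ports are actually listening on. This is an added example, not code from any poster in this thread; it assumes input in the column layout of `ss -H -ltn`, and the sample lines, port numbers and `LAN_NETS` list are constructed for illustration.

```python
import ipaddress

# Assumption: these are the ranges treated as "LAN/internal" for the audit.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample in the layout of `ss -H -ltn` (not taken from the thread).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 192.168.1.10:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2019 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 4096 203.0.113.7:8080 0.0.0.0:*
LISTEN 0 4096 *:9000 *:*
"""

def split_local(field):
    """Split the Local Address:Port column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    return host, int(port)

def classify(host):
    """Return 'wildcard', 'internal' or 'public' for a bind address."""
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:            # 0.0.0.0 or :: listens on every interface
        return "wildcard"
    if any(addr in net for net in LAN_NETS):
        return "internal"
    return "public"

def audit(ss_output, internal_ports):
    """List (host, port, kind) for internal-only ports bound beyond the LAN."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        kind = classify(host)
        if port in internal_ports and kind != "internal":
            findings.append((host, port, kind))
    return findings

if __name__ == "__main__":
    for host, port, kind in audit(SAMPLE_SS, internal_ports={8443, 8080, 9000}):
        print(f"port {port} is bound to {host} ({kind}); expected a LAN address")
```

A wildcard bind is flagged because the socket then accepts connections on every interface, so any restriction has to come from a filter in front of it rather than from the bind address.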

Well, I am using Caddy to serve some public web sites too…

I guess I’ll figure something else out. Thanks!