How to avoid remote_ip repetition?

1. The problem I’m having:

Hello,
I would like to allow only a few specific VLANs to access some subdomains.
How to avoid repeating those remote_ip addresses to make it easier to change?
Is there a way to handle subdomains differently?
Or some kind of variables?

Thanks for your support,

Here is my current working config (with IPs+domains redacted):

(inttls) {
    tls /certs/abs.com/fullchain.cer /certs/abs.com/abs.com.key
}
sub1.abs.com {
  import inttls
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  abort @denied
  reverse_proxy 172.16.88.1:8080
}
sub2.abs.com {
  import inttls
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  abort @denied
  reverse_proxy 172.16.88.2:8080
}
sub3.abs.com {
  import inttls
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  abort @denied
  reverse_proxy 172.16.88.3:8080
}
sub4.abs.com {
  import inttls
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  abort @denied
  reverse_proxy 172.16.88.4:8080
}

2. Error messages and/or full log output:

N.A.

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

NA

a. System environment:

NA

b. Command:

NA

c. Service/unit/compose file:

NA

d. My complete Caddy config:

NA

5. Links to relevant resources:

NA

I read a bit more docs and forums and ended up with this:
At least the allowed remote IPs are not repeated x times across subdomains.
It simplifies the cert part as well.

(inttls) {
    tls /certs/abs.com/fullchain.cer /certs/abs.com/abs.com.key
}
*.abs.com {
  import inttls
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  handle @denied {
    abort
  }
  @sub1 host sub1.abs.com
  handle @sub1 {
    reverse_proxy 172.16.88.1:8080
  }
  @sub2 host sub2.abs.com
  handle @sub2 {
    reverse_proxy 172.16.88.2:8080
  }
  @sub3 host sub3.abs.com
  handle @sub3 {
    reverse_proxy 172.16.88.3:8080
  }
  @sub4 host sub4.abs.com
  handle @sub4 {
    reverse_proxy 172.16.88.4:8080
  }
}

Yes, that works. Note that because you used a wildcard domain, Caddy will try to ask for a wildcard certificate, which requires the DNS challenge, which means you’ll have to compile a custom build of Caddy with the plugin of your DNS provider.

Another way to do it is to list all the domains at the top and keep the conditions inside the block the same. Caddy will get an individual certificate for each one.

Thanks for your feedback Mohammed.
I did use a custom build of Caddy for my DNS provider which works as intended.
Is the subdomain approach preferred (with individual certificates for all subdomains)? What are the advantages of both approaches?
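
A third way to keep the allow-list in one place while leaving each subdomain its own site block, as an added example that is not part of any post in this thread: a snippet that takes the upstream as an import argument. The snippet names lan_only and internal_site are hypothetical; the addresses, paths and hostnames are the ones from the configs above.

```caddyfile
# Added example, not from the thread. Snippets must be defined before
# the site blocks that import them.

(inttls) {
  tls /certs/abs.com/fullchain.cer /certs/abs.com/abs.com.key
}

# The allow-list lives here and nowhere else.
# remote_ip matches the address of the TCP peer connecting to Caddy.
(lan_only) {
  @denied not remote_ip 192.168.0.1/24 192.168.1.1/24
  # abort is ordered before reverse_proxy, so a denied client is dropped
  # before any upstream is contacted. In a site that routes with handle
  # blocks, write `handle @denied { abort }` as the first handle instead:
  # handle is ordered before abort, so a bare abort would run too late.
  abort @denied
}

# {args[0]} is replaced by the first argument passed to import.
(internal_site) {
  import inttls
  import lan_only
  reverse_proxy {args[0]}
}

sub1.abs.com {
  import internal_site 172.16.88.1:8080
}
sub2.abs.com {
  import internal_site 172.16.88.2:8080
}
sub3.abs.com {
  import internal_site 172.16.88.3:8080
}
sub4.abs.com {
  import internal_site 172.16.88.4:8080
}
```

Running `caddy adapt --config Caddyfile` prints the resulting JSON, where each server route should show the remote_ip matcher ahead of the reverse_proxy handler.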