1. Caddy version (caddy version):
Caddy V2.1.1
2. How I run Caddy:
I run Caddy with the Caddyfile in /etc/caddy and the systemd service enabled.
a. System environment:
Caddy is installed on a Raspberry Pi 4 running Raspbian Buster. Kernel 4.19.118-v7l+, systemd version 241.
b. Command:
sudo systemctl enable caddy.service
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target
[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
chomsky.ddns.net
reverse_proxy 127.0.0.1:8096
log {
    output file /media/ramdisk/acces.log {
        roll_size 50MiB
        roll_keep 5
        roll_keep_for 48h
    }
}
ipfilter / {
    rule allow
    database /home/pi/ipfilter/testdata/Geolite.mmdb
    country DE
}
3. The problem I’m having:
I use Caddy as a reverse proxy for my Jellyfin media server.
So I want to block repeat offenders trying to access ports 443 and 80 using Fail2ban, or only allow IP addresses from a certain country. The problem with Fail2ban is that there is no Fail2ban module and I don’t have a clue what the failregex should be.
Using the above Caddyfile gives me an error. The Caddyfile without the ipfilter part runs fine.
4. Error messages and/or full log output:
[I] [pi@raspberrypi ~ ]$ sudo systemctl status caddy.service
● caddy.service - Caddy
Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-07-09 09:31:23 CEST; 23s ago
Docs: https://caddyserver.com/docs/
Process: 6490 ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile (code=exited, status=1/FAILURE)
Main PID: 6490 (code=exited, status=1/FAILURE)
Jul 09 09:31:23 raspberrypi caddy[6490]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jul 09 09:31:23 raspberrypi caddy[6490]: HOME=/var/lib/caddy
Jul 09 09:31:23 raspberrypi caddy[6490]: LOGNAME=caddy
Jul 09 09:31:23 raspberrypi caddy[6490]: USER=caddy
Jul 09 09:31:23 raspberrypi caddy[6490]: INVOCATION_ID=fc08e61e021441e382590d299acc5886
Jul 09 09:31:23 raspberrypi caddy[6490]: JOURNAL_STREAM=8:39470
Jul 09 09:31:23 raspberrypi caddy[6490]: {"level":"info","ts":1594279883.6053421,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jul 09 09:31:23 raspberrypi caddy[6490]: run: adapting config using caddyfile: /etc/caddy/Caddyfile:13: unrecognized directive: ipfilter
Jul 09 09:31:23 raspberrypi systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jul 09 09:31:23 raspberrypi systemd[1]: caddy.service: Failed with result 'exit-code'.
5. What I already tried:
I tried the above Caddyfile but the directive ipfilter isn’t recognized so I’m guessing this filter is appropriate for Caddy V1? I found that syntax here: ipfilter/README.md at master · pyed/ipfilter · GitHub
I did clone GitHub - pyed/ipfilter: ipfilter is a middleware for Caddy that blocks or allows requests based on the client's IP
I’ve looked through the Caddy V2 documentation, but all I can find is blocking specific IPs or IP ranges. I did find something related to GeoIP blocking here, but I don’t understand how to use it to block all countries but one.
IMPORTANT
So correct me if I’m wrong but do I have to do a custom build of Caddy using xcaddy?
something like: xcaddy build --with github.com/pyed/ipfilter
Would the ipfilter plugin work then??
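Added example, not part of the original post and not Caddy or Fail2ban code: the repeat-offender check the post wants from Fail2ban, run over JSON access-log lines of the kind the `log` block above writes. It assumes the Caddy v2 entry fields `ts`, `status` and `request.remote_addr` ("ip:port"), and treats 401/403 as failures; the thresholds and sample lines are constructed.

```python
import json
from collections import defaultdict, deque

FAIL_STATUSES = {401, 403}  # assumption: responses treated as failures
MAX_RETRY = 3               # failures needed inside the window to flag an IP
FIND_TIME = 600             # sliding window, in seconds


def client_ip(remote_addr):
    """Drop the port from 'ip:port' or '[ipv6]:port'."""
    host, sep, _port = remote_addr.rpartition(":")
    return host.strip("[]") if sep else remote_addr


def find_offenders(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return IPs with max_retry failures within find_time seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    offenders = []
    for line in lines:
        try:
            entry = json.loads(line)
            status, ts = entry["status"], float(entry["ts"])
            ip = client_ip(entry["request"]["remote_addr"])
        except (ValueError, KeyError, TypeError):
            continue  # not an access-log entry (startup noise, truncation)
        if status not in FAIL_STATUSES:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:  # expire failures outside window
            window.popleft()
        if len(window) >= max_retry and ip not in offenders:
            offenders.append(ip)
    return offenders


def _entry(ts, addr, status):
    """Build one constructed log line in the assumed Caddy v2 shape."""
    return json.dumps({"level": "info", "ts": ts, "msg": "handled request",
                       "request": {"method": "GET", "uri": "/",
                                   "remote_addr": addr}, "status": status})


# Constructed sample input (documentation-range addresses, not real traffic).
SAMPLE = [
    _entry(1000.0, "203.0.113.7:51234", 401),
    _entry(1001.0, "198.51.100.20:40000", 200),
    _entry(1100.0, "203.0.113.7:51240", 401),
    "PATH=/usr/local/sbin:/usr/local/bin",       # non-JSON line is skipped
    _entry(1200.0, "[2001:db8::1]:443", 403),
    _entry(1200.0, "203.0.113.7:51250", 401),    # third failure in window
    _entry(1300.0, "[2001:db8::1]:443", 403),
    _entry(2500.0, "[2001:db8::1]:443", 403),    # earlier failures expired
]
```

Matching on the parsed `remote_addr` and `status` fields rather than on raw text keeps the check independent of JSON key order, which a single-line regex would depend on.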