How to only allow certain IPs to access a subdomain?

1. The problem I’m having:

I’d like to be able to access a certain service on my server, but only through a LAN IP. I was able to achieve this with nginx reverse proxy, but I’m having trouble doing it here. Every time I try to access it from a LAN IP, it says “403 Access Denied”. I’m afraid I lack the knowledge to successfully do this in Caddy.
Removing the private import part fixes it, but of course I don’t want this page to be accessible over the whole internet.

2. Error messages and/or full log output:

{"level":"debug","ts":1719324777.0622535,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"","remote_port":"51958","subjects":[""],"managed":true,"expiration":1727015763,"hash":"d9caaa5aa6db8dde1f5f0c6517916aa019e1d3f5c18208d01509790cfd7e0e99"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Docker compose

a. System environment:

Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

Docker version 27.0.1, build 7fafd33

b. Command:

docker-compose up -d

c. Service/unit/compose file:

services:
  caddy:  # service name is not shown in the post; assumed here
    container_name: caddy
    build: .
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /path/to/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /path/to/docker/caddy/site:/srv
      - /path/to/docker/caddy/data:/data
      - /path/to/docker/caddy/config:/config

networks:
  proxy:
    external: true

d. My complete Caddy config:

    email   <MY EMAIL>
    acme_dns cloudflare <CF API KEY>

(private) {
    @allowed {
} {
	reverse_proxy localhost:80
} {
    import private
    reverse_proxy @allowed my-application:8080
    respond / "Access Denied" 403

5. Links to relevant resources:

Can you try? {
@denied not remote_ip private_ranges
abort @denied
reverse_proxy my-application:8080
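
The deny-by-matcher approach from the reply, written out as a reusable snippet next to a pattern to avoid. This is an added example, not configuration from either poster: `internal.example.com` and `broken.example.com` are placeholder site addresses, `lan_only` is a made-up snippet name, and the "avoid" block is constructed around the `respond /` line that appears in the question.

```caddyfile
# Added example. internal.example.com / broken.example.com are placeholders;
# my-application:8080 is the upstream named in the thread.

# Reusable snippet: reject every client whose address is outside private_ranges.
# private_ranges is Caddy's shortcut for:
#   192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 fd00::/8 ::1
(lan_only) {
	@denied not remote_ip private_ranges
	# Answer with an explicit 403 ...
	respond @denied "Access Denied" 403
	# ... or, as in the reply, drop the connection without any response:
	# abort @denied
}

internal.example.com {
	# abort and respond sort before reverse_proxy in Caddy's default
	# directive order, so the deny rule is evaluated first.
	import lan_only
	reverse_proxy my-application:8080
}

# Pattern to avoid (constructed): the path matcher "/" matches only the exact
# path "/", and respond runs before reverse_proxy. The result is a 403 on "/"
# for every client, LAN included, and no explicit denial on any other path.
#
# broken.example.com {
# 	@allowed remote_ip private_ranges
# 	reverse_proxy @allowed my-application:8080
# 	respond / "Access Denied" 403
# }
```

To check the rule, request `/` and a non-root path from a LAN client and from an outside address and compare the status codes. With the `log` directive enabled, the `remote_ip` field of the access log entry shows the address the matcher evaluated.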