How to only allow certain IPs to access a subdomain?

1. The problem I’m having:

I’d like to be able to access a certain service on my server, but only through a LAN IP. I was able to achieve this with nginx reverse proxy, but I’m having trouble doing it here. Everytime I try to access it from a LAN IP, it says “403 Access Denied”. I’m afraid I lack the knowledge to successfully do this in Caddy.
Removing the private import part fixes it, but ofcourse I don’t want this page to be accessible over the whole internet.

2. Error messages and/or full log output:

{"level":"debug","ts":1719324777.0622535,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.1.125","remote_port":"51958","subjects":["subdomain.example.org"],"managed":true,"expiration":1727015763,"hash":"d9caaa5aa6db8dde1f5f0c6517916aa019e1d3f5c18208d01509790cfd7e0e99"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Docker compose

a. System environment:

Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

Docker version 27.0.1, build 7fafd33

b. Command:

docker-compose up -d

c. Service/unit/compose file:

services:
  caddy:
    container_name: caddy
    build: .
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /path/to/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /path/to/docker/caddy/site:/srv
      - /path/to/docker/caddy/data:/data
      - /path/to/docker/caddy/config:/config

networks:
  proxy:
    external: true

d. My complete Caddy config:

{
    email   <MY EMAIL>
    acme_dns cloudflare <CF API KEY>
    debug
}

(private) {
    @allowed {
      remote_ip 192.168.1.0/24
    }
}

example.org {
	reverse_proxy localhost:80
}

subdomain.example.org {
    import private
    reverse_proxy @allowed my-application:8080
    respond / "Access Denied" 403
}

5. Links to relevant resources:

Can you try?

subdomain.example.com {
@denied not remote_ip private_ranges
abort @denied
reverse_proxy my-application:8080
}
1 Like