IP filtering does not behave as expected

1. Caddy version (caddy version): 2.3.0

2. How I run Caddy:

Behind a firewall, with ports 80 and 443 port forwarded

a. System environment:

Docker

b. Command:

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

(homecert) {
    tls /root/starhemma.crt /root/starhemma.key
}

sonarr.hemma.lokal {
    @internal {
	remote_ip forwarded 192.168.0.0/16
    }
    handle @internal {
	reverse_proxy sonarr:8989
	import homecert
    }
    log {
    	output file /tmp/sonarr.log
	level DEBUG
        format json
    }
    respond 403
}

3. The problem I’m having:

I expected requests made from 192.168.0.0/16 to go through and requests from other IPs to get the 403 error, but in the logfile I see this:

2021/08/18 13:26:18.099 info http.log.access.log0 handled request {"request": {"remote_addr": "1.1.1.1:41918", "proto": "HTTP/1.1", "method": "HEAD", "host": "sonarr.hemma.lokal", "uri": "/", "headers": {"User-Agent": ["curl/7.47.0"], "Accept": ["*/*"]}, "tls": {"resumed": false, "version": 771, "cipher_suite": 49196, "proto": "http/1.1", "proto_mutual": true, "server_name": "almstrom.org"}}, "common_log": "1.1.1.1 - - [18/Aug/2021:13:26:18 +0000] \"HEAD / HTTP/1.1\" 200 0", "duration": 0.003166562, "size": 0, "status": 200, "resp_headers": {"Date": ["Wed, 18 Aug 2021 13:26:18 GMT"], "Content-Length": ["0"], "Content-Type": ["text/html"], "Server": ["Caddy", "Mono-HTTPAPI/1.0"], "X-Ua-Compatible": ["IE=edge"], "Pragma": ["no-cache"], "Expires": ["0"], "X-Application-Version": ["3.0.6.1265"], "Cache-Control": ["no-cache, no-store, must-revalidate, max-age=0"]}}

So, the remote_addr field in the logfile (which I have obfuscated) shows that the request is coming from an IP outside the 192.168.0.0/16 range, but it still gives me a 200 response. I have tried with and without forwarded.

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Please upgrade to v2.4.3!

Some comments about your Caddyfile, there’s some syntax issues.

Firstly, you have mixed tabs and spaces, so it’s sorta messy to read on the forums.

Secondly, you import homecert inside of a handle. This isn’t quite valid, because tls is not a handler directive. It needs to be at the top-level of your site (I’m kinda surprised the Caddyfile parser let that through :astonished:)

Another tiny thing, you can save a couple lines by writing your matcher like this, with the single-line syntax (you can omit the braces if you only need one matcher for your named matcher)

@internal remote_ip forwarded 192.168.0.0/16

These are the headers in the request, as logged. There’s no X-Forwarded-For in there, so the forwarded option for remote_ip won’t do anything. That option is specifically for when you have another proxy in front of Caddy which may add the original IP to the X-Forwarded-For header, but that isn’t the case here, it seems.

With that said, I’m not certain why the response wasn’t a 403, but you could try writing your Caddyfile like this, and try again:

(homecert) {
	tls /root/starhemma.crt /root/starhemma.key
}

sonarr.hemma.lokal {
	import homecert

	@internal remote_ip 192.168.0.0/16
	handle @internal {
		reverse_proxy sonarr:8989
	}
	
	handle {
		respond 403
	}

	log {
		output file /tmp/sonarr.log
		level DEBUG
		format json
	}
}

Secondly, you import homecert inside of a handle. This isn’t quite valid, because tls is not a handler directive. It needs to be at the top-level of your site (I’m kinda surprised the Caddyfile parser let that through :astonished:)

After fiddling around for quite some time, I managed to get it working, by doing it in…reverse. This way I skip the whole handle-thing also.

sonarr.hemma.lokal {
	@external {
		not remote_ip 192.168.0.0/16
	}
	respond @external 403
	reverse_proxy sonarr:8989
	import homecert
}

This way, if I’m from an external IP, it’ll respond 403 and not process the reverse_proxy directive.

Now…Instead of adding those four extra lines for every internal site, can I create a new definition and import that the same way I import the homecert-section?

Yep! Snippets also support passing arguments, as noted in the docs, which you might find useful for this.
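As an added example (not from the thread or the Caddy project), here is how the four-line allow-list from the previous post can become a snippet that takes the upstream as an argument via the `{args.0}` placeholder; the second site, radarr.hemma.lokal with upstream radarr:7878, is a constructed placeholder to show the snippet reused. The `forwarded` option is deliberately left out because, as noted above, Caddy here receives connections directly and nothing in front of it sets X-Forwarded-For.

```caddyfile
# Added example, not the poster's config. The homecert snippet is the one
# from the thread; internal_only is new.
(homecert) {
	tls /root/starhemma.crt /root/starhemma.key
}

# Reusable allow-list: anything outside 192.168.0.0/16 gets a 403 before
# reverse_proxy runs; the first import argument is the upstream address.
(internal_only) {
	@external not remote_ip 192.168.0.0/16
	respond @external 403
	reverse_proxy {args.0}
}

sonarr.hemma.lokal {
	import homecert
	import internal_only sonarr:8989
}

# Constructed second site to show the same snippet reused with another upstream.
radarr.hemma.lokal {
	import homecert
	import internal_only radarr:7878
}
```

Because respond is ordered before reverse_proxy in Caddy's directive order, the 403 for external clients is returned without ever contacting the upstream.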
