Is it possible to have some subdomains on the public internet; some not?

I didn’t use the template because it wasn’t relevant - I don’t have Caddy set up yet, I’m asking a question before I do.

Let’s say I own the domain, and host two services on my local network. I want Caddy to act as a reverse proxy for those two services, but I only want one of them to be accessible from the public internet. Each service would be under its own subdomain.

At the same time, I also want TLS on both of those subdomains. I believe this is possible using a wildcard certificate (for *), then using Pi-Hole’s custom DNS feature to direct my subdomain to the reverse proxy. Because the certificate is for any subdomain, and Caddy has the certificate, it should work.

Is this setup possible to do using Caddy? Specifically the “only some subdomains accessible” part - is there any risk in having public DNS records for only one of the subdomains, but both being in Caddy’s reverse proxy config?

Thanks for any help. Hopefully my writing was clear enough.

Yes, you can:

If you have a wildcard cert (requires building Caddy with a plugin for your DNS provider to solve the ACME DNS challenge), then you can use that pattern to set up your sites.

You can use the remote_ip matcher to reject requests that are coming from IP addresses that are non-private (and use abort to close the connections):
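As an added illustration of the pattern described in this answer (not configuration from the original post), the Caddyfile below serves two subdomains under one wildcard certificate and aborts connections to the internal one unless the client address is in a private range. The domain, the backend addresses, the cloudflare DNS module and the CF_API_TOKEN variable are assumptions; substitute your own.

```caddyfile
# Added example, not from the original thread. Assumes the domain example.com,
# two LAN backends (192.168.1.10:8080 and 192.168.1.11:9000), and a Caddy build
# that includes a DNS provider module (cloudflare here) so the wildcard
# certificate can be issued through the ACME DNS challenge.
*.example.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	# Public service: reachable from any client.
	@public host public.example.com
	handle @public {
		reverse_proxy 192.168.1.10:8080
	}

	# Internal service: only clients from private ranges may reach it.
	@internal host internal.example.com
	handle @internal {
		# Close the connection for any client outside RFC 1918, loopback
		# and link-local ranges; nothing is served to them, not even a 403.
		@notLan not remote_ip private_ranges
		abort @notLan

		reverse_proxy 192.168.1.11:9000
	}

	# Any other subdomain under the wildcard: close the connection rather
	# than serve a default page.
	handle {
		abort
	}
}
```

Note that remote_ip checks the peer address of the TCP connection Caddy sees, so if another proxy or load balancer sits in front of Caddy, every client will appear to come from that proxy and the check is only meaningful once trusted_proxies is configured. Because both names are matched on the Host header inside one wildcard block, leaving the internal name out of public DNS hides it from resolvers but the abort rule is what actually stops a client that connects directly to Caddy's public IP with that Host header.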