Is there a way to blacklist IP addresses?

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

I run caddy with Caddyfile.json

a. System environment:

Ubuntu

b. Command:

sudo caddy start -config <Caddyfile.json file location>

c. Caddyfile.json

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "logs": {
                        "logger_names": {
                            "<MY DOMAIN>": "log0"
                        }
                    },
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "encodings": {
                                                        "gzip": {}
                                                    },
                                                    "handler": "encode"
                                                }
                                            ]
                                        },
                                        {
                                            "handle": [
                                                {
                                                    "handler": "subroute",
                                                    "routes": [
                                                        {
                                                            "handle": [
                                                                {
                                                                    "handler": "headers",
                                                                    "response": {
                                                                        "set": {
                                                                            "Access-Control-Allow-Headers": [
                                                                                "Content-Type"
                                                                            ],
                                                                            "Access-Control-Allow-Methods": [
                                                                                "GET",
                                                                                "POST",
                                                                                "OPTIONS"
                                                                            ],
                                                                            "Access-Control-Allow-Origin": [
                                                                                "*"
                                                                            ]
                                                                        }
                                                                    }
                                                                },
                                                                {
                                                                    "handler": "static_response",
                                                                    "status_code": 204
                                                                }
                                                            ]
                                                        }
                                                    ]
                                                }
                                            ],
                                            "match": [
                                                {
                                                    "method": [
                                                        "OPTIONS"
                                                    ]
                                                }
                                            ]
                                        },
                                        {
                                            "handle": [
                                                {
                                                    "handler": "reverse_proxy",
                                                    "headers": {
                                                        "response": {
                                                            "set": {
                                                                "Access-Control-Allow-Origin": [
                                                                    "*"
                                                                ]
                                                            }
                                                        }
                                                    },
                                                    "upstreams": [
                                                        {
                                                            "dial": "localhost:1317"
                                                        }
                                                    ]
                                                }
                                            ],
                                            "match": []
                                        }
                                    ]
                                }
                            ],
                            "match": [
                                {
                                    "host": [
                                        "<MY DOMAIN>"
                                    ]
                                }
                            ],
                            "terminal": true
                        }
                    ]
                }
            }
        }
    },
    "logging": {
        "logs": {
            "default": {
                "exclude": [
                    "http.log.access",
                    "http.log.error"
                ]
            },
            "errlog0": {
                "include": [
                    "http.log.error.log0"
                ],
                "writer": {
                    "filename": "/home/ubuntu/error-lcd.log",
                    "output": "file",
                    "roll_keep": 10,
                    "roll_keep_days": 10,
                    "roll_size_mb": 50
                }
            },
            "log0": {
                "include": [
                    "http.log.access.log0"
                ],
                "writer": {
                    "filename": "/home/ubuntu/access-lcd.log",
                    "output": "file",
                    "roll_keep": 10,
                    "roll_keep_days": 10,
                    "roll_size_mb": 50
                }
            }
        },
        "sink": {
            "writer": {
                "filename": "/home/ubuntu/caddy-sink.log",
                "output": "file",
                "roll_keep": 10,
                "roll_keep_days": 10,
                "roll_size_mb": 50
            }
        }
    }
}

3. The problem I’m having:

Hi Caddiers,

Thanks for creating this awesome server!
I am trying to blacklist certain IP addresses since I get so many requests from certain IPs recently.
I can’t seem to find any syntax about how to do that. Is there a way to do that?

Thanks,
JayB

You can use the remote_ip matcher, paired with a static_response handler, to block specific IPs.

Or you can turn it into a whitelist by wrapping it in a not matcher, which will invert the matching.

1 Like

Thanks for your reply and suggestion. I looked through other people’s questions about how to set up fail2ban on caddy, and I found out that unfortunately there isn’t an equivalent plugin for v2 at this time. I’ll play around with your suggestion.

I actually have another question to ask, but if this requires another post, then I will go ahead and create one for this. It is about real-time access log management tools. Do you happen to use any real-time log management tool for your API server? I see that the default access log looks like the lines below. It is a combination of regular strings and json format. How do you manage your access logs that have this type of format?

2020/10/07 11:48:13.259	info	http.log.access.log2	handled request	{"request": {"method": "GET", "uri": "/v1/<URI>", "proto": "HTTP/2.0", "remote_addr": "<IP Address>:62920", "host": "<API DOMAIN>", "headers": {"Accept-Language": ["en-US,en;q=0.5"], "Accept-Encoding": ["gzip, deflate, br"], "Origin": ["<ORIGIN>"], "Dnt": ["1"], "Referer": ["<Referer>/"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0"], "Accept": ["application/json, text/plain, */*"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "<SERVER NAME>"}}, "common_log": "<IP Address>- - [07/Oct/2020:11:48:13 +0000] \"GET /v1/<API path> HTTP/2.0\" 200 37", "duration": 0.00281563, "size": 37, "status": 200, "resp_headers": {"Content-Length": ["37"], "Access-Control-Allow-Origin": ["*"], "Server": ["Caddy"], "Content-Type": ["application/json"], "Date": ["Wed, 07 Oct 2020 11:48:13 GMT"]}}

What I meant by regular strings is this part.

2020/10/07 11:48:13.259	info	http.log.access.log2	handled request

and the json format is this part:

{"request": {"method": "GET", "uri": "/v1/<URI>", "proto": "HTTP/2.0", "remote_addr": "<IP Address>:62920", "host": "<API DOMAIN>", "headers": {"Accept-Language": ["en-US,en;q=0.5"], "Accept-Encoding": ["gzip, deflate, br"], "Origin": ["<ORIGIN>"], "Dnt": ["1"], "Referer": ["<Referer>/"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0"], "Accept": ["application/json, text/plain, */*"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "<SERVER NAME>"}}, "common_log": "<IP Address>- - [07/Oct/2020:11:48:13 +0000] \"GET /v1/<API path> HTTP/2.0\" 200 37", "duration": 0.00281563, "size": 37, "status": 200, "resp_headers": {"Content-Length": ["37"], "Access-Control-Allow-Origin": ["*"], "Server": ["Caddy"], "Content-Type": ["application/json"], "Date": ["Wed, 07 Oct 2020 11:48:13 GMT"]}}

You’re seeing the output of the console encoder. You can instead configure logging to use the json encoder:

We’re not really aware of any good structured logs ingress tools, but you can use jq to manipulate the data however you need.

https://stedolan.github.io/jq/

1 Like
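The two replies above fit together: the console-encoded access lines can be split on tabs and their JSON payload parsed, and the client IPs that show up too often can then be fed into the remote_ip + static_response route that was suggested. The script below is an added example, not code from Caddy or from anyone in this thread; the log lines are constructed sample data in the format shown earlier, and the request threshold of 3 is an arbitrary assumption.

```python
import json
from collections import Counter

def _line(ip, uri):
    """Constructed console-encoder access line (tab-separated timestamp, level,
    logger, message, then the JSON payload). Sample data, not real traffic."""
    fields = {"request": {"method": "GET", "uri": uri, "remote_addr": ip + ":62920"}, "status": 200}
    return "2020/10/07 11:48:13.259\tinfo\thttp.log.access.log0\thandled request\t" + json.dumps(fields)

SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", "/v1/status"),
    _line("198.51.100.9", "/v1/status"),
    _line("203.0.113.7", "/v1/accounts"),
    _line("203.0.113.7", "/v1/admin"),
    "2020/10/07 11:48:14.000\tinfo\tadmin\tadmin endpoint started",  # no JSON payload
])

def parse_console_line(line):
    """Split a console-encoded line into its fields; None when it carries no JSON payload."""
    parts = line.split("\t", 4)
    if len(parts) < 5:
        return None
    ts, level, logger, msg, payload = parts
    return {"ts": ts, "level": level, "logger": logger, "msg": msg, "fields": json.loads(payload)}

def client_ip(remote_addr):
    """Drop the port Caddy appends to remote_addr ('1.2.3.4:62920' or '[2001:db8::1]:443')."""
    host, sep, _ = remote_addr.rpartition(":")
    return (host if sep else remote_addr).strip("[]")

def count_requests_by_ip(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_console_line(line)
        if entry is None or entry["msg"] != "handled request":
            continue
        counts[client_ip(entry["fields"]["request"]["remote_addr"])] += 1
    return counts

def noisy_ips(counts, threshold):
    """IPs at or above the request threshold, sorted for a stable config diff."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def block_route(ips):
    """Caddy JSON route answering 403 to the given IPs; place it first in "routes"."""
    return {"match": [{"remote_ip": {"ranges": list(ips)}}],
            "handle": [{"handler": "static_response", "status_code": 403}],
            "terminal": True}

if __name__ == "__main__":
    print(json.dumps(block_route(noisy_ips(count_requests_by_ip(SAMPLE_LOG), 3)), indent=2))
```

The emitted route belongs at the top of the server's "routes" array in the Caddyfile.json above so it runs before the reverse_proxy route; wrapping the remote_ip matcher in a not matcher turns the same list into an allowlist.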

I’ve been meaning to compile a list of tools. Here are some in this thread:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.