1. Output of caddy version:
v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
2. How I run Caddy:
I am using Caddy as a reverse proxy for a Vaultwarden instance running on a separate host at vault.thisdomain.net.
a. System environment:
Both Caddy and Vaultwarden are running in their own Ubuntu Server 20.04.4 LXC instances on a Proxmox 7.2 hypervisor behind an OpenBSD internet facing Router which is forwarding ports from external hosts and internal hosts on other subnets to the Caddy reverse proxy instance.
b. Command:
Caddy is set to autostart as a service. I can also use this command if the service is not already running.
caddy run
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
https://vault.thisdomain.net {
	log {
		level INFO
		format json
		output file /var/log/caddylogs/vault {
			roll_size 10MB
			roll_keep 10
		}
	}
	encode gzip
	reverse_proxy /notifications/hub/negotiate 10.20.30.40:8000
	reverse_proxy /notifications/hub 10.20.30.40:3012
	reverse_proxy 10.20.30.40:8000 {
		header_up X-Real-IP {remote_host}
	}
}
3. The problem I’m having:
What I want to do might not even be possible. I am hoping it is but haven’t found any examples of anyone trying to do it. Vaultwarden has a separate admin page available at vault.thisdomain.net/admin and for security reasons I would like regular requests to vault.thisdomain.net to continue working as they are, but any request to vault.thisdomain.net/admin to get a page-not-found error or otherwise be blocked unless the request comes from a particular IP range such as 10.20.40.1/26.
4. Error messages and/or full log output:
5. What I already tried:
I have not tried anything yet because I am not sure what to try. I have done some Google searching, and looked at the remote_ip request matcher in the documentation, which seems like it should do what I need if it can be used in this way, but I have not found anything that references working with a subdirectory rather than a subdomain, so I don’t know what syntax to experiment with. Before I risk breaking the password manager I thought I should ask here if what I want to do is even possible first.
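As an added example (not part of the original post, and not something the poster has tested), here is the complete Caddyfile from above extended with a named matcher that combines the `path` and `remote_ip` matchers, which is exactly the subdirectory case the post asks about. The allowed range is written as 10.20.40.0/26, the network form of the 10.20.40.1/26 range mentioned in the post; the matcher name `@admin_blocked` is an arbitrary choice.

```caddyfile
https://vault.thisdomain.net {
	log {
		level INFO
		format json
		output file /var/log/caddylogs/vault {
			roll_size 10MB
			roll_keep 10
		}
	}
	encode gzip

	# Named matcher: the request path is /admin or anything under /admin/
	# AND the TCP peer address is NOT inside the allowed range.
	# Assumed allowed range: 10.20.40.0/26 (network form of 10.20.40.1/26).
	@admin_blocked {
		path /admin /admin/*
		not remote_ip 10.20.40.0/26
	}

	# Answer matching requests with an empty 404. `respond` comes before
	# `reverse_proxy` in Caddy's default directive order, so the admin
	# page is never proxied for these requests; everything else is untouched.
	respond @admin_blocked 404

	reverse_proxy /notifications/hub/negotiate 10.20.30.40:8000
	reverse_proxy /notifications/hub 10.20.30.40:3012
	reverse_proxy 10.20.30.40:8000 {
		header_up X-Real-IP {remote_host}
	}
}
```

Two points worth checking before reloading. First, `remote_ip` compares the address of the TCP connection Caddy actually accepted, not any `X-Forwarded-For` header, which is what you want here since nothing trusted sits in front of Caddy; the port forwarding on the router should preserve the client source address, but it is easy to confirm by looking at the address recorded for a request in the JSON access log already configured. Second, run `caddy validate --config /etc/caddy/Caddyfile` first, then reload and test from one host inside the range and one outside it (for example with `curl -I https://vault.thisdomain.net/admin`), expecting the admin page from the first and a 404 from the second; the 404s will also show up in the same access log, which gives you a simple record of blocked attempts.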