In the example below, I’d like to limit the ‘books’ subdomain to internal IP ranges, while allowing anyone with either a Cloudflare-forwarded IP or internal IP to access the ‘nextcloud’ subdomain.
I’ve found several examples online, but none of them also incorporate the syntax for wildcard entries, which is why I’m struggling to implement it from scratch myself. I’m also trying to figure out how to implement the whitelisting globally so I don’t have to manually specify the networks for each subdomain’s entry (for example, this suggestion requires specifying the allowed IP addresses for every subdomain: linux - Caddy V2 IP whitelist - Stack Overflow).
A named matcher in the wildcard domain itself, and then reference it with an abort in each subdomain where needed. The abort statement will close all connections from IPs that are not the specified client_ips.
@Monviech that’s not quite right, because you used the same abort @domain-xyz-client-ip line multiple times in the same context (duplicate config, ineffectual).
But yes, you may use the abort directive to close the connection immediately, or the error directive if you want to trigger an error that you can handle with handle_errors and serve a custom/friendly error page.
Can I declare multiple lines in an IP range name? For instance, if I want to block anything that’s not an internal IP range OR Cloudflare, could I use something like this?
@blocked-ranges {
	not client_ip 192.168.0.0/16 10.1.1.1/32
	not client_ip <cloudflare ip ranges>
}
And then abort @blocked-ranges in the appropriate subdomain routes?
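As an added example (not from any post in this thread), the following Caddyfile puts the two pieces discussed above together: the named matchers are declared once in the wildcard site block and reused per subdomain, the `books` subdomain uses `abort` and the `nextcloud` subdomain uses `error` plus `handle_errors` for a friendly page, and the "internal OR Cloudflare" case uses two `not` lines in one named matcher. Each `not` line is negated on its own and the lines of a named matcher are ANDed, so the matcher only fires for requests that are in neither set. Assumptions: `example.com` is the wildcard domain, the internal ranges are the ones from the question, the backends listen on 127.0.0.1:8083 and 127.0.0.1:8080, and `CLOUDFLARE_RANGES` is a placeholder you must replace with Cloudflare's published edge prefixes. Because Cloudflare is listed under `trusted_proxies`, `client_ip` for a proxied request is the visitor's address, so "came through Cloudflare" is expressed with `remote_ip` (the direct TCP peer) rather than `client_ip`.

```caddyfile
# Added example, not from the thread. Constructed values: example.com, the
# backend ports, and CLOUDFLARE_RANGES (placeholder for Cloudflare's current
# edge prefixes; Caddy will refuse to start until it is replaced with CIDRs).
{
	servers {
		# Trust the Cloudflare edge as a proxy so `client_ip` reflects the
		# visitor behind it rather than the edge address itself.
		trusted_proxies static CLOUDFLARE_RANGES
	}
}

*.example.com {
	# Declared once here, reused by every subdomain below.
	@not-internal not client_ip 192.168.0.0/16 10.1.1.1/32

	# Two `not` lines: each is negated separately and the results are ANDed,
	# so this matches only requests that are neither from an internal client
	# nor relayed by a Cloudflare edge (remote_ip = direct TCP peer).
	@not-internal-or-cloudflare {
		not client_ip 192.168.0.0/16 10.1.1.1/32
		not remote_ip CLOUDFLARE_RANGES
	}

	@books host books.example.com
	handle @books {
		# Internal only: close the connection for everyone else.
		abort @not-internal
		reverse_proxy 127.0.0.1:8083
	}

	@nextcloud host nextcloud.example.com
	handle @nextcloud {
		# Internal or via Cloudflare; everyone else gets a 403 that the
		# handle_errors block below turns into a friendly page.
		error @not-internal-or-cloudflare 403
		reverse_proxy 127.0.0.1:8080
	}

	# Any other name under the wildcard: drop it.
	handle {
		abort
	}

	handle_errors {
		@forbidden expression {http.error.status_code} == 403
		respond @forbidden "Access restricted to internal networks." 403
	}
}
```

The TLS configuration for the wildcard certificate (DNS challenge) is omitted because it depends on your DNS provider. A quick check after reloading: a request to `books.example.com` from outside the internal ranges should see the connection closed with no HTTP response, while the same request to `nextcloud.example.com` from a non-Cloudflare, non-internal address should receive the 403 page.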