Localhost tls only connections

1. The problem I’m having:

I’m trying to make the subdomains I use locally reachable only over TLS, so no one can access the sites directly by IP and port (e.g. 192.168.50.242:3000).

To do this, I added the reject subdirective under the tls block. But when I try to restart Caddy I receive an error.

2. Error messages and/or full log output:

Feb 01 08:51:07 PlexServer caddy[3709825]: LOGNAME=caddy
Feb 01 08:51:07 PlexServer caddy[3709825]: USER=caddy
Feb 01 08:51:07 PlexServer caddy[3709825]: INVOCATION_ID=3c1162f75c844ca08d42357e9d8b2b98
Feb 01 08:51:07 PlexServer caddy[3709825]: JOURNAL_STREAM=8:37696382
Feb 01 08:51:07 PlexServer caddy[3709825]: SYSTEMD_EXEC_PID=3709825
Feb 01 08:51:07 PlexServer caddy[3709825]: {"level":"info","ts":1706737867.9911532,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Feb 01 08:51:07 PlexServer caddy[3709825]: Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': unknown subdirective: reject, at /etc/caddy/Caddyfile:22
Feb 01 08:51:07 PlexServer systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 08:51:07 PlexServer systemd[1]: caddy.service: Failed with result 'exit-code'.
Feb 01 08:51:07 PlexServer systemd[1]: Failed to start caddy.service - Caddy.

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

sudo apt install caddy

a. System environment:

Ubuntu 23.10.1

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

{
	admin 0.0.0.0:2020
}

sceptic.au {
	tls {
		dns godaddy API_Token
		reject
	}
	# Additional configuration for your local domain
	reverse_proxy localhost:443
}

nc.sceptic.au: {
	tls internal
	reverse_proxy localhost:11000
}

sonarr.sceptic.au {
	# Configuration for site1
	tls internal
	reverse_proxy localhost:8989
}

homepage.sceptic.au {
	# Configuration for site2
	tls internal
	reverse_proxy localhost:3000
}

overseerr.sceptic.au {
	tls internal
	reverse_proxy localhost:5055
}

maintainerr.sceptic.au {
	tls internal
	reverse_proxy localhost:8154
}

radarr.sceptic.au {
	tls internal
	reverse_proxy localhost:7878
}

readarr.sceptic.au {
	tls internal
	reverse_proxy localhost:8787
}

lidarr.sceptic.au {
	tls internal
	reverse_proxy localhost:8686
}

sabnzbd.sceptic.au {
	tls internal
	reverse_proxy localhost:8089
}

prowlarr.sceptic.au {
	tls internal
	reverse_proxy localhost:9696
}

https://audio.sceptic.au:443 {
	tls internal
	reverse_proxy localhost:13378
}

tautulli.sceptic.au {
	tls internal
	reverse_proxy localhost:8181
}

paperless.sceptic.au {
	tls internal
	reverse_proxy localhost:8003
}

actual.sceptic.au {
	tls internal
	reverse_proxy localhost:5006
}

freshrss.sceptic.au {
	tls internal
	reverse_proxy localhost:8282
}

immich.sceptic.au {
	tls internal
	reverse_proxy localhost:2283
}

dozzle.sceptic.au {
	tls internal
	reverse_proxy localhost:8888
}

ukuma.sceptic.au {
	tls internal
	reverse_proxy localhost:3001
}

filebrowser.sceptic.au {
	tls internal
	reverse_proxy localhost:8383
}

dockge.sceptic.au {
	tls internal
	reverse_proxy localhost:5001
}

linkding.sceptic.au {
	tls internal
	reverse_proxy localhost:9090
}

change.sceptic.au {
	tls internal
	reverse_proxy localhost:5000
}

duplicati.sceptic.au {
	tls internal
	reverse_proxy localhost:8200
}

stirlingpdf.sceptic.au {
	tls internal
	reverse_proxy localhost:8088
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

5. Links to relevant resources:

That’s not a thing. Where did you see that? It’s certainly not in our docs.

That’s something you need to do in your firewall config. Make sure port 3000 is not open to the public internet. It’s not a Caddy thing.

I used ChatGPT, won’t make that mistake again.

I also got this from ChatGPT, and of course it doesn’t work:

sceptic.au {
    redir https://sceptic.au{uri} 301
    tls {
        dns godaddy API_Token
    }
    # Additional configuration for your local domain
    reverse_proxy localhost:443
}

https://sonarr.sceptic.au {
    redir https://sonarr.sceptic.au{uri} 301
    tls internal
    reverse_proxy localhost:8989
}

https://homepage.sceptic.au {
    redir https://homepage.sceptic.au{uri} 301
    tls internal
    reverse_proxy localhost:3000
}

# Add similar blocks for other subdomains...

Yeah, please never use ChatGPT for Caddy config. It can’t tell the difference between Caddy v1 and v2, and it will hallucinate things that don’t exist.

Like I said, this isn’t a question of Caddy config. If you don’t want port 3000 to be accessible publicly, then you need to block access to that port in your firewall. Don’t port forward that port in your router. Only ports 80 and 443 should be accessible, for HTTP and HTTPS respectively (unless you have some other TCP-only apps you’re trying to serve like game servers or whatever).
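As an added example (not from this thread or the Caddy project), a small script that reads a Caddyfile in the shape posted above, lists the localhost upstream ports (plus the admin API port) that should only ever be reached through Caddy, and emits an nftables input chain that keeps 80 and 443 open and drops direct hits on those ports from any other interface. The sample Caddyfile and the table name `caddy_only` are constructed.

```python
import re
from typing import Iterable

# Constructed sample in the shape of the posted Caddyfile (not the author's
# full file); sceptic.au proxies to Caddy's own 443 listener on purpose.
SAMPLE_CADDYFILE = """
{
	admin 0.0.0.0:2020
}
sceptic.au {
	reverse_proxy localhost:443
}
sonarr.sceptic.au {
	tls internal
	reverse_proxy localhost:8989
}
homepage.sceptic.au {
	tls internal
	reverse_proxy localhost:3000
}
"""

PUBLIC_PORTS = {80, 443}  # Caddy's own HTTP/HTTPS listeners stay reachable
UPSTREAM_RE = re.compile(r"^\s*reverse_proxy\s+(?:localhost|127\.0\.0\.1):(\d+)\b", re.M)
ADMIN_RE = re.compile(r"^\s*admin\s+\S*?:(\d+)\b", re.M)

def loopback_only_ports(caddyfile: str) -> list[int]:
    """Every localhost upstream plus the admin API port (it has no auth, so it
    must not face the LAN), minus Caddy's own 80/443, which a site may proxy to."""
    ports = {int(p) for p in UPSTREAM_RE.findall(caddyfile)}
    ports |= {int(p) for p in ADMIN_RE.findall(caddyfile)}
    return sorted(ports - PUBLIC_PORTS)

def nft_ruleset(ports: Iterable[int]) -> str:
    """nftables input chain: loopback and 80/443 accepted, app ports dropped
    when they arrive on any other interface (i.e. not via Caddy)."""
    dports = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet caddy_only {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    iif lo accept",
        "    tcp dport { 80, 443 } accept",
        f"    tcp dport {{ {dports} }} drop",
        "  }",
        "}",
    ])

if __name__ == "__main__":
    print(nft_ruleset(loopback_only_ports(SAMPLE_CADDYFILE)))
```

Load the printed ruleset with `nft -f`; it only restricts the app ports on the host, so the router must still forward nothing but 80 and 443, as the reply above says.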
