1. The problem I'm having: I can't really say that I am having an issue (other than 'big brain' to config correctly), but I would like to configure my Caddyfile to have a match on remote IPs and log.
2. Error messages and/or full log output:
No error, but I do get logging no matter if the connection is from my internal LAN or an external, public IP. The 403 DOES work if there is an IP that is not 'allowed'.
3. Caddy version: v2.7.6
4. How I installed and ran Caddy: Docker - Compose
vaultwarden.SorryRedactedbutIcanProvideaTestifNecessary.duckdns.org {
	tls redacted@tedacted.com
	@blocked not remote_ip 192.168.50.0/24 10.10.10.0/24
	log @blocked {
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
	respond @blocked 403
	reverse_proxy vaultwarden:80 {
		# Send the true remote IP to Rocket, so that vaultwarden can put this in the log, so that fail2ban can ban the correct IP.
		header_up X-Real-IP {remote_host}
	}
}
First off, the log directive does not take a matcher. It's not an HTTP handler that makes decisions based on characteristics of the HTTP request. It takes a logger_name (docs). So what this does is define a logger named @blocked that logs for all requests.
If it’s a service that’s only meant to be available internally and if you’re using the DNS-challenge for TLS, you can bind to the internal IP addresses of your network instead of listening on all interfaces.
The alternative is to define the website twice, one binds on the external interface and doesn’t have log enabled, while the other binds on the internal interface with log.
vaultwarden.REDACTED.duckdns.org {
	@logger remote_ip 192.168.50.0/24 10.10.10.0/24
	skip_log @logger
	# Below will still log if the IP is other than what is in @logger
	log {
		output file {$LOG_FILE} {
			roll_size 10MB
			roll_keep 10
		}
	}
}
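To check that the skip_log approach above actually took effect, the access log can be audited offline: any line whose remote_ip falls inside the internal ranges means the matcher is not doing its job. This is an added example, not code from the thread or from the Caddy project; it assumes Caddy's default JSON access-log shape with a request.remote_ip field, and the log lines in it are constructed.

```python
import ipaddress
import json

# Same internal ranges as the @logger / @blocked matchers in the thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.50.0/24", "10.10.10.0/24")]

# Constructed sample lines in Caddy's default JSON access-log shape (abridged).
# Two internal hits are deliberately included to show what a misconfiguration looks like.
SAMPLE_LOG = """\
{"level":"info","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.50.23","remote_port":"51234","method":"GET","host":"vaultwarden.example.duckdns.org","uri":"/"},"status":200}
{"level":"info","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"40022","method":"GET","host":"vaultwarden.example.duckdns.org","uri":"/admin"},"status":403}
{"level":"info","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"10.10.10.5","remote_port":"60000","method":"POST","host":"vaultwarden.example.duckdns.org","uri":"/identity/connect/token"},"status":200}
{"level":"info","logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"198.51.100.9","remote_port":"33891","method":"GET","host":"vaultwarden.example.duckdns.org","uri":"/"},"status":403}
not json at all
"""


def is_internal(ip: str) -> bool:
    """True if ip falls in one of the ranges the remote_ip matcher allows."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_access_log(text: str) -> dict:
    """Split log lines into internal hits (should be absent once skip_log works),
    external hits (the ones the poster wants to keep) and unparsable lines."""
    result = {"internal": [], "external": [], "unparsed": 0}
    for line in text.splitlines():
        try:
            entry = json.loads(line)
            ip = entry["request"]["remote_ip"]
        except (ValueError, KeyError, TypeError):
            result["unparsed"] += 1
            continue
        record = (ip, entry.get("status"), entry["request"].get("uri"))
        result["internal" if is_internal(ip) else "external"].append(record)
    return result


if __name__ == "__main__":
    r = audit_access_log(SAMPLE_LOG)
    if r["internal"]:
        print(f"{len(r['internal'])} internal request(s) still logged; skip_log is not taking effect:")
        for ip, status, uri in r["internal"]:
            print(f"  {ip} {status} {uri}")
    print(f"{len(r['external'])} external request(s), {r['unparsed']} unparsable line(s)")
```

Point it at the real file named by {$LOG_FILE} and an empty "internal" list confirms the matcher is covering every internal subnet you meant it to.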