Log only if external IP

1. The problem I’m having: I cant really say that I am having an issue ( other then ‘big brain’ to config correctly) , but I would like to configure my Caddyfile to have a match on remote IPs and log.

2. Error messages and/or full log output:

No error, but I do get logging no matter if the connection in from my internal LAN or an external, public IP.  The 403 DOES work if there is an IP that is not 'allowed'

3. Caddy version: v2.7.6

4. How I installed and ran Caddy: Docker - Compose

a. System environment: Ubuntu server 22.04

b. Command:

docker compose up -d

c. Service/unit/compose file:

version: "2.21"

    image: caddy:latest
    restart: unless-stopped
      - "80:80"
      - "443:443"
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_data:/data
      - ./caddy_config:/config
      - ./logs:/logs
      LOG_FILE: /logs/access.log
    external: true

d. My complete Caddy config:

vaultwarden.SorryRedactedbutIcanProvideaTestifNecessary.duckdns.org {  
  tls redacted@tedacted.com
  @blocked not remote_ip 
  log @blocked {
      output file {$LOG_FILE} {
        roll_size 10MB
        roll_keep 10
  respond @blocked 403
  reverse_proxy vaultwarden:80 {
         # Send the true remote IP to Rocket, so that vaultwarden can put this in the log, so that fail2ban can ban the correct IP.
         header_up X-Real-IP {remote_host}

5. Links to relevant resources:

First off, the log directive does not take a matcher. It’s not an HTTP handler that makes decisions based on characteristics of the HTTP request. It takes a logger_name (docs). So what this does

is define a logger named @blocked that logs for all requests.

If it’s a service that’s only meant to be available internally and if you’re using the DNS-challenge for TLS, you can bind to the internal IP addresses of your network instead of listening on all interfaces.

The alternative is to define the website twice, one binds on the external interface and doesn’t have log enabled, while the other binds on the internal interface with log.

You can use the skip_log directive to skip logging certain requests skip_log (Caddyfile directive) — Caddy Documentation

1 Like

Oh right, I forgot about this! This approach is better.

Thank you, this worked exactly as expected.

for reference -

vaultwarden.REDACTED.duckdns.org {
  @logger remote_ip
  skip_log @logger

  # Below will still log if IP other then what is in the @logger
  log {
      output file {$LOG_FILE} {
        roll_size 10MB
        roll_keep 10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.