Make all services only accessible for one client (possibly with certificates)

bpost23 · February 15, 2023, 7:40pm

1. Caddy version:

2.6.2 alpine

2. How I installed, and run Caddy:

Working docker-compose file

a. System environment:

Ubuntu Server

d. My complete Caddy config:

service1.subdomain.org {
  reverse_proxy somecontainer:8000
}

# ... more reverse proxies

3. The problem I’m having:

I run a cloud Ubuntu server for personal use. I use Caddy as a reverse proxy to various services running in Docker containers, varying from simple websites to e-mail servers and other applications.

I would like to make all these services inaccessible to any other machines other than mine.

My first thought would be generating self-signed certificates and specifying in Caddy to approve connections only if this certificate is present.

Is this a good idea? Is there a better and/or simpler way? Will this (possibly) interfere with any protocols that an e-mail server or other applications might use? Or will this solution not work for these services?

I figured any kind of external Caddy plugin would be unnecessary complex for my use case, unless there’s a good suggestion.

Kind regards

Whitestrake · February 16, 2023, 6:49am

It should absolutely achieve what you’ve described!

Honestly - I’d just look into basic authentication or something like Authelia for a more comprehensive solution, rather than looking to mTLS. For simplicity’s sake, as well as portability (remembering your user/pass rather than transporting client certificates around).

mTLS via Caddy will only affect things that you’re accessing via Caddy.

Normally, this just means HTTP apps.

I do note that it would be very counterproductive to limit an email server from communicating to any clients except for one authorized client. Being a federated protocol, email servers really want to be able to talk to any other accessible email server.

If you just want secure access to your entire server behind a firewall, I’d consider an overlay network like ZeroTier or Tailscale.

system · March 18, 2023, 6:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.